• Rakuten DC
• Email Service Provider
• AWS, Azure, GCP
• CRM solutions (Salesforce etc.)
• Common Email Platform
• Service-specific email system
The majority of emails are sent from on-premise common email platforms. Rakuten also supports merchant email sending.
and purpose complicate the analysis of email sending. Managing all emails is very difficult.
Sender
• Common Email Platform in Rakuten DC
• Service-specific email server
• Cloud email service and 3rd-party tools (marketing tools, CRM such as Salesforce, etc.)
• 70+ services
• 48K+ merchants
• 2.9K+ facilities
• Many partners
Sending Platform
be distinguished between fake and real. [[Caution] Suspicious emails impersonating Rakuten Card (card usage notification emails) · https://ichiba.faq.rakuten.net/detail/000007165 · 2019/10/29] Highlight links to suspicious files
Management, Cyber Security, Brand, Marketing. Under the information security team's initiative, project members were selected from each organization. Each member was the leader of their organization. Once they agreed on the direction, each member committed to their responsibility as an org leader.
so that we protect users from email spoofing.
Scope
• All Japanese business domains
• 100% adoption of DKIM (with first-party signature)
• Publish DMARC with p=reject
• SPF is optional (as much as possible)
• Publish a DMARC record with p=none
• Start receiving DMARC reports (rua)
• Understand the From domains used in your organization
• Understand all email delivery routes
Tools for this phase:
• DMARC record creation
• DNS record lookup and parsing
• Report parsing and visualization
https://dmarc.org/resources/deployment-tools/ : 2019.11.06
Just publishing a DMARC record with p=none carries no delivery risk. However, we have to carefully grasp the current situation.
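The initial phase starts with a p=none record that carries a rua address. The following parser and validator is an added example (it is not Rakuten's tooling or any tool from the dmarc.org list); it checks the tags that matter in this phase, in particular that a rua= address exists so aggregate reports actually arrive, and fills in the RFC 7489 defaults (pct=100, relaxed alignment, sp falling back to p) so you see what receivers will apply. The record, domain and mailbox are constructed placeholders.

```python
"""Parse and sanity-check a DMARC TXT record (added example, not Rakuten's tooling)."""
from urllib.parse import urlparse

# Constructed sample: the kind of record published in the initial auditing phase.
# example.co.jp and the rua mailbox are placeholders, not Rakuten domains.
SAMPLE_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-rua@example.co.jp; adkim=r; aspf=r"

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def validate_dmarc(record: str) -> list:
    """Return a list of problems; an empty list means the record is usable."""
    problems = []
    tags = parse_dmarc(record)
    # RFC 7489: the record must start with v=DMARC1 and p= is required.
    if not record.lstrip().lower().startswith("v=dmarc1"):
        problems.append("record must start with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        problems.append(f"p= must be one of {sorted(VALID_POLICIES)}, got {tags.get('p')!r}")
    if "sp" in tags and tags["sp"] not in VALID_POLICIES:
        problems.append(f"sp= invalid: {tags['sp']!r}")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") not in ("r", "s"):
            problems.append(f"{tag}= must be r or s")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        problems.append(f"pct= must be 0..100, got {pct!r}")
    # Without rua= no aggregate reports arrive, which defeats the auditing phase.
    if "rua" not in tags:
        problems.append("no rua= tag: aggregate reports will not be received")
    else:
        for uri in tags["rua"].split(","):
            if urlparse(uri.strip()).scheme != "mailto":
                problems.append(f"rua URI is not mailto: {uri.strip()!r}")
    return problems


def effective_policy(record: str) -> dict:
    """Fill in the RFC 7489 defaults so the caller sees what receivers will apply."""
    tags = parse_dmarc(record)
    return {
        "p": tags.get("p"),
        "sp": tags.get("sp", tags.get("p")),   # subdomain policy falls back to p
        "pct": int(tags.get("pct", "100")),
        "adkim": tags.get("adkim", "r"),
        "aspf": tags.get("aspf", "r"),
        "rua": [u.strip() for u in tags.get("rua", "").split(",") if u.strip()],
    }


if __name__ == "__main__":
    print(validate_dmarc(SAMPLE_RECORD) or "record OK")
    print(effective_policy(SAMPLE_RECORD))
```

Run it against the TXT record you are about to publish; a record that fails `validate_dmarc` is better caught here than after receivers have started ignoring it.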
and/or SPF.
• The SPF and DKIM domains are aligned with the domain where DMARC was declared.
• Check the authentication result in the mail header: confirm the Authentication-Results header.
• Confirm that all the emails sent from your organization pass DMARC in the DMARC report.
• Policy change decision making.
Tools for this phase:
• Report parsing and visualization
• Message validation
Adoption of DKIM and SPF on the email sending infrastructure confirmed in the previous step.
with a small pct (%)
• Increase pct to 100 step by step
• Change to p=reject with a small pct
• Increase pct to 100 step by step
• Keep monitoring
Tools for this phase:
• Report parsing and visualization
Policies become stricter (none → quarantine → reject) and wider (pct=5 → 10 … 100) gradually.
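The ramp-up above is a sequence of records, and the pct tag has a subtlety worth seeing in code: per RFC 7489 section 6.6.4, a receiver applies the published policy to pct% of failing messages and the next weaker policy (reject → quarantine, quarantine → none) to the rest. The helper below is an added example, not Rakuten's tool; the step sizes (5, 10, 25, 50, 100) and the rua mailbox are constructed, since the slide only shows 5 → 10 … 100.

```python
"""DMARC policy ramp-up helper (added example, not Rakuten's own tool)."""

PCT_STEPS = [5, 10, 25, 50, 100]   # constructed ramp; the slide shows pct=5 → 10 … 100
STRICTER = {"none": "quarantine", "quarantine": "reject"}
WEAKER = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def next_step(p: str, pct: int) -> tuple:
    """Raise pct within the current policy first; then move to the next policy at a small pct."""
    if p == "none":
        return "quarantine", PCT_STEPS[0]
    if pct < 100:
        higher = [s for s in PCT_STEPS if s > pct]
        return p, (higher[0] if higher else 100)
    if p in STRICTER:
        return STRICTER[p], PCT_STEPS[0]
    return "reject", 100   # already at the final stage


def ramp_plan(start=("none", 100)) -> list:
    """All (p, pct) stages from the start until p=reject at pct=100."""
    plan = [start]
    while plan[-1] != ("reject", 100):
        plan.append(next_step(*plan[-1]))
    return plan


def render(p: str, pct: int, rua: str = "mailto:dmarc-rua@example.co.jp") -> str:
    """Render the TXT record for one stage; pct=100 is the default and is omitted."""
    tags = ["v=DMARC1", f"p={p}"]
    if pct < 100:
        tags.append(f"pct={pct}")
    tags.append(f"rua={rua}")
    return "; ".join(tags)


def expected_dispositions(p: str, pct: int, failing_messages: int) -> dict:
    """RFC 7489 6.6.4: pct% of failing mail gets p, the remainder gets the next weaker policy."""
    counts = {"none": 0, "quarantine": 0, "reject": 0}
    strict_share = failing_messages * pct // 100
    counts[p] += strict_share
    counts[WEAKER[p]] += failing_messages - strict_share
    return counts


if __name__ == "__main__":
    for p, pct in ramp_plan():
        print(render(p, pct))
    # With p=reject; pct=5, only 5% of 1000 failing messages are rejected; 950 are quarantined.
    print(expected_dispositions("reject", 5, 1000))
```

The disposition split is why "p=reject with a small pct" is a low-risk first step: most failing mail is still only quarantined, and the open-rate and call-center signals from the ramp-up phase have time to show a problem before the share rejected grows.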
to global Email Box Providers (EBPs) such as @gmail.com has doubled in 6 years. Major EBPs actively use sender authentication; they have been involved in it since the specification discussion.
Steps for introducing DMARC. At Rakuten, the goal is basically p=reject (quarantine and pct are optional).
Initial Auditing Phase: publish DMARC and analyze the DMARC report; DKIM & SPF adoption.
Policy Ramp-up Phase: policy ramp-up decision; real-time email open rate monitoring for 2 days after changing; verify the DMARC report; confirm the number of inquiries to the call center.
Ongoing Monitoring Phase: DMARC success rate per sending platform; find unknown platforms and check their DMARC success rate.
Rakuten DC
• DKIM: must be a first-party signature
• SPF: aligned with the DMARC domain (relaxed)
3rd-party tools
• DKIM: must be a first-party signature
• SPF: alignment with the DMARC domain is optional
Pass DMARC based on DKIM. SPF alignment is also supported in Rakuten DC. SPF alignment on 3rd-party tools makes maintenance complex.
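Both the Phase 2 check ("confirm the Authentication-Results header and that DKIM/SPF are aligned") and the rule above (DMARC passes on a first-party DKIM signature; SPF alignment is optional for 3rd-party tools) come down to the same evaluation, shown here as an added example that is not Rakuten's code. It parses an Authentication-Results header, applies relaxed (organizational-domain) or strict alignment, and returns the DMARC result. The three headers are constructed; `organizational_domain` uses a short list of two-label public suffixes instead of the full Public Suffix List, which is enough for the sample domains but an assumption for anything else.

```python
"""DMARC alignment check from an Authentication-Results header (added example, not Rakuten's code)."""
import re

# Simplified public-suffix handling: enough for the sample domains, not a full PSL.
TWO_LABEL_SUFFIXES = {"co.jp", "ne.jp", "or.jp", "ac.jp", "co.uk"}

# Constructed headers. 1) Rakuten-DC style: first-party DKIM and aligned SPF.
AR_FIRST_PARTY = "mx.example.net; dkim=pass header.d=example.co.jp; spf=pass smtp.mailfrom=bounce.example.co.jp"
# 2) 3rd-party tool: first-party DKIM, SPF passes for the vendor's own domain (not aligned).
AR_THIRD_PARTY = "mx.example.net; dkim=pass header.d=example.co.jp; spf=pass smtp.mailfrom=bounces.vendor-esp.example"
# 3) Spoof: no DKIM signature, SPF passes only for the attacker's envelope domain.
AR_SPOOF = "mx.example.net; dkim=none; spf=pass smtp.mailfrom=attacker.example"


def organizational_domain(domain: str) -> str:
    labels = domain.lower().rstrip(".").split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_len + 1):])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """mode 'r' (relaxed): same organizational domain; 's' (strict): identical domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def parse_authentication_results(header: str) -> dict:
    """Return {'dkim': [(result, header.d)], 'spf': (result, mailfrom domain)} from a header value."""
    out = {"dkim": [], "spf": None}
    for clause in header.split(";")[1:]:   # the first clause is the authserv-id
        clause = clause.strip()
        m = re.match(r"(dkim|spf)=(\w+)", clause)
        if not m:
            continue
        method, result = m.groups()
        if method == "dkim":
            d = re.search(r"header\.d=([\w.-]+)", clause)
            out["dkim"].append((result, d.group(1) if d else ""))
        else:
            mf = re.search(r"smtp\.mailfrom=(?:[^@\s]+@)?([\w.-]+)", clause)
            out["spf"] = (result, mf.group(1) if mf else "")
    return out


def dmarc_evaluate(header: str, from_domain: str, adkim: str = "r", aspf: str = "r") -> dict:
    """DMARC passes if any aligned DKIM signature passes or the aligned SPF result passes."""
    ar = parse_authentication_results(header)
    dkim_pass = any(r == "pass" and aligned(d, from_domain, adkim) for r, d in ar["dkim"])
    spf = ar["spf"]
    spf_pass = bool(spf) and spf[0] == "pass" and aligned(spf[1], from_domain, aspf)
    return {"dkim_aligned_pass": dkim_pass, "spf_aligned_pass": spf_pass, "dmarc": dkim_pass or spf_pass}


if __name__ == "__main__":
    for name, hdr in [("first-party", AR_FIRST_PARTY), ("3rd-party", AR_THIRD_PARTY), ("spoof", AR_SPOOF)]:
        print(name, dmarc_evaluate(hdr, "example.co.jp"))
```

The 3rd-party case is the one the slide is about: SPF passes for the vendor's bounce domain, so it contributes nothing to DMARC, and the message passes only because the vendor signs with the first-party DKIM key. If that signature breaks, there is no SPF fallback, which is why first-party DKIM is mandatory for those tools.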
by subdomain
• Group source IPs by organization domain. (They may be divided into smaller meaningful groups such as transactional IPs and promotional IPs.)
• Analyze the pass rates of DMARC, DKIM, and SPF separately.
• Check if DKIM and SPF are aligned with the DMARC domain.
• Check if emails that fail DMARC pass ARC.
I recommend using a DMARC report analysis tool. However, it is better to use it after understanding the points that matter to you.
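To make those points concrete, here is an added example (not Rakuten's analysis tool) that reads an aggregate (rua) report in the RFC 7489 XML format, groups the source IPs into known sending platforms versus unknown, and reports DMARC, DKIM and SPF pass counts separately. It also flags the forwarder pattern that shows up later in the deck: aligned DKIM passes but SPF passes only for some other domain, which identifies the forwarding party from the raw SPF result. The report, IP ranges and platform inventory are constructed; the `arc=pass` comment check follows the convention some receivers use for annotating local-policy overrides and is an assumption about your receivers.

```python
"""Aggregate (rua) DMARC report analysis (added example, not Rakuten's tool)."""
import xml.etree.ElementTree as ET
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample report: documentation IP ranges, placeholder domains.
SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
 <report_metadata><org_name>receiver.example</org_name><report_id>1</report_id></report_metadata>
 <policy_published><domain>example.co.jp</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct></policy_published>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>120</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.co.jp</header_from></identifiers>
  <auth_results><dkim><domain>example.co.jp</domain><result>pass</result></dkim>
   <spf><domain>example.co.jp</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>198.51.100.7</source_ip><count>30</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.co.jp</header_from></identifiers>
  <auth_results><dkim><domain>example.co.jp</domain><result>pass</result></dkim>
   <spf><domain>merchant-shop.example</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>203.0.113.99</source_ip><count>500</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
    <reason><type>local_policy</type><comment>arc=fail</comment></reason></policy_evaluated></row>
  <identifiers><header_from>example.co.jp</header_from></identifiers>
  <auth_results><spf><domain>attacker.example</domain><result>pass</result></spf></auth_results>
 </record>
</feedback>"""

# Constructed inventory of known sending platforms (group IPs by platform / purpose).
KNOWN_PLATFORMS = {"dc-transactional": ip_network("192.0.2.0/24")}


def platform_for(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in KNOWN_PLATFORMS.items():
        if addr in net:
            return name
    return "unknown"


def new_bucket() -> dict:
    return {"total": 0, "dmarc_pass": 0, "dkim_pass": 0, "spf_pass": 0,
            "arc_pass": 0, "forwarded": 0, "forwarders": set()}


def analyze(xml_text: str) -> tuple:
    """Return (published domain, {platform: counters}) for one aggregate report."""
    root = ET.fromstring(xml_text)
    published = root.findtext("policy_published/domain")
    stats = defaultdict(new_bucket)
    for rec in root.iter("record"):
        count = int(rec.findtext("row/count"))
        dkim = rec.findtext("row/policy_evaluated/dkim")   # aligned (DMARC-level) results
        spf = rec.findtext("row/policy_evaluated/spf")
        s = stats[platform_for(rec.findtext("row/source_ip"))]
        s["total"] += count
        s["dkim_pass"] += count if dkim == "pass" else 0
        s["spf_pass"] += count if spf == "pass" else 0
        if dkim == "pass" or spf == "pass":
            s["dmarc_pass"] += count
        elif any("arc=pass" in (c.text or "") for c in rec.iter("comment")):
            s["arc_pass"] += count   # failed DMARC but the receiver saw a valid ARC chain
        # Forwarder signature: aligned DKIM pass, SPF pass only for an unrelated domain.
        raw_spf_domain = rec.findtext("auth_results/spf/domain")
        raw_spf_result = rec.findtext("auth_results/spf/result")
        if dkim == "pass" and spf != "pass" and raw_spf_result == "pass" and raw_spf_domain:
            s["forwarded"] += count
            s["forwarders"].add(raw_spf_domain)
    return published, dict(stats)


def pass_rate(bucket: dict, key: str) -> float:
    return round(100 * bucket[key] / bucket["total"], 1) if bucket["total"] else 0.0


if __name__ == "__main__":
    domain, stats = analyze(SAMPLE_RUA)
    for platform, b in stats.items():
        print(domain, platform, b["total"], "DMARC", pass_rate(b, "dmarc_pass"),
              "DKIM", pass_rate(b, "dkim_pass"), "SPF", pass_rate(b, "spf_pass"),
              "forwarders", sorted(b["forwarders"]))
```

Reading the output the way the slide suggests: the known platform is at 100%, so it is ready for a stricter policy; the "unknown" bucket mixes a forwarder (30 messages, identified by the merchant domain in the raw SPF result) with 500 messages that are simply spoofed. Separating those two before ramping up is the point of looking at DKIM, SPF and the raw auth_results separately rather than at one DMARC pass rate.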
is necessary to implement with many services, we asked for top-down support and invited the operators to a briefing session.
Roles: CISO, CxO (Executives), Service Director, Operator, Service Tech, External tool vendors, Project Team, Technical Assistant
Channels: Guidance/Manual, Seminar/Consultation, Describe directly
all domains. Stricter policy for some domains.
• On a volume basis, more than half of the emails are already sent under p=reject.
• All new business domains will have p=reject applied by default.
7.2% of domains are p=reject; 56% of email is sent under p=reject; 100% DMARC adoption ※ As of 2019/10/29
large phishing campaigns. There is always a certain amount of unauthorized email in normal times. One large service domain: p=reject 100%. Other major domains: p=reject 100%.
analysis of the DMARC report revealed email statistics:
• Your email sending platforms
• Number of emails
• DKIM and SPF implementation status
• Number of spoofing emails
The number of phone calls regarding phishing temporarily decreased by about 50% after the adoption of DMARC with p=reject. DMARC p=reject implemented in 2017/11. Reject rate against unauthorized email.
In one of our environments (Postfix + OpenDKIM) we had DKIM signature failure cases:
1. … bytes → Using Base64 encoding
2. Subject: header line length > 989 bytes → Actually this wasn't a problem.
3. From (RFC5322.From): header line length > 257 bytes → We announced that it should be shortened.
4. Subject: header first line is empty or a single space → We changed the email library on the client side.
Example Subject: =?ISO-2022-JP?B?GyRCJDMkcyRKGyhC?= =?ISO-2022-JP?B?GyRCJCskcyQ4JEckORsoQg==?=
Results for cases 1–4, in order: Verification Failure, Verification Failure, Verification Failure, No Signature.
※ This is only confirmed for specific version combinations. Newer versions may not have the same problem.
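The four cases above are all properties of the raw header block before signing, so they can be checked on the sender side before the mail reaches the DKIM signer. The linter below is an added example, not Rakuten's code or OpenDKIM's; it flags over-long Subject and From lines using the byte limits from the slide, a Subject whose first line is empty, and raw 8-bit bytes in a Subject, and it shows the RFC 2047 ISO-2022-JP base64 encoding that the slide's example Subject uses. The message samples are constructed; the limits are copied from the slide and are not claims about any particular OpenDKIM version.

```python
"""Header linter for the DKIM failure patterns listed above (added example, not Rakuten's code)."""
from email.header import Header, decode_header

SUBJECT_LINE_LIMIT = 989   # byte limits as stated on the slide
FROM_LINE_LIMIT = 257

# Constructed messages. The Subject encoded-word is the first one from the slide.
GOOD = b"From: Shop <noreply@example.co.jp>\r\nSubject: =?ISO-2022-JP?B?GyRCJDMkcyRKGyhC?=\r\n\r\nbody"
EMPTY_FIRST_LINE = b"From: a@example.co.jp\r\nSubject:\r\n =?ISO-2022-JP?B?GyRCJDMkcyRKGyhC?=\r\n\r\nbody"
LONG_FROM = b"From: " + b"x" * 300 + b"\r\nSubject: hi\r\n\r\nbody"
RAW_8BIT = "From: a@example.co.jp\r\nSubject: \u3053\u3093\u306a\r\n\r\nbody".encode("utf-8")


def split_headers(raw: bytes) -> list:
    """Return [(name, [physical lines of the value])] from the header block, without unfolding."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers, current = [], None
    for line in head.split(b"\r\n"):
        if line[:1] in (b" ", b"\t") and current is not None:
            current[1].append(line)          # folded continuation line
        else:
            name, _, value = line.partition(b":")
            current = (name.decode("ascii", "replace").strip().lower(), [value])
            headers.append(current)
    return headers


def lint_headers(raw: bytes) -> list:
    """Report the conditions from the slide; an empty list means nothing suspicious."""
    findings = []
    for name, lines in split_headers(raw):
        longest = max(len(line) for line in lines)
        if name == "subject":
            if longest > SUBJECT_LINE_LIMIT:
                findings.append(f"Subject line of {longest} bytes exceeds {SUBJECT_LINE_LIMIT}")
            if lines[0].strip() == b"":
                findings.append("Subject first line is empty or whitespace only")
            if any(b > 0x7F for b in b"".join(lines)):
                findings.append("Subject contains raw 8-bit bytes; use RFC 2047 encoding")
        elif name == "from" and longest > FROM_LINE_LIMIT:
            findings.append(f"From line of {longest} bytes exceeds {FROM_LINE_LIMIT}")
    return findings


def encode_subject(text: str) -> str:
    """RFC 2047 base64 encoded-words in ISO-2022-JP, folded by the stdlib to short lines."""
    return Header(text, charset="iso-2022-jp").encode()


def decode_subject(value: str) -> str:
    """Decode encoded-words back to text (for checking what the receiver will display)."""
    return "".join(part.decode(charset or "ascii") if isinstance(part, bytes) else part
                   for part, charset in decode_header(value))


if __name__ == "__main__":
    for label, msg in [("good", GOOD), ("empty first line", EMPTY_FIRST_LINE),
                       ("long from", LONG_FROM), ("raw 8-bit", RAW_8BIT)]:
        print(label, lint_headers(msg) or "OK")
    print(encode_subject("\u3053\u3093\u306a"))
```

Cases 2 and 3 are pure line-length checks; case 4 is the empty first physical line of a folded Subject, which the linter catches before unfolding; the raw 8-bit check is the situation case 1 resolves with base64 encoding. Decoding the slide's example Subject with `decode_subject` shows it is ordinary Japanese text, so the failures were about header layout and length, not content.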
1) Forwarded email through mailing lists
2) Many forwarded emails from mailbox providers (Gmail etc.)
DMARC report ← mailing list (1) / mailbox provider (2)
Rakuten has a lot of forwarded email because our major business models are B-to-B-to-C. For 1), the merchant was identified from the SPF authentication result; then we asked them to stop forwarding. For 2), we did not encounter many failure cases.
necessary to monitor the number of emails that unexpectedly fail to arrive because of a defect in sender authentication. At present there is no way to detect this early, so it can be monitored with user-engagement KPIs such as open rate. Trend of email opens in a campaign.
of the most popular email services for customers in Japan. Last year, Yahoo! Japan and Rakuten began displaying brand images using DKIM as a measure against spoofed emails. [Anti-fraud measures for Rakuten services · https://corp.rakuten.co.jp/security/anti-fraud/ · 2019/10/29] Brand Symbol
technologies and trends.
• Implement best practices in Rakuten services.
Rakuten is actively working to improve email security as a large email sender. As part of that activity, I participate in major conferences in this field.