Email Authentication: What you need to know

Transcript

1. Marek Loder Customer Success Email Authentication What you need to

   know Patrick Graham Customer Success

2. • Spend my days at Postmark onboarding new clients •

   Work out of our headquarters here in Philadelphia • Big fan of the great outdoors • Newly minted private pilot • Music and coffee aficionado. • I spend my days at Postmark troubleshooting technical problems for our customers • Work remotely from the Pacific Northwest. Marek Loder Patrick Graham

3. What is Postmark? A fast & reliable transactional-only email platform

   for web applications Your customers expect application emails to arrive immediately, not eventually. Reaching the inbox isn’t enough

4. 1. What are the authentication methods and how do they

   work? 2. Why are they important for you? What are you going to learn?

5. Image source: https://www.flickr.com/photos/eelssej_/413385838 Why do I need email authentication?

6. Unauthenticated PayPal phishing email

7. 1. Protect Reputation 2. Protect Deliverability Email Authentication Methods SPF,

   DKIM, and DMARC

8. Whitelist & Blacklist SPF 1

9. ‘From Address’: <[email protected]> Return-Path: <[email protected]> Who the message was sent

   from Where the message was sent from

10. Github’s SPF Record v=spf1 ip4:192.30.252.0/22 include:_spf.google.com include:mail.zendesk.com ~all This is

    an SPF record Defines an IP range Google and ZenDesk mail servers Accept all mail. (Soft Fail)

11. Github’s SPF Record v=spf1 ip4:192.30.252.0/22 include:_spf.google.com include:mail.zendesk.com ~all This is

    an SPF record Defines an IP range Accept all mail. (Soft Fail) Google and ZenDesk mail servers
12. None

13. SPF Gotchas…

14. Only use one SPF record v=spf1 include:_spf.google.com ~all TXT v=spf1

    include:mail.zendesk.com ~all TXT v=spf1 include:_spf.google.com include:mail.zendesk.com ~all TXT SPF Gotchas

15. Only 10 lookups SPF Gotchas

16. 2 Domain Keys Identified Mail DKIM

17. 1. Private key 2. Public key 3. Signature DKIM Components

18. DKIM Private Key -----BEGIN RSA PRIVATE KEY----- MIICXgIBAAKBgQDWnZ5hejTvASYrXmwk/hHOsAFDri2zWYnX2KD+yKB7OG6eVqd6 L0HxcY8ds7HJrEaNtVMoic7XazqHyfhyTagPQ9z1ijdQTAhCwXpO4GOutu5tbTcN bVIgWH/hE8OnDOKuCbLn79VYfIQEu9bnOyKGreU9kuxYROv7737OhnwiEwIDAQAB

    AoGBAJvwbPtA86NR/2z1r7h1T3UR1+lYbuZpQcovIlPebRT7XQz5w7j5C34m2Clp vt3dqmoe/WxwLXXC+QVfUIGlQV15KmA+2+jjYwVCC0lfLsp+xZxnvOyOcCoppbv7 Lbqt9gmF/JwPOUYq3KD+iVwpKiE89Y5DBOFBmaCk6kA4IyXxAkEA9OK5xX9e9fdf MzdJamQ56oMF5CkspVfCCFI4R5zwkRE4R+1pDgYRpvxe2eHk+gEw7nsMpghh6Von begKCr+2yQJBAOBbMWF3Q+556TuAKnCgWd9ZD4BcBEboMFwwXDCaewFVM6dHHcKS wySKyHBP0QjFoP7ESrHglxC/PWqBQ0TbE/sCQBeKZAlUQTCr4v7tZaVQlTCx/7L7 MkuCsChUnwxjTczkNuDTNbIfazr+L7AKQxS1YJrMQV8El0TzYa7zC2QVIeECQQCN 9aXdQhXdw43sdEBmW1ACntvMIG0kYK6Y5pCuwFCsmzi/06PlBfAsIxSI3DgsEMC5 84I/4xgzJI674WarHuQZAkEAqrceOh0yLADMAJlztXsbh96fk//AtPn20FdW/0dE SFGvG8GqV7B99nj/O1BV6V5mfO3bzCtleAJbaptniIL56A== -----END RSA PRIVATE KEY----- Stored secretly by the sender

19. DKIM Public Key google._domainkey.github.com Stored publicly in the sending domain’s

    DNS

20. DKIM Public Key google._domainkey.github.com Selector DKIM specific subdomain Signing domain

21. DKIM Public Key google._domainkey.github.com Selector DKIM specific subdomain Signing domain

22. DKIM Public Key google._domainkey.github.com Selector DKIM specific subdomain Signing domain

23. DKIM Public Key google._domainkey.github.com v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCCqkSdyfFtn4S3VkICnzOvsi wAZ60Z79uN4YpwgAzrScaDmn0IfgG9I6AKklaPAzmCIOh1Rl2pB/ O9nMlEhVpvpNyauFXxhGEkqWp4PeMaoAl2j/uy8lhk1EIoEfM42Ifzm6GMymG/ c61rOuorAqQsGAdUif2HyOmJYdXi8x7zfQIDAQAB

    TXT

24. DKIM Signature DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wildbit.com; s=google; h=from:mime-version:date:message-id:subject:to:cc; bh=i/ep9kKrYpLMJ4OkXiiAVdd16bxlMgi4OcpDEQzV55U=;

    b=CgpzvIVR3mMRXmktyTXAUBFYM3MNgM77WrpGmSqy2Lyeq6aObuzcBCDgh0ZTkgw8lI A8kVodA4EpFOuc66GrJtLFBoy1MxWzUJP25WgAIPj0plbFObXlpJJKMDC0bEoXSnUZrB DVMEDhw8fyP73mgKKfGGzrfja2nE/kUv1WdfU= SMTP header
25. None

26. 3 Domain-based Message Authentication and Conformance DMARC

27. None

28. DMARC Special DMARC subdomain _dmarc.gmail.com v=DMARC1\; p=none\; rua=mailto:[email protected] TXT

29. DMARC v=DMARC1\; p=none\; rua=mailto:[email protected] _dmarc.gmail.com This is a DMARC record

    Reporting Policy

30. DMARC v=DMARC1\; p=none\; rua=mailto:[email protected] _dmarc.gmail.com This is a DMARC record

    Reporting Policy

31. DMARC Tool A free tool to monitor & implement DMARC

    dmarc.postmarkapp.com

32. Checking Validity Check DKIM, SPF, and DMARC validity in Gmail

33. SPF passing and DMARC SPF passing are not the same

    thing. DMARC SPF alignment requires that the From address domain matches the Return-Path domain DMARC - SPF alignment gotcha

34. SPF Domain-based way to say what IPs are allowed to

    send email for you. DKIM Message-based signatures to verify your email is unmodified. DMARC Domain-based way to tell receivers how to handle authentication failures for your domain. Email Authentication Methods

35. A few reasons to consider Postmark…

36. Authenticate Sending Domains: DKIM & Return-Path Custom Return-Path DKIM

37. Unprecedented Troubleshooting 45 days of email activity Search all your

    messages Detailed message events Advanced filtering

38. Detailed message events, grouped by recipient Full content previews (HTML

    & Plain Text) Message overview

39. Customer support that’s human Made the switch to @postmarkapp today.

    The customer service and delivery rates are awesome. Samuel Goudie “ Postmark has stellar customer service. I don't think I have ever waited more than a few minutes for a response to an email. Christopher Dundy “ Ashley Dana Marek Patrick

40. DMARC Reports MailMason SpamCheck StyleMerge MailBrush Templates Mustachio Webhooks MailHandler

    postmarkapp.com/labs Check out our free & open source tools at…

41. Part of the family. postmarkapp.com Questions? Email [email protected] @postmarkapp