
Email Authentication: What you need to know

Wildbit

April 16, 2018

Transcript

  1. Email Authentication: What you need to know
    Marek Loder, Customer Success
    Patrick Graham, Customer Success

  2. Marek Loder
    • Spend my days at Postmark onboarding new clients
    • Work out of our headquarters here in Philadelphia
    • Big fan of the great outdoors
    • Newly minted private pilot
    • Music and coffee aficionado
    Patrick Graham
    • I spend my days at Postmark troubleshooting technical problems for our customers
    • Work remotely from the Pacific Northwest

  3. What is Postmark?
    A fast & reliable transactional-only email platform for web applications.
    Your customers expect application emails to arrive immediately, not eventually.
    Reaching the inbox isn’t enough.

  4. What are you going to learn?
    1. What are the authentication methods and how do they work?
    2. Why are they important for you?

  5. Why do I need email authentication?
    Image source: https://www.flickr.com/photos/eelssej_/413385838

  6. Unauthenticated PayPal phishing email

  7. Email Authentication Methods: SPF, DKIM, and DMARC
    1. Protect Reputation
    2. Protect Deliverability

  8. 1. SPF
    Whitelist & Blacklist

  9. ‘From Address’: who the message was sent from
    Return-Path: where the message was sent from

  10. GitHub’s SPF Record
    v=spf1 ip4:192.30.252.0/22 include:_spf.google.com include:mail.zendesk.com ~all
    v=spf1: this is an SPF record
    ip4:192.30.252.0/22: defines an IP range
    include:_spf.google.com, include:mail.zendesk.com: Google and ZenDesk mail servers
    ~all: any other sender gets a soft fail (accepted, but flagged)

  12. SPF Gotchas…

  13. SPF Gotchas: only use one SPF record
    Instead of two records at the same name:
    TXT  v=spf1 include:_spf.google.com ~all
    TXT  v=spf1 include:mail.zendesk.com ~all
    publish one merged record:
    TXT  v=spf1 include:_spf.google.com include:mail.zendesk.com ~all

  14. SPF Gotchas: only 10 DNS lookups
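The record walk-through on slide 10 and the two gotchas above (one record only, ten lookups), as an added runnable example; this is not the deck's or Postmark's code. DNS answers come from a constructed in-memory table: only the github.com record is the one quoted in the deck, while the contents of the include targets, the *.example names and the netblocks are assumptions made so the lookup chain resolves offline. The evaluator matches ip4, ip6, include, redirect and all; a, mx, ptr and exists are counted toward the limit but not matched, since they need live DNS.

```python
"""Offline SPF checker: record walk-through (slide 10) and the one-record and
ten-lookup gotchas (slides 13-14). Added example, not the deck's or Postmark's code."""
import ipaddress

# Constructed stand-in for DNS TXT answers. Only github.com's record is the one
# quoted in the deck; the include targets' contents, the *.example names and the
# netblocks (RFC 5737 / RFC 3849 documentation ranges) are made up so that the
# include chain resolves without network access.
FAKE_TXT = {
    "github.com": ["v=spf1 ip4:192.30.252.0/22 include:_spf.google.com include:mail.zendesk.com ~all"],
    "_spf.google.com": ["v=spf1 include:_netblocks.google.com include:_netblocks2.google.com ~all"],
    "_netblocks.google.com": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "_netblocks2.google.com": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "mail.zendesk.com": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    # slide 13 gotcha: two SPF records published under one name
    "two-records.example": ["v=spf1 include:_spf.google.com ~all",
                            "v=spf1 include:mail.zendesk.com ~all"],
    # slide 14 gotcha: eleven includes, one more than the limit allows
    "too-many.example": ["v=spf1 " + " ".join(f"include:hop{i}.example" for i in range(11)) + " -all"],
}
for _i in range(11):
    FAKE_TXT[f"hop{_i}.example"] = ["v=spf1 ip4:192.0.2.0/24 -all"]

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS query
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4


def spf_records(domain, txt=FAKE_TXT):
    """All TXT strings at `domain` that start with v=spf1 (there should be exactly one)."""
    return [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]


def parse_terms(record):
    """Split a record into (qualifier, name, argument) triples. Modifiers such as
    redirect=... carry no qualifier and come back with None."""
    terms = []
    for token in record.split()[1:]:  # drop the v=spf1 version tag
        if "=" in token:  # modifier
            name, _, arg = token.partition("=")
            terms.append((None, name.lower(), arg))
            continue
        qualifier = "+"
        if token[0] in QUALIFIERS:
            qualifier, token = token[0], token[1:]
        name, _, arg = token.partition(":")
        terms.append((qualifier, name.lower(), arg))
    return terms


def count_lookups(domain, txt=FAKE_TXT, depth=0):
    """Count DNS-querying terms reachable from `domain`, following include and
    redirect chains the way a receiver does."""
    if depth > 20:  # loop guard; a real evaluator would permerror here too
        return MAX_LOOKUPS + 1
    records = spf_records(domain, txt)
    if len(records) != 1:
        return 0
    total = 0
    for _, name, arg in parse_terms(records[0]):
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):
            total += count_lookups(arg, txt, depth + 1)
    return total


def check_spf(domain, txt=FAKE_TXT):
    """The deck's two gotchas as a list of problems; an empty list means clean."""
    records = spf_records(domain, txt)
    if not records:
        return ["no SPF record"]
    problems = []
    if len(records) > 1:
        problems.append(f"{len(records)} SPF records published; receivers treat this as permerror")
    lookups = count_lookups(domain, txt)
    if lookups > MAX_LOOKUPS:
        problems.append(f"{lookups} DNS lookups, limit is {MAX_LOOKUPS} (permerror)")
    return problems


def evaluate(sender_ip, domain, txt=FAKE_TXT, depth=0):
    """Walk the record left to right and return the SPF result for sender_ip."""
    if depth > 20:
        return "permerror"
    records = spf_records(domain, txt)
    if not records:
        return "none"
    if len(records) > 1 or count_lookups(domain, txt) > MAX_LOOKUPS:
        return "permerror"  # a broken record protects nobody
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, arg in parse_terms(records[0]):
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
        if name == "include":
            inner = evaluate(sender_ip, arg, txt, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner == "permerror":
                return inner
        if name == "all":
            return QUALIFIERS[qualifier]
        if name == "redirect":
            return evaluate(sender_ip, arg, txt, depth + 1)
        # a, mx, ptr and exists need live DNS and are not matched in this offline example
    return "neutral"


if __name__ == "__main__":
    for d in ("github.com", "two-records.example", "too-many.example"):
        print(d, count_lookups(d), check_spf(d) or "ok")
    print(evaluate("192.30.252.10", "github.com"), evaluate("192.0.2.1", "github.com"))
```

Swap `FAKE_TXT` for a resolver's TXT answers (any DNS client that returns the strings at a name) and the same functions give you the one-record and ten-lookup checks for your own domain; the point of `evaluate` returning permerror is that either gotcha makes the whole record useless, not just the offending term.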

  15. 2. DKIM
    DomainKeys Identified Mail

  16. DKIM Components
    1. Private key
    2. Public key
    3. Signature

  17. DKIM Private Key
    Stored secretly by the sender
    -----BEGIN RSA PRIVATE KEY-----
    MIICXgIBAAKBgQDWnZ5hejTvASYrXmwk/hHOsAFDri2zWYnX2KD+yKB7OG6eVqd6
    L0HxcY8ds7HJrEaNtVMoic7XazqHyfhyTagPQ9z1ijdQTAhCwXpO4GOutu5tbTcN
    bVIgWH/hE8OnDOKuCbLn79VYfIQEu9bnOyKGreU9kuxYROv7737OhnwiEwIDAQAB
    AoGBAJvwbPtA86NR/2z1r7h1T3UR1+lYbuZpQcovIlPebRT7XQz5w7j5C34m2Clp
    vt3dqmoe/WxwLXXC+QVfUIGlQV15KmA+2+jjYwVCC0lfLsp+xZxnvOyOcCoppbv7
    Lbqt9gmF/JwPOUYq3KD+iVwpKiE89Y5DBOFBmaCk6kA4IyXxAkEA9OK5xX9e9fdf
    MzdJamQ56oMF5CkspVfCCFI4R5zwkRE4R+1pDgYRpvxe2eHk+gEw7nsMpghh6Von
    begKCr+2yQJBAOBbMWF3Q+556TuAKnCgWd9ZD4BcBEboMFwwXDCaewFVM6dHHcKS
    wySKyHBP0QjFoP7ESrHglxC/PWqBQ0TbE/sCQBeKZAlUQTCr4v7tZaVQlTCx/7L7
    MkuCsChUnwxjTczkNuDTNbIfazr+L7AKQxS1YJrMQV8El0TzYa7zC2QVIeECQQCN
    9aXdQhXdw43sdEBmW1ACntvMIG0kYK6Y5pCuwFCsmzi/06PlBfAsIxSI3DgsEMC5
    84I/4xgzJI674WarHuQZAkEAqrceOh0yLADMAJlztXsbh96fk//AtPn20FdW/0dE
    SFGvG8GqV7B99nj/O1BV6V5mfO3bzCtleAJbaptniIL56A==
    -----END RSA PRIVATE KEY-----

  18. DKIM Public Key
    google._domainkey.github.com
    Stored publicly in the sending domain’s DNS

  19. DKIM Public Key
    google._domainkey.github.com
    google: selector
    _domainkey: DKIM-specific subdomain
    github.com: signing domain


  22. DKIM Public Key
    google._domainkey.github.com  TXT
    v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCCqkSdyfFtn4S3VkICnzOvsiwAZ60Z79uN4YpwgAzrScaDmn0IfgG9I6AKklaPAzmCIOh1Rl2pB/O9nMlEhVpvpNyauFXxhGEkqWp4PeMaoAl2j/uy8lhk1EIoEfM42Ifzm6GMymG/c61rOuorAqQsGAdUif2HyOmJYdXi8x7zfQIDAQAB

  23. DKIM Signature (SMTP header)
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
    d=wildbit.com; s=google;
    h=from:mime-version:date:message-id:subject:to:cc;
    bh=i/ep9kKrYpLMJ4OkXiiAVdd16bxlMgi4OcpDEQzV55U=;
    b=CgpzvIVR3mMRXmktyTXAUBFYM3MNgM77WrpGmSqy2Lyeq6aObuzcBCDgh0ZTkgw8lI
    A8kVodA4EpFOuc66GrJtLFBoy1MxWzUJP25WgAIPj0plbFObXlpJJKMDC0bEoXSnUZrB
    DVMEDhw8fyP73mgKKfGGzrfja2nE/kUv1WdfU=
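An added example, not the deck's or Postmark's code, that ties the DKIM slides together from the receiving side: it parses the DKIM-Signature header quoted above, derives the selector._domainkey.domain name a receiver queries for the public key, and recomputes the bh= body hash with RFC 6376 relaxed canonicalization using only the standard library. The sample body, the sender.example domain and the s1 selector are constructed; verifying the b= signature needs the public key and an RSA library and is left out.

```python
"""DKIM on the receiving side without a crypto library: parse the signature
header, find the public-key record name, and recompute the body hash.
Added example, not the deck's or Postmark's code (standard library only)."""
import base64
import hashlib
import re

# DKIM-Signature header copied from slide 23 (folding whitespace removed).
SLIDE_HEADER = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wildbit.com; s=google; "
    "h=from:mime-version:date:message-id:subject:to:cc; "
    "bh=i/ep9kKrYpLMJ4OkXiiAVdd16bxlMgi4OcpDEQzV55U=; "
    "b=CgpzvIVR3mMRXmktyTXAUBFYM3MNgM77WrpGmSqy2Lyeq6aObuzcBCDgh0ZTkgw8lI"
    "A8kVodA4EpFOuc66GrJtLFBoy1MxWzUJP25WgAIPj0plbFObXlpJJKMDC0bEoXSnUZrB"
    "DVMEDhw8fyP73mgKKfGGzrfja2nE/kUv1WdfU="
)


def parse_dkim_signature(header):
    """tag=value list -> dict. Whitespace inside values is header folding and is dropped."""
    if header.lower().startswith("dkim-signature:"):
        header = header.partition(":")[2]
    tags = {}
    for part in header.split(";"):
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def dkim_dns_name(tags):
    """selector._domainkey.signing-domain: the TXT name a receiver queries for p= (slides 19-22)."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def canonicalize_body_relaxed(body):
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization: per line, collapse runs
    of space/tab to one space and strip trailing whitespace; drop trailing empty
    lines; every remaining line ends in CRLF (an empty body stays empty)."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" ") for line in lines]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(line + b"\r\n" for line in lines)


def body_hash(body):
    """The bh= value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body_relaxed(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def body_hash_matches(header, body):
    """Receiver-side bh= check. A body altered in transit fails here before the
    b= signature is even examined; whitespace-only edits survive relaxed mode."""
    return body_hash(body) == parse_dkim_signature(header).get("bh")


def unsigned_header(domain, selector, body):
    """Constructed signer-side helper: the tags a signer fills in for a body.
    The b= signature needs the private key (slide 17) and is omitted here."""
    return (f"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
            f"h=from:to:subject; bh={body_hash(body)};")


# Constructed sample message; sender.example and selector s1 are made up.
SAMPLE_BODY = b"Hello  world \r\nThis is the message.\r\n\r\n"
SAMPLE_HEADER = unsigned_header("sender.example", "s1", SAMPLE_BODY)

if __name__ == "__main__":
    tags = parse_dkim_signature(SLIDE_HEADER)
    print("public key lives at:", dkim_dns_name(tags))
    print("bh matches:", body_hash_matches(SAMPLE_HEADER, SAMPLE_BODY))
    print("tampered bh matches:", body_hash_matches(SAMPLE_HEADER, SAMPLE_BODY + b"PS\r\n"))
```

The relaxed canonicalization is why a mail relay that re-wraps whitespace or adds a trailing blank line does not break DKIM, while any change to the words does; when you debug a DKIM failure, recomputing bh= this way tells you whether the body or the headers (c=relaxed/relaxed covers both) were touched.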

  24. 3. DMARC
    Domain-based Message Authentication, Reporting and Conformance

  25. DMARC
    _dmarc.gmail.com: the special DMARC subdomain
    TXT  v=DMARC1\; p=none\; rua=mailto:[email protected]

  26. DMARC
    _dmarc.gmail.com
    v=DMARC1\; p=none\; rua=mailto:[email protected]
    v=DMARC1: this is a DMARC record
    p=none: policy
    rua=mailto: reporting


  28. DMARC Tool
    A free tool to monitor & implement DMARC: dmarc.postmarkapp.com

  29. Checking Validity
    Check DKIM, SPF, and DMARC validity in Gmail

  30. DMARC - SPF alignment gotcha
    SPF passing and DMARC SPF passing are not the same thing.
    DMARC SPF alignment requires that the From address domain matches the Return-Path domain.
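The alignment rule above, as an added example rather than the deck's code: it parses a DMARC record in the zone-file form the slides display and decides pass/fail from the SPF and DKIM results plus identifier alignment, so the case where plain SPF passes but DMARC SPF does not is visible in the output. bank.example, the ESP bounce domain and the rua address are constructed; the organizational-domain helper keeps the last two labels, a simplification of the Public Suffix List logic real receivers use.

```python
"""DMARC evaluation with identifier alignment (slides 25-30).
Added example, not the deck's or Postmark's code; standard library only."""


def parse_dmarc(record):
    """'v=DMARC1; p=none; rua=mailto:...' -> dict. The zone-file escapes ('\\;')
    shown on the slides are unescaped first."""
    tags = {}
    for part in record.replace("\\;", ";").split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip()] = value.strip()
    return tags


def org_domain(domain):
    """Organizational domain for relaxed alignment. Receivers consult the Public
    Suffix List; keeping the last two labels is a deliberate simplification that
    is wrong for names like example.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode="r"):
    """Strict ('s'): exact match. Relaxed ('r', the default): same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_evaluate(from_domain, *, spf_result, return_path_domain,
                   dkim_result, dkim_domain, record):
    """DMARC passes when SPF passed AND the Return-Path domain aligns with the
    From domain, OR DKIM passed AND the d= domain aligns. Otherwise the p=
    policy decides what happens to the message (p=none only reports)."""
    tags = parse_dmarc(record)
    spf_aligned = spf_result == "pass" and aligned(
        from_domain, return_path_domain, tags.get("aspf", "r"))
    dkim_aligned = dkim_result == "pass" and aligned(
        from_domain, dkim_domain, tags.get("adkim", "r"))
    passed = spf_aligned or dkim_aligned
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "result": "pass" if passed else "fail",
        "disposition": "none" if passed else tags.get("p", "none"),
        "reports_to": tags.get("rua"),
    }


# Constructed records for bank.example (name and rua address are made up); the
# '\;' form mirrors how the slides display the gmail.com record.
ENFORCING_POLICY = "v=DMARC1\\; p=reject\\; rua=mailto:dmarc-reports@bank.example"
MONITORING_POLICY = "v=DMARC1\\; p=none\\; rua=mailto:dmarc-reports@bank.example"

if __name__ == "__main__":
    # Slide 30's gotcha: SPF passes for the ESP's bounce domain, but that domain
    # does not align with the From domain, so DMARC SPF fails.
    print(dmarc_evaluate("bank.example", spf_result="pass",
                         return_path_domain="bounce.esp.example",
                         dkim_result="none", dkim_domain="", record=ENFORCING_POLICY))
```

Start with p=none and read the rua reports (slide 28) to find every legitimate sender that fails alignment, typically a third-party service using its own Return-Path without DKIM signing for your domain, before moving to quarantine or reject.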

  31. Email Authentication Methods
    SPF: domain-based way to say what IPs are allowed to send email for you.
    DKIM: message-based signatures to verify your email is unmodified.
    DMARC: domain-based way to tell receivers how to handle authentication failures for your domain.

  32. A few reasons to consider Postmark…

  33. Authenticate Sending Domains: DKIM & Return-Path
    DKIM
    Custom Return-Path

  34. Unprecedented Troubleshooting
    45 days of email activity
    Search all your messages
    Detailed message events
    Advanced filtering

  35. Message overview
    Detailed message events, grouped by recipient
    Full content previews (HTML & Plain Text)

  36. Customer support that’s human
    “Made the switch to @postmarkapp today. The customer service and delivery rates are awesome.” Samuel Goudie
    “Postmark has stellar customer service. I don't think I have ever waited more than a few minutes for a response to an email.” Christopher Dundy
    Ashley, Dana, Marek, Patrick

  37. Check out our free & open source tools at postmarkapp.com/labs
    DMARC Reports, MailMason, SpamCheck, StyleMerge, MailBrush, Templates, Mustachio, Webhooks, MailHandler

  38. Part of the family.
    postmarkapp.com
    Questions? Email [email protected]
    @postmarkapp