Author: Hackt3r

Email Authentication

Hello everyone, I hope everyone is doing well.


It’s been so long since I have posted, but since I am back after a long time I have a lot to say. Stay tuned to get more updates😉


Today let us talk about Email authentication. You might be wondering why email needs authentication. Well, you surely need to be logged into your account to send an email, but that is not what we are going to talk about. We are going to see the 3 main pillars of Email Authentication which allow the emails to land in the inbox, rather than in spam.


What is Authentication?

Authentication is simply the process or action of proving or showing something to be true, genuine, or valid. Authentication is the main step that has to be configured properly in order to prove to the recipient that the email is coming from a genuine source. Mainly, we need to implement SPF, DKIM, and DMARC records to prove the authenticity of emails.


What is SPF?

SPF, short for Sender Policy Framework, is a type of DNS record. It identifies the mail servers and domains that are allowed to send email on behalf of your domain. Receiving servers check your SPF record to verify that incoming messages that appear to be from your organization are sent from servers allowed by you.


A domain can have only one SPF record. However, the SPF record for a domain can specify multiple servers and third parties that are allowed to send mail. If you do have two separate SPF TXT record entries, your emails will fail SPF authentication and return a PermError. To overcome this, simply merge all your SPF records into one record and you are good to go.
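The duplicate-record check and the merge described above can be scripted. This is an added example, not code from the original post; the domains, addresses and TXT strings are constructed, and keeping the strictest `all` term when records disagree is an assumption of the example.

```python
ALL_RANK = {"+all": 0, "?all": 1, "~all": 2, "-all": 3}   # weakest to strictest


def spf_records(txt_records):
    """Keep only the TXT strings that are SPF records."""
    return [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]


def merge_spf(records):
    """Merge SPF records: unique terms in order, one 'all' term at the end."""
    terms, all_term = [], None
    for record in records:
        for term in record.split()[1:]:               # skip the v=spf1 tag
            low = "+all" if term.lower() == "all" else term.lower()
            if low in ALL_RANK:
                # Assumption: when records disagree, keep the strictest one.
                if all_term is None or ALL_RANK[low] > ALL_RANK[all_term]:
                    all_term = low
            elif term not in terms:
                terms.append(term)
    return " ".join(["v=spf1"] + terms + ([all_term] if all_term else []))


def lookup_terms(record):
    """Count top-level terms that cost a DNS lookup (RFC 7208 allows 10)."""
    count = 0
    for term in record.lower().split()[1:]:
        name = term.lstrip("+-~?")
        if name.startswith(("include:", "exists:", "redirect=")):
            count += 1
        elif name.split(":")[0].split("/")[0] in ("a", "mx", "ptr"):
            count += 1
    return count


def audit_spf(txt_records):
    """Report none / ok / permerror and the single record to publish."""
    found = spf_records(txt_records)
    if not found:
        return {"status": "none", "record": None, "lookups": 0}
    status = "ok" if len(found) == 1 else "permerror"
    record = found[0] if len(found) == 1 else merge_spf(found)
    return {"status": status, "record": record, "lookups": lookup_terms(record)}


# Constructed TXT answers for a placeholder domain: two SPF records plus noise.
SAMPLE_TXT = ["v=spf1 include:_spf.mailprovider.example ip4:192.0.2.10 ~all",
              "v=spf1 include:_spf.crm.example mx -all",
              "site-verification=constructed-token"]

if __name__ == "__main__":
    print(audit_spf(SAMPLE_TXT))
```

The lookup count covers only the merged record's own terms; each `include:` target adds its own lookups toward the limit of 10.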


Want to find out the SPF records of a domain? Navigate here, enter the domain name, and get all the information about its SPF records.


What is DKIM?

DKIM, short for DomainKeys Identified Mail, is a method of email authentication that helps prevent spammers and other malicious parties from impersonating a legitimate domain. Spammers try to impersonate the domain name, which is the part after the @ symbol in your email address (in user@example.com, example.com is the domain name), to perform phishing campaigns.


There are two main aspects of DKIM: the DKIM record, which is stored in the Domain Name System (DNS) records for the domain, and the DKIM header, which is attached to all emails from the domain.


A DKIM record stores the DKIM public key, a randomized string of characters that is used to verify anything signed with the private key. Email servers query the domain’s DNS records to retrieve the DKIM record and its public key, then use that key to check the signature in the DKIM header. If the signature verifies, the email is delivered to the mailbox; if not, it is placed in the spam folder or discarded before it even reaches the mail server.


Want to see how DKIM looks for a domain? Navigate here to find out.


What is DMARC?

Domain-based Message Authentication, Reporting and Conformance, known as DMARC for short, is the standard email authentication method. DMARC helps organizations prevent hackers and other attackers from spoofing their domain. Spoofing is a type of attack in which the From address of an email message is forged.


DMARC is based upon the results of SPF and/or DKIM, so at least one of those has to be in place for the email domain. With DMARC you can tell receiving servers how to handle unauthorized use of your email domains by setting a policy in your DMARC record.
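To see how a published policy combines with the SPF and DKIM results, the sketch below parses a DMARC record and returns the handling the domain owner requests. It is an added example, not code from the original post; the records are constructed for the placeholder domain example.com, and the SPF/DKIM results are assumed to be computed elsewhere.

```python
POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Parse one DMARC TXT string into a tag dict, or None if unusable."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None                      # the v tag must come first
    tags = {}
    for part in parts:
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        # RFC 7489: with no valid p tag, a record that still has a rua
        # reporting address is treated as p=none; otherwise it is ignored.
        if "rua" not in tags:
            return None
        policy = "none"
    tags["p"] = policy
    return tags


def requested_handling(dmarc_txt, spf_pass, dkim_pass):
    """What the domain owner asks receivers to do with one message.

    dmarc_txt: TXT strings found at _dmarc.<domain>.
    spf_pass / dkim_pass: the check passed for the From domain
    (assumed to be computed elsewhere).
    """
    records = [r for r in dmarc_txt if r.strip().startswith("v=DMARC1")]
    if len(records) != 1:
        return "no-policy"               # missing or duplicated record
    tags = parse_dmarc(records[0])
    if tags is None:
        return "no-policy"
    if spf_pass or dkim_pass:
        return "pass"                    # one passing mechanism is enough
    return tags["p"]


# Constructed sample records for the placeholder domain example.com.
REJECT = ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"]
REPORT_ONLY = ["v=DMARC1; rua=mailto:dmarc@example.com"]
DUPLICATED = ["v=DMARC1; p=quarantine", "v=DMARC1; p=reject"]

if __name__ == "__main__":
    for sample in (REJECT, REPORT_ONLY, DUPLICATED, []):
        print(sample, "->", requested_handling(sample, False, False))
```

A result of `none` or `no-policy` means a message that fails both checks is still handled at the receiver's discretion, which is why a missing or monitoring-only record leaves the domain open to spoofing.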



How can the lack of these records impact your domain?

You have seen the importance of each record, so it is recommended to use them to secure your domain. As phishing campaigns are widely conducted nowadays and most data breaches stem from these campaigns, it is the organization’s responsibility to make sure that its customers do not fall for such traps. Taking a small remedial step now can save you a lot in the long run. SECURITY IS NOT A BIG STEP TAKEN IN THE FUTURE, SECURITY IS A SMALL STEP TAKEN RIGHT NOW.


Hunt for it…

Now that we know what these records do, let us see how to find vulnerabilities and report them. If the SPF or DKIM record is missing, there is no need to report it: as we learned earlier, either SPF or DKIM together with DMARC is good enough to protect your domain, and this is a P5 vulnerability. But if the DMARC record is missing, you can report it based on the 4 classifications of how the impact can vary. I will not be explaining the process, as there is a great blog that explains the impact in greater detail, so I will link it below. Give it a read and you will be amazed to know how many domains still have such low-hanging fruit.


Reference & Credit for the impact explanation: Prajit Sindhkar


As always, check the scope before you start hunting, because most organizations keep these issues on the Out Of Scope list. There is an all-in-one tool that can help you find SPF, DKIM, and DMARC records in one place. It is called MXToolBox. Give it a try, it really is handy.


That’s all from my side. Hope you enjoyed the article as much as I enjoyed writing it. See you all in the next post with another great vulnerability. Check out my Instagram to learn more tips and tricks for finding bugs.


Till then take care and Happy Hacking!!!👋👋
