Posts Tagged ‘DKIM’

What a mission this was!

Oracle NetSuite just flat out refuses to give you a list of IP addresses for their sending servers:

“Support will not provide a list of NetSuite IP addresses” https://docs.oracle.com/cloud/latest/netsuitecs_gs/NSADM/NSADM.pdf

On top of this there is no way to have the emails sent from an internal NetSuite domain name such as noreply@email.netsuite.com, so there is no clear way to whitelist them on your spam filter.

After some back and forth with their support they finally gave us sent-via.netsuite.com, which you can do a DNS lookup of to get the IPs (you will have to monitor this for updates). Mimecast allows you to whitelist via SPF record, so we could add this.

 

Name: sent-via.netsuite.com

> set type=txt
> sent-via.netsuite.com
Server: dns.google
Address: 8.8.8.8

Non-authoritative answer:
sent-via.netsuite.com text =

"google-site-verification=MgKgRWwbn2QifDQBVdRu-IQLvbiR8GFB1hNDz_fmzPU"
sent-via.netsuite.com text =

"v=spf1 include:mailsenders.netsuite.com include:_spf.sparkpostmail.com -all"
> mailsenders.netsuite.com
Server: dns.google
Address: 8.8.8.8

Non-authoritative answer:
mailsenders.netsuite.com text =

"v=spf1 ip4:167.216.129.180/32 ip4:167.216.129.182/31 ip4:167.216.129.184/29 ip4:167.216.129.192/29 ip4:167.216.129.200/32 ip4:167.216.129.210/32 ip4:64.89.45.192/30 "
"ip4:64.89.45.196/32 ip4:208.46.212.208/31 ip4:208.46.212.210/32 ip4:185.72.128.75/32 ip4:185.72.128.76/32 ip4:212.25.240.83/32 ip4:212.25.240.84/31 ip4:72.34.168.76/32 "
"ip4:130.61.9.72/32 ip4:130.61.68.235/32 ip4:132.145.13.209/32 ip4:132.145.11.129/32 ip4:152.67.105.195/32 ip4:140.238.193.139/32 ip4:152.67.105.20/32 ip4:72.34.168.86/32 ip4:72.34.168.85/32 "
"ip4:64.89.44.85/32 -all"
> _spf.sparkpostmail.com
Server: dns.google
Address: 8.8.8.8

Non-authoritative answer:
_spf.sparkpostmail.com text =

"v=spf1 exists:%{i}._spf.sparkpostmail.com ~all"
>
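Walking the include: chain by hand, as above, works once, but the post notes you have to keep monitoring the record for changes. The script below is an added example (not from the original post or from NetSuite) that flattens an SPF record into a list of networks you can feed to a whitelist, using the TXT answers captured in the nslookup session as an offline lookup table. It also shows the caveat the session exposes: the SparkPost include uses an exists: macro, which can only be evaluated per connecting IP at delivery time and cannot be turned into a static list, so the script reports it as unresolvable rather than silently dropping it. Swap offline_txt_lookup for a real resolver to re-run it on live DNS.

```python
import ipaddress

# TXT answers captured from the nslookup session above (the page's own data),
# stored as a table so the example runs offline. Replace txt_lookup with a real
# resolver (e.g. dnspython) to refresh the list when NetSuite changes it.
TXT_RECORDS = {
    "sent-via.netsuite.com": [
        "google-site-verification=MgKgRWwbn2QifDQBVdRu-IQLvbiR8GFB1hNDz_fmzPU",
        "v=spf1 include:mailsenders.netsuite.com include:_spf.sparkpostmail.com -all",
    ],
    "mailsenders.netsuite.com": [
        "v=spf1 ip4:167.216.129.180/32 ip4:167.216.129.182/31 ip4:167.216.129.184/29 "
        "ip4:167.216.129.192/29 ip4:167.216.129.200/32 ip4:167.216.129.210/32 "
        "ip4:64.89.45.192/30 ip4:64.89.45.196/32 ip4:208.46.212.208/31 "
        "ip4:208.46.212.210/32 ip4:185.72.128.75/32 ip4:185.72.128.76/32 "
        "ip4:212.25.240.83/32 ip4:212.25.240.84/31 ip4:72.34.168.76/32 "
        "ip4:130.61.9.72/32 ip4:130.61.68.235/32 ip4:132.145.13.209/32 "
        "ip4:132.145.11.129/32 ip4:152.67.105.195/32 ip4:140.238.193.139/32 "
        "ip4:152.67.105.20/32 ip4:72.34.168.86/32 ip4:72.34.168.85/32 "
        "ip4:64.89.44.85/32 -all",
    ],
    "_spf.sparkpostmail.com": [
        "v=spf1 exists:%{i}._spf.sparkpostmail.com ~all",
    ],
}

MAX_DNS_MECHANISMS = 10  # RFC 7208 section 4.6.4: receivers stop after 10 DNS-querying terms


def offline_txt_lookup(name):
    return TXT_RECORDS.get(name.lower().rstrip("."), [])


def spf_record(name, txt_lookup):
    """Return the domain's v=spf1 TXT record, or None unless there is exactly one."""
    records = [t for t in txt_lookup(name)
               if t.lower().startswith("v=spf1 ") or t.lower() == "v=spf1"]
    return records[0] if len(records) == 1 else None


def flatten_spf(domain, txt_lookup=offline_txt_lookup):
    """Follow include: chains and collect ip4:/ip6: networks.

    Returns (networks, unresolvable). Terms that need per-message DNS (a, mx,
    ptr, exists:) and modifiers (redirect=, exp=) go into unresolvable because
    they cannot become a static allow-list; the SparkPost include is one.
    """
    networks, unresolvable = [], []
    pending, seen, dns_mechanisms = [domain], set(), 0
    while pending:
        name = pending.pop(0)
        if name in seen:                      # guard against include loops
            continue
        seen.add(name)
        record = spf_record(name, txt_lookup)
        if record is None:
            unresolvable.append(f"{name}: no single v=spf1 record")
            continue
        for term in record.split()[1:]:
            if "=" in term:                   # modifier, not a mechanism
                unresolvable.append(f"{name}: {term}")
                continue
            mech = term.lstrip("+-~?")        # drop the qualifier
            if mech.startswith(("ip4:", "ip6:")):
                networks.append(ipaddress.ip_network(mech[4:], strict=False))
            elif mech == "all":
                continue
            elif mech.startswith("include:"):
                dns_mechanisms += 1
                if dns_mechanisms > MAX_DNS_MECHANISMS:
                    unresolvable.append(f"{name}: {term} (lookup limit exceeded)")
                    continue
                pending.append(mech[len("include:"):])
            else:                             # a, mx, ptr, exists:
                dns_mechanisms += 1
                unresolvable.append(f"{name}: {term}")
    return networks, unresolvable


def is_listed(ip, networks):
    """True when ip falls inside one of the flattened networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


if __name__ == "__main__":
    nets, leftovers = flatten_spf("sent-via.netsuite.com")
    for net in nets:
        print(net)
    for item in leftovers:
        print("cannot flatten:", item)
```

The lookup counter matters in practice: a receiver that evaluates an SPF record with more than ten include/a/mx/ptr/exists terms returns permerror, so a whitelist built from such a record would be wider than what real receivers enforce.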

 

I also recommend you change the From address to a generic one such as netsuite@yourdomain.com so it is easy to monitor.

 

DKIM

NetSuite Email Campaign Best Practices


Sender Rewriting Scheme (SRS) functionality was added to Office 365 (and other platforms) to resolve a problem in which autoforwarding is incompatible with SPF.

SRS rewriting does not fix the issue of DMARC passing for forwarded messages. Although an SPF check will now pass by using a rewritten P1 From address, DMARC also requires an alignment check for the message to pass. For forwarded messages, DKIM always fails because the signed DKIM domain does not match the From header domain. If an original sender sets their DMARC policy to reject forwarded messages, the forwarded messages are rejected by Message Transfer Agents (MTAs) that honor DMARC policies.

 

So if you are forwarding emails, you can set SPF to hard fail, but you will not be able to set DMARC to reject, because DKIM fails on the forwarded messages.


Recently a customer had a bounce back for an email someone tried to send him, with the error:

 

DNS Authentication – DMARC Fail

 

DMARC utilises DKIM and SPF records to monitor senders and act accordingly. I checked the sender's domain using https://otalliance.org/resources/spf-dmarc-tools-record-validator and the domain had no DKIM or SPF record but did have a DMARC record!

You need to have SPF and DKIM records in place before publishing DMARC.
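Both posts above come down to DMARC alignment: a message passes DMARC only if SPF or DKIM passes and the domain that passed lines up with the RFC5322.From domain. The evaluator below is an added example (not code from the original posts or from any product) that applies that rule to three constructed scenarios: a direct send, the SRS-forwarded case where SPF passes on the forwarder's rewritten MailFrom and the forwarder has re-signed with its own d= domain, and the bounced sender above who published DMARC without SPF or DKIM. Domain names, the relaxed-alignment organizational-domain shortcut and the policy strings are all assumptions for the example.

```python
from dataclasses import dataclass


@dataclass
class AuthResults:
    """What the receiving MTA established before DMARC is evaluated."""
    from_domain: str    # RFC5322.From header domain (what the recipient sees)
    spf_result: str     # "pass", "fail", "softfail", "none", ...
    spf_domain: str     # RFC5321.MailFrom domain the SPF check ran against
    dkim_result: str    # "pass", "fail", "none"
    dkim_domain: str    # d= tag of the verified signature, "" when there is none


def parse_dmarc(txt):
    """Parse 'v=DMARC1; p=reject; adkim=r; aspf=r' into a lower-cased tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def org_domain(name):
    # Simplification for the example: the last two labels. A real evaluator
    # derives the organizational domain from the Public Suffix List.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the
    same organizational domain."""
    if not auth_domain or not from_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(results, dmarc_txt):
    """Return (dmarc_result, disposition) for one message.

    disposition is the p= action ("none", "quarantine", "reject") a receiver
    that honours the policy would apply when the result is "fail".
    """
    policy = parse_dmarc(dmarc_txt) if dmarc_txt else {}
    if policy.get("v") != "dmarc1":
        return "none", "none"          # no DMARC record published
    spf_ok = (results.spf_result == "pass"
              and aligned(results.spf_domain, results.from_domain, policy.get("aspf", "r")))
    dkim_ok = (results.dkim_result == "pass"
               and aligned(results.dkim_domain, results.from_domain, policy.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy.get("p", "none")


# Constructed scenarios (domain names are placeholders, not real senders).
POLICY_REJECT = "v=DMARC1; p=reject; adkim=r; aspf=r"

DIRECT = AuthResults("sender.example", "pass", "sender.example", "pass", "sender.example")

# Forwarder applied SRS (MailFrom is now SRS0=...@forwarder.example, so SPF passes
# for forwarder.example) and signed the outgoing copy with its own d= domain.
FORWARDED_VIA_SRS = AuthResults("sender.example", "pass", "forwarder.example",
                                "pass", "forwarder.example")

# Sender published DMARC but has neither SPF nor DKIM, as in the bounce above.
DMARC_ONLY = AuthResults("sender.example", "none", "sender.example", "none", "")


if __name__ == "__main__":
    for label, scenario in [("direct", DIRECT), ("forwarded+SRS", FORWARDED_VIA_SRS),
                            ("dmarc without spf/dkim", DMARC_ONLY)]:
        print(label, dmarc_evaluate(scenario, POLICY_REJECT))
```

The forwarded case is the one to notice: both SPF and DKIM individually pass, yet DMARC fails because neither passing domain is sender.example. That is why an SRS rewrite alone cannot rescue a p=reject policy for forwarded mail.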

 


An email from this sender could not be delivered to your mailbox as it has failed DKIM verification. To comply with government security standards the ATO cannot accept emails that fail DKIM integrity checks because the email cannot be verified as genuine.

Currently there is an issue causing emails from organisations using Office 365 to fail DKIM verification.

Office 365 has implemented its own DKIM features and customers must ensure that outbound DKIM is correctly configured for their domain (DNS) and namespace (Office 365 Administration).

 

Resolution

How to enable DKIM on Office 365

You will need to create two DNS records for Office 365 outbound DKIM verification:

selector1._domainkey.domain.com
selector2._domainkey.domain.com

These need to be CNAME records pointing to:

selector1-domain-com._domainkey.onmicrosoftalias.onmicrosoft.com
selector2-domain-com._domainkey.onmicrosoftalias.onmicrosoft.com

Your onmicrosoftalias is the domain GUID and can be retrieved from the MX record for your domain.

You then need to enable signing for the domain.

Via PowerShell:

New-DkimSigningConfig -DomainName domain.com -Enabled $true

Or through the GUI:

 

If you send out via another provider, e.g. a spam filter, you will need to check how to enable DKIM signing on that provider, since it will be the one signing the outbound mail.
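A quick way to confirm the DNS half of the steps above is to compute the two CNAME targets Office 365 expects and compare them with what the zone actually answers. The script below is an added example, not Microsoft's tooling or code from the original post. It takes the domain GUID from the domain's MX host (the domain-com part of domain-com.mail.protection.outlook.com) and treats the tenant's onmicrosoft.com prefix as an assumed input; the zone contents are constructed so the check runs offline, and cname_lookup can be swapped for a real resolver.

```python
import re


def domain_guid_from_mx(mx_host):
    """Take the 'domain-com' label from an Office 365 MX host such as
    domain-com.mail.protection.outlook.com (the GUID the post refers to)."""
    m = re.fullmatch(r"([a-z0-9-]+)\.mail\.protection\.outlook\.com\.?",
                     mx_host.strip().lower())
    if not m:
        raise ValueError(f"not an Office 365 MX host: {mx_host}")
    return m.group(1)


def expected_dkim_cnames(domain, mx_host, tenant_alias):
    """Map each selector hostname to the CNAME target Office 365 expects.

    tenant_alias is the tenant's onmicrosoft.com prefix (assumed input here,
    e.g. 'contoso' for contoso.onmicrosoft.com).
    """
    guid = domain_guid_from_mx(mx_host)
    domain = domain.lower().rstrip(".")
    return {
        f"selector{n}._domainkey.{domain}":
            f"selector{n}-{guid}._domainkey.{tenant_alias.lower()}.onmicrosoft.com"
        for n in (1, 2)
    }


def check_dkim_cnames(domain, mx_host, tenant_alias, cname_lookup):
    """Return a list of problems; empty when both selectors are correct.

    cname_lookup(name) returns the CNAME target string or None when the
    record does not exist. Trailing dots and case are ignored when comparing.
    """
    problems = []
    for name, target in expected_dkim_cnames(domain, mx_host, tenant_alias).items():
        actual = cname_lookup(name)
        if actual is None:
            problems.append(f"{name}: no CNAME record")
        elif actual.lower().rstrip(".") != target:
            problems.append(f"{name}: points to {actual}, expected {target}")
    return problems


# Constructed sample zones for an offline run (placeholder names, not real records).
GOOD_ZONE = {
    "selector1._domainkey.example.com":
        "selector1-example-com._domainkey.contoso.onmicrosoft.com.",
    "selector2._domainkey.example.com":
        "selector2-example-com._domainkey.contoso.onmicrosoft.com.",
}
# selector2 was never created: the common half-finished setup.
BROKEN_ZONE = {
    "selector1._domainkey.example.com":
        "selector1-example-com._domainkey.contoso.onmicrosoft.com.",
}


if __name__ == "__main__":
    for label, zone in [("good", GOOD_ZONE), ("broken", BROKEN_ZONE)]:
        print(label, check_dkim_cnames("example.com",
                                       "example-com.mail.protection.outlook.com",
                                       "contoso", zone.get))
```

Both selectors must exist even though only one is active at a time: Office 365 rotates between them when keys are renewed, so a missing selector2 surfaces later as signatures that stop verifying.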


There has been a recent wave of spoof emails sent to companies, usually emailed to financial personnel and pretending to be from the CEO, to get quick funds paid out and withdrawn.

Spoofing an email address isn't hard, and with the correct background check, spammers get the correct email address and sometimes even the signature of the “CEO”.

How do we stop this?

  1. To start with, SPF, DKIM and DMARC records should all be added to the domain so receivers can verify that the sender is allowed to send from the company domain.
  2. You should definitely have an incoming spam filter in front of Microsoft Exchange. Depending on whether this is a Barracuda box, Postfix or Microsoft FrontBridge, you should be able to enable a rule that does an SPF check for your own domain only. Enabling this for all domains will start flagging lots of incoming email as spam, because many senders have no SPF record.
  3. Create a quarantine in Exchange. From EMC > Organization Configuration > Hub Transport > Transport Rules, create a new transport rule that says:
    From users that are outside the organization
    And when the from address matches text patterns yourdomain.com
    Forward the message to quarantine@yourdomain.com for moderation
    Now, if you have other SMTP servers in or out of your org that send on behalf of your domain, you'll need to create an exception by adding:
    Except when the message header received matches text patterns smtp.yourdomain.com or smtp.theirdomain.com
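To see what the transport rule in step 3 actually decides, here is the same logic as a standalone function run over constructed sample messages. This is an added example, not an Exchange export or code from the original post; yourdomain.com, the relay hostnames and the messages are placeholders. One detail the text-pattern condition hides: a plain substring match on yourdomain.com would also match a look-alike such as notyourdomain.com, so the check below compares the From domain exactly (and its subdomains) rather than as a substring.

```python
import email
from email import policy
from email.utils import parseaddr

OUR_DOMAIN = "yourdomain.com"                                   # placeholder
ALLOWED_RELAYS = ("smtp.yourdomain.com", "smtp.theirdomain.com")  # the rule's exception


def header_domain(value):
    """Domain part of an address header such as '"CEO" <ceo@yourdomain.com>'."""
    addr = parseaddr(str(value))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def claims_our_domain(from_dom, our_domain=OUR_DOMAIN):
    # Anchored: equal to our domain or a subdomain of it, never a substring hit.
    return from_dom == our_domain or from_dom.endswith("." + our_domain)


def should_quarantine(raw, sender_is_external,
                      our_domain=OUR_DOMAIN, allowed_relays=ALLOWED_RELAYS):
    """Mirror the transport rule: external sender whose From claims our domain
    is quarantined, unless a Received header names one of the approved relays.
    sender_is_external stands in for Exchange's 'outside the organization'
    scope, which the server decides from the receiving connector."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if not sender_is_external:
        return False
    if not claims_our_domain(header_domain(msg.get("From", "")), our_domain):
        return False
    received = " ".join(str(h) for h in msg.get_all("Received", [])).lower()
    if any(relay in received for relay in allowed_relays):
        return False
    return True


# Constructed sample messages (addresses and hosts are placeholders).
SPOOF = b"""Received: from mx.outside.invalid (203.0.113.9) by edge.yourdomain.com
From: "Chief Executive" <ceo@yourdomain.com>
To: accounts@yourdomain.com
Subject: Quick payment needed today

Please process the attached invoice before noon.
"""

LEGIT_VIA_RELAY = b"""Received: from smtp.theirdomain.com (198.51.100.7) by edge.yourdomain.com
From: CRM Notifications <crm@yourdomain.com>
To: sales@yourdomain.com
Subject: New lead assigned

Lead 1234 has been assigned to you.
"""

LOOKALIKE = b"""Received: from mx.outside.invalid (203.0.113.9) by edge.yourdomain.com
From: ceo@notyourdomain.com
To: accounts@yourdomain.com
Subject: Hello

Hello.
"""


if __name__ == "__main__":
    print("spoof:", should_quarantine(SPOOF, sender_is_external=True))
    print("via approved relay:", should_quarantine(LEGIT_VIA_RELAY, sender_is_external=True))
    print("look-alike domain:", should_quarantine(LOOKALIKE, sender_is_external=True))
```

The look-alike message is not caught by this rule, and is not meant to be: it is a different domain, which is what step 1's SPF/DKIM/DMARC records and user awareness have to cover. Also note that the Received-header exception is a text match, so on a real deployment it is worth pairing it with a connector- or IP-based condition rather than relying on header text alone.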


You can forward these emails to junk@office365.microsoft.com or use the Outlook plugin to report them, and hopefully Microsoft will block them in future: https://www.microsoft.com/en-us/download/details.aspx?id=18275

 

Microsoft has now actually got a new filtering service for 365; however, it is paid for per user. You could maybe try: https://products.office.com/en-us/exchange/online-email-threat-protection

It's not uncommon nowadays to have another third-party appliance such as a Barracuda, or a hosted service such as Postfix, to filter items before they get to 365. It seems that once a spammer figures out how to exploit 365, all domains get the same spam. Two layers of protection is safer!

 

1) Make sure your own SPF records are in check: http://www.spfwizard.net/

2) Get your DKIM records in check: http://blogs.msdn.com/b/tzink/archive/2015/10/08/manually-hooking-up-dkim-signing-in-office-365.aspx

3) Get your DMARC records in check: http://blogs.msdn.com/b/tzink/archive/2014/12/03/using-dmarc-in-office-365.aspx
