tags : Networking,Infrastructure

The flow

IMAP/POP/SMTP are application layer protocols.

A ->(SMTP)-> Gmail ->(SMTP)-> Outlook ->(IMAP/POP)-> B

(A's client submits the message to Gmail over SMTP; IMAP/POP only come in at the end, when B's client retrieves it from Outlook.)

Client (MUA)

  • Clients need a protocol for things like retrieving and organizing mail.
  • That protocol is usually IMAP, or POP (the older one).
  • IMAP can’t be used for sending.

Server (MTA)

  • Mail servers and other message transfer agents use SMTP to send and receive mail messages among each other.

DNS Records for email

Protection  Description                                                       Function
SPF         Ensures the domain is allowed to send email from selected IP(s)   Authentication
DKIM        Authenticates the sender using PKI (DNS + header); also integrity Authentication + Integrity
DMARC       What to do if SPF/DKIM fails; policies as DNS TXT records         Advice/Direction
PTR         Reverse DNS record, used for anti-spam etc.                       Spam protection
MX          Points to the SMTP server                                         SMTP

TXT

SPF (Sender Policy Framework)

  • Originally created because SMTP does not inherently authenticate the "from" address of an email.
  • Historically SPF had its own DNS record type, but that is deprecated now; it is simply a TXT record. SPF isn't really a DNS matter, except that the record lives in DNS.
  • One domain, one SPF record.
  • SPF lets a mail admin specify what IP addresses are allowed to send email for a domain.
  • Eg. v=spf1 ip4:192.0.2.0 ip4:192.0.2.1 include:examplesender.email -all
    • If you send emails from your webhost, whose IPv4 address is 192.168.20.25, from another automated server with the IPv6 range ip6:1080::8:800:68.0.3.1/96, and from Zoho, the SPF record should be: v=spf1 ip4:192.168.20.25 ip6:1080::8:800:68.0.3.1/96 include:zoho.in ~all
  • Eg. v=spf1 include:zoho.in ~all
    • v=spf1 marks this as an SPF TXT record.
    • include:zoho.in means apply the SPF information from zoho.in here too.
    • ~all means anything not covered should be treated as suspect, but not a hard failure.
    • +all means any server can send emails on behalf of your domain. (Not common, and not advisable.)
  • Flow
    • Look up the SPF record of the Return-Path (envelope sender) address's domain.
    • Check whether the connecting sender's IP address is allowed by that domain's SPF record.
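The evaluation flow above, as an added example that is not part of the original notes: a small SPF evaluator for the ip4/ip6/include/all mechanisms the notes use, run against a constructed in-memory "DNS" (the SPF_TXT dict, an assumption standing in for real TXT lookups; the first record is the one quoted above).

```python
import ipaddress

# Constructed DNS TXT data standing in for real lookups (an assumption of this
# example); the first record is the one quoted in the notes above.
SPF_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0 ip4:192.0.2.1 include:examplesender.email -all",
    "examplesender.email": "v=spf1 ip6:2001:db8::/32 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(domain, sender_ip, txt=SPF_TXT, depth=0):
    """Evaluate domain's SPF record against the connecting sender's IP.

    Handles the mechanisms used in the notes (ip4, ip6, include, all);
    a, mx, exists and redirect are left out.  Returns the SPF result name.
    """
    if depth > 10:                       # RFC 7208 limit on include nesting
        return "permerror"
    record = txt.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qual = "+"                       # default qualifier is "+" (pass)
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
        elif name == "include":
            # include matches only if the referenced domain's record passes the IP
            if spf_check(arg, sender_ip, txt, depth + 1) == "pass":
                return QUALIFIERS[qual]
        elif name == "all":
            return QUALIFIERS[qual]
    return "neutral"                     # no mechanism matched and no "all"

if __name__ == "__main__":
    for ip in ("192.0.2.1", "2001:db8::1", "203.0.113.9"):
        print(ip, "->", spf_check("example.com", ip))
```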

DKIM (DomainKeys Identified Mail)

  • Designed to ensure the sender of an email is legitimate (authentication).
  • Because the signature covers selected headers plus the body, it also ensures integrity.
  • Basically, each outgoing mail is signed with a private key (the signature is added to the header), and the public key is published in DNS.
  • The receiving server then checks the signature of each message. (Uses PKI.)
  • Parts

    • DKIM DNS record (TXT)

      • Name Format: [selector]._domainkey.[domain], selector is provided by email provider(eg. gmail).
      • Content Format: v=DKIM1; p=<public key>
    • DKIM header

      • Attached to emails from the domain (Sign w Private key)
      • Example DKIM header
        v=1; a=rsa-sha256;
        d=example.com; s=big-email;
        h=from : to: subject;
        bh=uMixy0BsCqhbru4fqPZQdeZY5Pq865sNAnOAxNgUS0s=;
        b=LiIvJeRyqMo0gngiCygwpiKphJjYezb5kXBKCNj8DqRVcCk7obK6OUg4o+EufEbB
          tRYQfQhgIkx5m70IqA6dP+DBZUcsJyS9C+vm2xRK7qyHi2hUFpYS5pkeiNVoQk/Wk4w
          ZG4tu/g+OA49mS7VX+64FXr79MPwOMRRmJ3lNwJU=
      • a= names the algorithms used for signing and hashing (two here: rsa for signing, sha256 for hashing).
      • h= lists the header fields covered by the signature (here from, to, subject).
      • bh= is the hash of the email body.
      • b= is the actual signature: the private key signs the listed headers (h) together with the DKIM header itself, which includes bh.
      • The receiver verifies b with the public key from DNS, then rehashes the body to ensure the result matches bh.
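The bh= part of the receiver's check, as an added example that is not code from the original notes: parse the tag list from the DKIM header above, recompute the body hash with the "simple" canonicalisation, and compare. The message body and the header value are constructed here (the b= tag is a placeholder, since verifying it needs the public key from DNS and an RSA library, which this example does not cover).

```python
import base64
import hashlib

# Constructed message body (an assumption of this example), with extra
# trailing empty lines that the "simple" body canonicalisation ignores.
BODY = "Hello B,\r\n\r\nThis is the body.\r\n\r\n\r\n"

def parse_tags(header_value):
    """Turn 'v=1; a=rsa-sha256; ...' into a dict, dropping folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    return tags

def simple_body_hash(body, algorithm="sha256"):
    """bh= as the signer computes it: CRLF line ends (bare LF normalised as an
    assumption of this example), trailing empty lines reduced to one CRLF,
    then hash and base64."""
    canon = body.replace("\r\n", "\n").replace("\n", "\r\n")
    canon = canon.rstrip("\r\n") + "\r\n"
    digest = hashlib.new(algorithm, canon.encode()).digest()
    return base64.b64encode(digest).decode()

def body_hash_matches(dkim_header_value, body):
    """The bh= step of the receiver's check: recompute the body hash and
    compare it with the value the signer put in the header."""
    tags = parse_tags(dkim_header_value)
    hash_alg = tags["a"].split("-")[1]       # "rsa-sha256" -> "sha256"
    return simple_body_hash(body, hash_alg) == tags["bh"]

# Constructed DKIM-Signature value using the tags from the notes; bh= is filled
# in from the body above, b= is a placeholder (verifying it needs the public
# key published at big-email._domainkey.example.com and an RSA library).
SIGNED_BH = simple_body_hash(BODY)
DKIM_HEADER = ("v=1; a=rsa-sha256; d=example.com; s=big-email;\r\n"
               " h=from : to: subject;\r\n"
               f" bh={SIGNED_BH};\r\n"
               " b=SIGNATURE_PLACEHOLDER")

if __name__ == "__main__":
    print("intact body:", body_hash_matches(DKIM_HEADER, BODY))
    print("tampered body:", body_hash_matches(DKIM_HEADER, BODY + "P.S. added\r\n"))
```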

DMARC (Domain-based Message Authentication Reporting and Conformance)

  • These just tell the receiving mail server what to do if received mail doesn’t pass SPF or DKIM checks. They also allow you to receive reports from providers that support it, saying how many messages passed/failed the tests.
  • DMARC is an email authentication method built on top of DKIM and SPF. DMARC describes what to do with an email that fails SPF and DKIM.
  • DMARC policies are stored as DNS TXT records.
  • Email servers may still mark emails as spam if there is no DMARC record, but DMARC provides clearer instructions on when to do so.

PTR

When the server on the other side looks up your IP address in reverse DNS, the result should be your hostname.

  • Anti-spam
  • Troubleshooting email delivery issues

MX

  • MX records point to instances of mail servers (SMTP servers)
  • Must point to A / AAAA record and not to a CNAME
  • Flow
    • Send: User sends an email
    • Lookup: The MTA sends a DNS query to identify the mail server(s) for the email recipients. (MX records)
    • Establish SMTP: MTA establishes SMTP connection with mail server based on priority
    • Delivery and Fallback: If the mail server with the highest priority (lowest preference value) doesn't respond, the MTA tries the next mail server listed in the MX records, and so on.
    • Bounce: If none of the mail servers accept the email, the MTA bounces it back to the sender.

Priority and Load balance

  • Priorities give you fallback and so increase availability. Use at least 2 MX records, with secondary and tertiary MX records for redundancy when the primary fails.
  • Load balance: If two mail servers have the same priority, that can be used for load balancing instead of fallback.
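The MX flow and priority rules above, as an added example (not code from the original notes): order the records by priority, spread load across hosts that share a priority, fall back to the next priority, and bounce when nothing accepts. The MX records and the try_host callback (standing in for the SMTP connection attempt) are constructed assumptions.

```python
import random

# Constructed MX records for the recipient domain (an assumption of this
# example): (priority, host) pairs as returned by the DNS lookup step.
MX_RECORDS = [
    (10, "mx1.example.net"),
    (10, "mx2.example.net"),
    (20, "backup-mx.example.net"),
]

def mx_delivery_order(records, rng=random):
    """Lowest priority value first.  Hosts sharing a value are shuffled so that
    repeated sends spread across them (load balancing) rather than always
    hitting the first one; the next value is only reached on fallback."""
    by_priority = {}
    for priority, host in records:
        by_priority.setdefault(priority, []).append(host)
    ordered = []
    for priority in sorted(by_priority):
        hosts = list(by_priority[priority])
        rng.shuffle(hosts)
        ordered.extend(hosts)
    return ordered

def deliver(records, try_host, rng=random):
    """Walk the MX list: the first host that accepts over SMTP gets the message;
    if none accepts, the message is bounced.  try_host(host) returns True
    when the SMTP delivery to that host succeeds."""
    for host in mx_delivery_order(records, rng):
        if try_host(host):
            return ("delivered", host)
    return ("bounced", None)

if __name__ == "__main__":
    accepting = {"backup-mx.example.net"}     # constructed outage of both primaries
    print(deliver(MX_RECORDS, lambda host: host in accepting))
    print(deliver(MX_RECORDS, lambda host: False))
```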

Other notes

  • Email providers usually offer separate 3rd-party (app-specific) passwords for use in your mail clients, which is useful. Rather than putting your main password in the client, you get an extra layer of protection this way: if your phone is stolen, you can simply revoke that password.