Fighting email forgery with SPF and DKIM
Ajay, an experienced fellow from the Linux User Group of Mauritius, has several times advocated the importance of authenticating emails through SPF and DKIM. Last Saturday, after the Shellshock presentation, the topic came up again while Alex and I were discussing a couple of things regarding the spam situation and email security. Alex then mentioned the facility he has with Mandrillapp to sign his emails. I thought, hey wait, this couldn't be easier, it's just awesome. Mandrillapp puts DKIM and SPF just a few clicks away. In fact, as he applied his settings, Ajay ran tests instantly to confirm. Yeah, usually DNS changes would take hours to propagate, but magic happens with Cloudflare.
On my end, I looked for a similar facility available with Google Apps. Yup! It's been about 2 years now since my emails have run on Google Apps. I registered at a time when the service was free and I happened to benefit from that.
First, let's configure SPF records to work with Google Apps. It's pretty easy. One needs only to update the DNS records with a TXT entry as follows:
v=spf1 include:_spf.google.com ~all
That should be all.
For DKIM, the DNS TXT record name is gl._domainkey and the record value:
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDzwSQagFPk9euu2oSz1OI2hRHQKoAtk22e3PoONueatsFoWymrc6p86e45ZXRi1j42stJFeLplAO+fcbEPaJy1HRNIAYOXqhAd8mtZcElzGdB2BWlwSbrQ4Ymi6ObdJfs/ZNIqbklEzX2tBtImuSqkBqTu1orhXeE7wqdnYY3UQIDAQAB
Then click Start authentication. Email headers from hacklog.in now show dkim=pass. For testing purposes I sent an email from hacklog.in to a Hotmail account. Below are header extracts:
SPF and DKIM help your emails gain trust and be delivered to the recipient's inbox. They also thwart email forgery attempts, since forged emails would now fail the SPF and DKIM checks and either be rejected or land in the spam folder.
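As an added worked example (not code from the original post, Google Apps or Mandrillapp), the script below takes the two DNS records published above, the SPF TXT record and the gl._domainkey DKIM record, parses them with the standard library only, and checks what a receiver would care about: the SPF qualifier on each mechanism (the ~all here means softfail, not a hard reject), the DKIM tags, and the size of the RSA key carried in p= (read straight out of the base64 DER). It then parses a constructed Authentication-Results header of the RFC 8601 shape, standing in for the Hotmail header extract that is not reproduced on the page; the receiving host name and the header layout are assumptions.

```python
import base64
import re

# Records copied from the post: the SPF TXT record and the DKIM TXT record for selector "gl".
SPF_RECORD = "v=spf1 include:_spf.google.com ~all"
DKIM_SELECTOR = "gl"
DKIM_RECORD = (
    "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDzwSQagFPk9euu2oSz1OI2hRHQKoAtk22"
    "e3PoONueatsFoWymrc6p86e45ZXRi1j42stJFeLplAO+fcbEPaJy1HRNIAYOXqhAd8mtZcElzGdB2BWlwSbrQ4Ym"
    "i6ObdJfs/ZNIqbklEzX2tBtImuSqkBqTu1orhXeE7wqdnYY3UQIDAQAB"
)
# Constructed Authentication-Results header (RFC 8601 layout); the receiving host is assumed.
AUTH_RESULTS = ("Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=hacklog.in; "
                "dkim=pass header.d=hacklog.in header.s=gl")

SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, value) entries; '+' is the implicit default."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in SPF_QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        mechanisms.append({"qualifier": SPF_QUALIFIERS[qualifier],
                           "mechanism": name.lower(), "value": value})
    return mechanisms


def parse_dkim(record):
    """Return the tag=value pairs of a DKIM key record as a dict (v, k, p, ...)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)   # split once: base64 padding '=' stays in the value
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DKIM1":
        raise ValueError("not a DKIM1 key record")
    return tags


def _read_der(data, pos):
    """Read one DER TLV at pos and return (tag, value bytes, position after it)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                          # long-form length: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def rsa_modulus_bits(p_tag):
    """Size in bits of the RSA modulus inside a DKIM p= value (base64 SubjectPublicKeyInfo)."""
    der = base64.b64decode(p_tag)
    tag, spki, _ = _read_der(der, 0)           # SubjectPublicKeyInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("p= is not a DER SEQUENCE")
    _, _, pos = _read_der(spki, 0)             # AlgorithmIdentifier (rsaEncryption), skipped
    tag, bitstr, _ = _read_der(spki, pos)      # BIT STRING wrapping RSAPublicKey
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsapub, _ = _read_der(bitstr[1:], 0)    # drop the unused-bits byte, read RSAPublicKey
    tag, modulus, _ = _read_der(rsapub, 0)     # INTEGER n (may carry a leading 0x00)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()


def parse_authentication_results(header):
    """Map method -> result (e.g. {'spf': 'pass', 'dkim': 'pass'}) from an Authentication-Results header."""
    _, _, body = header.partition(":")
    results = {}
    for clause in body.split(";")[1:]:         # clause 0 is the authserv-id, not a result
        match = re.match(r"\s*(\w+)=(\w+)", clause)
        if match:
            results[match.group(1).lower()] = match.group(2).lower()
    return results


def looks_forged(results):
    """True when either SPF or DKIM did not pass: the case the post says ends up rejected or in spam."""
    return results.get("spf") != "pass" or results.get("dkim") != "pass"


if __name__ == "__main__":
    for entry in parse_spf(SPF_RECORD):
        print("SPF", entry)
    tags = parse_dkim(DKIM_RECORD)
    print("DKIM selector", DKIM_SELECTOR, "key type", tags["k"], "modulus bits", rsa_modulus_bits(tags["p"]))
    results = parse_authentication_results(AUTH_RESULTS)
    print("Authentication-Results", results, "forged?", looks_forged(results))
```

Two things the run makes visible that the records alone do not: ~all only asks receivers to softfail unlisted senders (a stricter policy would publish -all once you are sure every legitimate sender is covered), and the published key is a 1024-bit RSA modulus, which is the minimum size DKIM verifiers are required to accept, so it is worth checking against your provider's current key-length options when rotating the selector.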