Powerful Google developer tools for immediate impact! (2023-24 C)
What You Need to Know About Email Authentication
1. What You Should
Know About
Email
Authentication
Kurt Andersen
LinkedIn Site Reliability
@DrKurtA
2. @DrKurtA
Introduction - Kurt Andersen
Email in the days of Bitnet/DECnet/usenet/etc. gateways
Early work on hypertext for internal reference system at JPL’s Image
Processing Laboratory
Instigator for the PERL common database access framework: DBI/DBD
Early web work, bringing several organizations on line in 1994-1996
Worked on early versions of SpamAssassin, contributed to Postfix and the
initial SPF specification
Active contributor to M3AAWG since 2007, currently on the board of
directors and co-chair of the program committee
Active with IETF standards efforts: SPFbis, DMARC, DBOUND
4. @DrKurtA
Roadmap
Why should you care?
Background to the challenges of email authentication
Where does me.example mail come from?
Did my domain (me.example) send this content?
What protections should a receiver look for on me.example mail?
How do I protect me.example?
Making it all work together. . .
6. @DrKurtA
Why Is This Important?
Email is still alive and well
- Large: 80B consumer emails/day, 91% check email daily
- Growing: 3.9 Billion active email boxes => 4.9 Bn by 2017
- Preferred: 74% consumers prefer email for commercial communications
- Popular: 82% of consumers sign up for email programs on websites
Email is highly effective
- High open rates: 82% of consumers open marketing email
- Effective: 66% of consumers buy online due to email
- Efficient: Email marketing has an ROI of 4300%
7. @DrKurtA
Email Attacks
84% of all email is spam/phish
Despite best efforts, 100M Phishing messages get through every day
- 95% of all cyberattacks occur through phishing
Phishing harms consumers and brands
- Daily barrage of email based attacks costing brands $70 b/year
- 42% of consumers are less likely to buy from brands following an email
attack
8. @DrKurtA
Domain Authentication Helps Receivers
It makes it easier to know where the mail is really coming from
Stable basis for accumulating reputation
- The only people who don’t want to accrue reputation are the people
you don’t want email from anyway
Necessary to deal with the shift from IPv4 to IPv6
9. @DrKurtA
Domain Authentication Helps Senders
It keeps your mail out of the trash (assuming that it is good )
Keeps your real mail distinct from fraudulent uses of your domain
Consider it the domain equivalent of defending your brand
10. @DrKurtA
A Tale of Two Cities
Email standards – IETF RFCs govern how servers talk to each other
- 5321 – envelope
- 5322 – message (and others for MIME, etc.)
- Various RFCs for authentication protocols
- MTA “rules of the road”
MUA – how are messages presented to people
- No standards
- Some user interface optimizations
- Little real research toward usable security
11. @DrKurtA
Background and Context
Why should you care?
Background to the challenges of email authentication
Where does me.example mail come from?
Did my domain (me.example) send this content?
What protections should a receiver look for on me.example mail?
How do I protect me.example?
Making it all work together. . .
13. @DrKurtA
Message Sender Message Receiver Notes
TCP connect on port 25 Standard 3-way
handshake
220 testhost.localdomain ESMTP
Postfix
Connection banner
EHLO test.example.com 250-testhost.localdomain
250-SIZE 10485760250
250 DSN
Receiver announces
capabilities (EHLO) or
just “OK” (HELO)
MAIL FROM:
<someone@example.com>
250 2.1.0 Ok Envelope sender
RCPT TO:
<someone_else@example.org>
250 2.1.5 Ok Envelope recipient
DATA 354 End data with
<CR><LF>.<CR><LF>
<message with headers goes here> Message
. 250 2.0.0 Ok: queued as
0FC77B8BEDC
End of message
QUIT 221 2.0.0 Bye
Connection closed receiver
16. @DrKurtA
Connecting the Analogy
Snail Mail Email Ifs, Ands & Buts
Postmark • IP address of connection
• PTR record (sometimes called rDNS)
• HELO name
• Cost of admission
• Frequently required
• sometimes with FCrDNS too
• Often unrelated to anything
Envelope From aka “Mail From”/ “MFrom” / “5321.From” • Becomes the “Return-Path”
header
• Named from RFC5321 which
defines the envelope for email
• Usually null for system messages
Envelope To aka “Rcpt To” / “Recipient” / “5321.To” Used for delivery, but not seen by
recipient
Letter From aka “Header From” / “HFrom” / “5322.From” • Display Name – seen, free text
• Email Address – often unseen
Letter To aka “Header To” / “Recipient” / “5322.To” optional
Signature none
17. @DrKurtA
First Axiom of Email Reputation
You cannot say good things about
yourself,
only neutral or bad things.
– John Levine
18. @DrKurtA
SPF
Why should you care?
Background to the challenges of email authentication
Where does me.example mail come from?
Did my domain (me.example) send this content?
What protections should a receiver look for on me.example mail?
How do I protect me.example?
Making it all work together. . .
19. @DrKurtA
Where does “me.example” mail come from?
Sender Policy Framework, aka, SPF RFC 7208
ADMD (ADministrative Management Domain) assertion about the
source(s) of email for a domain
Published in DNS as a TXT record
20. @DrKurtA
What does SPF check?
Snail Mail Email Ifs, Ands & Buts
Postmark • IP address of connection
• PTR record (sometimes called rDNS)
• HELO name
• Cost of admission
• Frequently required
• sometimes with FCrDNS too
• Often unrelated to anything
Envelope From aka “Mail From”/ “MFrom” / “5321.From” • Becomes the “Return-Path”
header
• Named from RFC5321 which
defines the envelope for email
• Usually null for system messages
Envelope To aka “Rcpt To” / “Recipient” / “5321.To” Used for delivery, but not seen by
recipient
Letter From aka “Header From” / “HFrom” / “5322.From” • Display Name – seen, free text
• Email Address – often unseen
Letter To aka “Header To” / “Recipient” / “5322.To” optional
Signature none
21. @DrKurtA
Particulars of an SPF record
v=spf1 {list of qualifiers + mechanisms}
Qualifiers:
Mechanisms:
+ PASS
(default)
– HARD FAIL
? NEUTRAL ~ SOFT FAIL
ip4 ip6 a
mx all exists
include redirect ptr (deprecated)
22. @DrKurtA
SPF Macros
Allows mechanism definition based on IP or various parts of the
5321.From (MFrom) address
Not all receivers support all macros which are defined in the spec
Some receivers ignore macro-laden expressions
Use with care
24. @DrKurtA
Evaluating SPF
Starting with the domain of the 5321.From (MFrom), look up the TXT record for that
domain to find the SPF record
- If 5321.From is empty, use the domain listed in the HELO/EHLO identity
If there is no record, the result is NEUTRAL
If there is an SPF record, test each mechanism from left to right stopping after a
match is found
- The qualifier determines the result of the match
- Most SPF records end with “–all” or “~all” to provide an unambiguous result
26. @DrKurtA
SPF and Third Parties
A domain owner can authorize third party sources with “include”
But…
- SPF does not support intermediaries in the delivery process
- Intermediaries account for ~5% of email received at several large
mailbox providers
27. @DrKurtA
SPF Gotchas
DNS lookups, including embedded “include:” are limited to 10 queries
- Put non-DNS mechanisms first and put highest volume sources first
Use “~all” instead of “–all”, because some people on the internet
will drop email if SPF fails and “–all” is in place.
Record length can oddly matter. Try to fit SPF into a UDP packet
(~500 bytes).
28. @DrKurtA
More SPF Gotchas
DNS time-to-live (TTL) will affect how quickly changes can be made
Publish SPF records for sub-domains (or use wildcards)
- SPF does not “discover” SPF records if they’re not present
Use tools to check your SPF record
- Tools separate humans from most other creatures.
- Safe to say: Smart creatures use tools.
Be careful what you “include” – other records may be broken or wrong
29. @DrKurtA
SPF Q&A
Why should you care?
Background to the challenges of email authentication
Where does me.example mail come from?
Did my domain (me.example) send this content?
What protections should a receiver look for on me.example mail?
How do I protect me.example?
Making it all work together. . .
30. @DrKurtA
DKIM . . .
Why should you care?
Background to the challenges of email authentication
Where does me.example mail come from?
Did my domain (me.example) send this content?
What protections should a receiver look for on me.example mail?
How do I protect me.example?
Making it all work together. . .
31. @DrKurtA
What is DKIM and what does it do?
DKIM == Domain Keys Internet Mail
Public key crypto to sign a message: body + selected headers
by an ADMD
Private key held by the ADMD
Public key published in DNS by the ADMD based on a “selector”
33. @DrKurtA
Finding the DNS record for DKIM
Look for a TXT record at <s=>._domainkey.<d=>
$dig txt echoe._domainkey.yahoogroups.com +short
"k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDmsJgfzmZfV10FE
4jZ9NAX62SchSffsRHR/ng8TfS8YT33pdMMcUgthGXCw+n7xZOYyYvbII2OemMv
0quJLUZfJFfJj2QSwI49qO3K04cUv0pNFt3/ugWzKl65Hgx1pLAoux5hdtJAmUJ
KM+kaaLaG6nR/qJT2iALWAGqoB2UhOQIDAQAB"
34. @DrKurtA
What does DKIM check?
Snail Mail Email Ifs, Ands & Buts
Postmark • IP address of connection
• PTR record (sometimes called rDNS)
• HELO name
• Cost of admission
• Frequently required
• sometimes with FCrDNS too
• Often unrelated to anything
Envelope From aka “Mail From”/ “MFrom” / “5321.From” • Becomes the “Return-Path”
header
• Named from RFC5321 which
defines the envelope for email
• Usually null for system messages
Envelope To aka “Rcpt To” / “Recipient” / “5321.To” Used for delivery, but not seen by
recipient
Letter From aka “Header From” / “HFrom” / “5322.From” • Display Name – seen, free text
• Email Address – often unseen
Letter To aka “Header To” / “Recipient” / “5322.To” optional
Signature none DKIM – sort of
35. @DrKurtA
DKIM and Third Parties
A domain owner can authorize third party sources several ways
- providing private keys to trusted third parties
- publishing the public keys from trusted third parties
- delegating (sub)domains to trusted third parties
- either full delegation or
- via CNAME or DNAME assignment mechanisms
But…
- Don’t use the same key across all of your subdomains
36. @DrKurtA
DKIM Gotchas
Weak Keys: 1024 bits is the minimum acceptable strength at this time
Typos in DNS records
DKIM does not work everywhere
- Implementation bugs
- Gateways that break the signatures
37. @DrKurtA
DKIM Best Practices
Key rotation: Essential to good security
- Rotate all keys at least twice a year
Automate Everything!
- Far less chance of errors
- “Push a button” to rotate keys if keys get compromised
- Automate everything includes:
- Key generation, publication, rotation – inhouse and outsourced
38. @DrKurtA
DKIM Q&A
Why should you care?
Background to the challenges of email authentication
Where does me.example mail come from?
Did my domain (me.example) send this content?
What protections should a receiver look for on me.example mail?
How do I protect me.example?
Making it all work together. . .
39. @DrKurtA
DMARC . . .
Why should you care?
Background to the challenges of email authentication
Where does me.example mail come from?
Did my domain (me.example) send this content?
What protections should a receiver look for on me.example mail?
How do I protect me.example?
Making it all work together. . .
40. @DrKurtA
What is DMARC?
DMARC = Domain-based Message Authentication, Reporting, and
Conformance
- Authentication – Leverage existing technology (DKIM and SPF)
- Reporting – Gain visibility with aggregate and per-failure reports
- Conformance – Standardize identifiers, provide flexible policy
actions
RFC7489 (Informational)
41. @DrKurtA
How DMARC works. . .
Starting from the 5322.From (HFrom) domain
- look up the TXT record for _dmarc.<domain>
- if that does not exist, lookup _dmarc.<org domain>
Check for authentication success + alignment (HFrom domain):
A. If the SPF result was “PASS” and the SPF domain matches
B. If any of the DKIM signatures validate and the DKIM domain matches
If (A or B), then DMARC PASS, else DMARC FAIL and the
resulting action is based on the DMARC record
42. @DrKurtA
Basics of the DMARC record
$ dig txt _dmarc.yahoogroups.com +short
"v=DMARC1; p=none; pct=100; rua=mailto:dmarc-
yahoo-rua@yahoo-inc.com;”
$ dig txt _dmarc.paypal.com +short
"v=DMARC1; p=reject; rua=mailto:d@rua.agari.com;
ruf=mailto:dk@bounce.paypal.com,mailto:d@ruf.agari.
com
v version
p policy
sp subdomain policy
pct apply to X% of mail
(defaults to 100%)
rua Reporting URI for Aggregate
reports
ruf Reporting URI for Failure
reports
Lesser use:
adkim, aspf alignment policy for
DKIM, SPF (defaults to “relaxed”)
43. @DrKurtA
What is an “Organizational Domain”?
For more information see:
PublicSuffix.org and
the IETF DBOUND working group
From Domain Organizational Domain
host.a.b.c.example.com example.com
ses.amazon.co.uk amazon.co.uk
a13-14.smtp-
out.amazonses.com
amazonses.com
www.perkins.pvt.k12.ma.us perkins.pvt.k12.ma.us
44. @DrKurtA
What do the three DMARC policies mean?
none
quarantine
reject
local policy
45. @DrKurtA
What does DMARC verify?
Snail Mail Email Ifs, Ands & Buts
Postmark • IP address of connection
• PTR record (sometimes called rDNS)
• HELO name
• Cost of admission
• Frequently required
• sometimes with FCrDNS too
• Often unrelated to anything
Envelope From aka “Mail From”/ “MFrom” / “5321.From” • Becomes the “Return-Path”
header
• Named from RFC5321 which
defines the envelope for email
• Usually null for system messages
Envelope To aka “Rcpt To” / “Recipient” / “5321.To” Used for delivery, but not seen by
recipient
Letter From aka “Header From” / “HFrom” / “5322.From” • Display Name – seen, free text
• Email Address – often unseen
Letter To aka “Header To” / “Recipient” / “5322.To” optional
Signature none DKIM domain
46. @DrKurtA
The Cousin Domain Problem
Look-alike or look-similar domains:
bankofamerica.com vs. banckofamerica.com
linkedIn.com vs. linkedln.com (first one is linkedIn)
Unicode trickery: “Joe User” <jοe@google.cοm>
Puny-code trickery: alice@岍岊岊岅岉岎.com
(many MUAs will display alice@xn--citibank.com)
DMARC only protects exact matches (or subdomains thereof)
47. @DrKurtA
DMARC Reporting – Aggregate Reports (rua)
• Each report covers one 5322.From domain
• You should get one from each supporting mailbox provider that sees email
with your From domain
• Daily by default
XML Format
• Organized by sending IP address (as seen by receiver!)
• Contains
• Authentication Results (DKIM, SPF)
• Alignment Results
• Policy actions taken
• Reasons for not taking policy actions
Just publish a “p=none” record to start receiving these
48. @DrKurtA
DMARC Spec – Reporting
XML Format
The policy that was found by
the receiver:
<policy_published>
<domain>facebookmail.com</domain>
<adkim>r</adkim>
<aspf>r</aspf>
<p>reject</p>
<sp>none</sp>
<pct>100</pct>
</policy_published>
50. @DrKurtA
DMARC Reporting – Failure Reports (ruf)
• One per DMARC failure
• AFRF or IODEF formats
• Should at least include ‘call-to-action’ URIs
• Throttling
• Privacy considerations
• Might be redacted
• May not be supported by all receivers that otherwise support DMARC
51. @DrKurtA
Making sense of DMARC reports
Do It Yourself
- Various open source tools and libraries are available
Outsource
- Various vendors are available
For more specifics, consult http://dmarc.org/resources
52. @DrKurtA
DMARC Gotchas
DMARC relies on SPF and DKIM – if those aren’t done right, DMARC will
not work either
Separate your employee mail stream from your product mail stream (use
different domains so you can have different policies)
If you delegate a domain, watch out for vendors over-riding your top-level
policies
Expect to find mail streams that you did not know about!
53. @DrKurtA
DMARC Q&A
Why should you care?
Background to the challenges of email authentication
Where does me.example mail come from?
Did my domain (me.example) send this content?
What protections should a receiver look for on me.example mail?
How do I protect me.example?
Making it all work together. . .
54. @DrKurtA
Protecting “me.example”. . .
Why should you care?
Background to the challenges of email authentication
Where does me.example mail come from?
Did my domain (me.example) send this content?
What protections should a receiver look for on me.example mail?
How do I protect me.example?
Making it all work together. . .
55. @DrKurtA
Protecting Content From Prying (5)Eyes
Invest in properly configured TLS
- Email is an interface to your company and product just as much as
your website
- Use certificates signed by reputable CAs or DANE, not self-signed
ones
- Make sure your cipher suite list disallows weak and compromised
ciphers
- Implement all of the appropriate security controls to prevent
downgrade attacks
56. @DrKurtA
The Achilles Heel of the Internet
DNS
Built on trust, just like SMTP was
In an untrustworthy world – security is critical
- Invest in understanding DNSSEC to make an informed decision for
your domain(s)
- Invest in understanding DANE – an alternative to 3rd party CAs
http://www.internetsociety.org/deploy360/start/
57. @DrKurtA
Protecting “me.example”. . .
Why should you care?
Background to the challenges of email authentication
Where does me.example mail come from?
Did my domain (me.example) send this content?
What protections should a receiver look for on me.example mail?
How do I protect me.example?
Making it all work together. . .
58. @DrKurtA
Protecting Parked or No Email Domains
No mail is sent from this domain
- SPF: v=spf1 -all
No mail is received by this domain
- “Null” MX: “MX 0 .”
But tell me about any attempts to abuse this domain
- DMARC: v=DMARC1; p=reject; rua=report@example.com
Example: gmail.co (Columbian TLD mis-spelling for gmail.com):
- v=spf1 -all
- v=DMARC1; p=reject; rua=mailto:mailauth-reports@google.com
59. @DrKurtA
Protecting “me.example”. . .
Why should you care?
Background to the challenges of email authentication
Where does me.example mail come from?
Did my domain (me.example) send this content?
What protections should a receiver look for on me.example mail?
How do I protect me.example?
Making it all work together. . .
62. @DrKurtA
3rd Party Deployment Profiles
Controlled – The Domain Owner fully
controls their own DNS, and wants as much
control over their email as possible.
Authorized – The Domain Owner lets the 3rd
party dictate the content of some DNS
records, while still retaining some operational
control.
Delegated – The Domain Owner delegates
control of some or all of their DNS to a 3rd
party, and wants to be mostly hands-off with
their email.
Hosted – The Domain Owner allows the 3rd
party to handle everything, and has little
control
63. @DrKurtA
3rd Party Deployment Profiles – Controlled
The Domain Owner retains control of the domain or subdomain, provides DKIM signing
key(s) to 3rd party/ies and publishes the public key(s), and includes the appropriate
information in their SPF record.
Pro
• This scenario allows 3rd parties to send as the organizational domain if desired
• The Domain Owner retains operational control
Cons
• Coordination between the domain owner and the 3rd party mailer(s) is required to ensure
proper DKIM key rotation, accurate SPF records, etc.
• Risk of coordination overhead/issues increases as the number of bilateral relationships
increase for domain owners and vendors.
64. @DrKurtA
Contractual points:
• Process for DKIM key rotation. Obligations of each party, including
testing
• SPF record requirements and process for adding new hosts
3rd Party Deployment Profiles – Controlled
65. @DrKurtA
Similar to Controlled Profile, except the 3rd party creates the DKIM key pair(s) and
generally takes a more active role in dictating record content. This approach is
useful for Domain Owners where a different 3rd party is providing DNS and other
services for the domain.
Pros
• Can streamline provisioning for the 3rd party (but only the first one!)
• One less task for the Domain Owner
Cons
• Can create additional management issues for Domain Owners who use multiple
3rd parties
• Possible additional contractual point for key strength requirements
3rd Party Deployment Profiles – Authorized
66. @DrKurtA
The Domain Owner delegates a subdomain to 3rd party mailer and relies on
contractual relationship to ensure appropriate SPF records, DKIM signing, and
DMARC records
Pros
• Reduces Domain Owner implementation issues to mostly contractual.
• The 3rd party is responsible for SPF records, DKIM signing and publishing, etc.
• Domain owner may still be responsible for ensuring Identifier Alignment.
Cons
• The Domain Owner potentially gives up day to day control,
flexibility/responsiveness and visibility into operations and conformance.
3rd Party Deployment Profiles – Delegated
67. @DrKurtA
Contractual points
• Creation and maintenance of SPF, DKIM and DMARC records
• (At least every 6 months) Rotation of DKIM keys and minimum length of key
(1024 or larger)
• Investigation of DMARC rejections
• Handling of DMARC Reports
• Requirements for reporting back to the Domain Owner
• Indemnification (if any) for mail lost due to improper records or signatures.
3rd Party Deployment Profiles – Delegated
68. @DrKurtA
The 3rd party is also providing DNS, webhosting, etc for the Domain Owner
and makes the process mostly transparent to the domain owner
Pro
• Very easy for less sophisticated Domain Owners.
• Can be mostly automated by the 3rd party.
Con
• The domain owner is significantly more dependent on the 3rd party.
• Can make interactions with more than one 3rd party impossible.
3rd Party Deployment Profiles – Hosted
71. @DrKurtA
Step 1: Categorize the IPs in the Aggregate Report
• Your Infrastructure
• Authorized 3rd Parties
• Unauthorized 3rd Parties *
* You should consider everything an Unauthorized 3rd Party by
default; until proven otherwise
Report Processing and Analysis – Step 1
72. @DrKurtA
Step 2: Infrastructure Auditing
For both your Infrastructure and Authorized 3rd Parties
• Identify owner(s)
• Determine LOE for Deploying Domain Authentication
• Determine LOE for Identifier Alignment
• Evaluate or prepare business case / justification
Report Processing and Analysis – Step 2
73. @DrKurtA
Step 3: Identify Malicious Email
Research Unauthorized 3rd Parties and label the Abusers
• Use public data sources
• Vendor services
• Look out for known failure cases (SPF/DKIM/DMARC)
• Failure reports
Report Processing and Analysis – Step 3
75. @DrKurtA
Consider:
• Phish vs. False Positives
• Phish vs. Total Aligned Email
If there is no Phish, you don’t have a Domain Spoofing problem
(at this time)
Report Processing and Analysis – Step 4
Phish Unaligned Email From Abusers
Definite False
Positives
Unaligned Email from Your Infrastructure +
Unaligned Email from Authorized 3rd parties
Potential False
Positives
Unaligned Email from Unauthorized 3rd parties
77. @DrKurtA
Step 1: Verify Authentication and Alignment for all of your
Infrastructure and all Authorized 3rd Parties
Step 2: Update your record to:
p=quarantine; pct=10;
Do not:
• Skip ‘quarantine’ and go straight to ‘reject’
• Change the policy action from ‘none’ without setting a ‘pct’
Initial Policy Ramp-up
78. @DrKurtA
Initial Policy Ramp-up
Step 3: Monitor your reports for issues and address them.
Make a ‘go forward / go back’ decision.
Step 4: Update your record to increase the ‘pct’.
Step n…: Rinse and repeat until you get to ‘pct=100’.
81. @DrKurtA
Ongoing Monitoring
•Categorize new IPs in Aggregate reports
• Your Infrastructure
• Authorized 3rd Parties
• Unauthorized 3rd Parties
• Abusers
•Reassess the Threat Level
• Increases in phish
• Changes in unaligned email volume
• Make changes accordingly
• Takedowns or other phish responses
82. @DrKurtA
Ongoing Monitoring
Be on the look out for:
• Infrastructure changes
• New products / new subdomains
• New authorized 3rd parties
• Mergers and acquisitions
83. @DrKurtA
Protecting “me.example” – Q&A
Why should you care?
Background to the challenges of email authentication
Where does me.example mail come from?
Did my domain (me.example) send this content?
What protections should a receiver look for on me.example mail?
How do I protect me.example?
Making it all work together. . .
84. @DrKurtA
Take Home Points
In-house
- If email is important to your company and even more so if it is important to your
product – email authentication is critical invest in doing it right and keeping it up
to date
Out-sourced
- Understand how your 3rd parties manage SPF (include values)
- Understand how they handle DKIM (pay extra if needed to get your own keys)
- Key rotation + length
- Understand how they work with DMARC and DMARC reports
85. @DrKurtA
Resources – Email Domain
Authentication http://dmarc.org/resources
- Articles, Tutorials and Videos Online materials explaining DMARC and related or
underlying email authentication technologies.
- Code and Libraries Modules and packages that you can deploy or build into
programs that implement DMARC.
- Deployment Tools Tools and services you can use when deploying DMARC.
Everything from DMARC DNS record builders, to message validators / reflectors
that help you determine if DKIM/DMARC/SPF is working as expected.
- Products and Services Products and services that can assist you in deploying
DMARC and related technologies. Everything from hosted email services, to
email security firms, to mailing list management software.
http://dmarc.io
87. @DrKurtA
Points to Ponder
This is not “fire-and-forget”
In a dynamic environment, protecting your domain requires
constant vigilance
What is your “bus number” for this critical activity?