The Importance of DMARC for Australian Organisations: Business Benefits and Requirements

In an era where email remains the primary communication channel for organisations, ensuring its security has never been more critical. Cybercriminals increasingly exploit email to launch phishing attacks, impersonate businesses, and steal sensitive information. For Australian organisations, deploying DMARC (Domain-based Message Authentication, Reporting, and Conformance) is essential not only for cybersecurity but also for maintaining business continuity, reputation, and regulatory compliance.

Understanding DMARC

DMARC is an email authentication protocol that helps organisations protect their domains from being used in malicious activities such as phishing and spoofing. It works by aligning SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) records with the organisation's email domain and provides domain owners with control over how unauthenticated messages are handled.

Business Benefits of DMARC for Australian Organisations

1. Protecting Brand Reputation

   Brand trust is paramount for Australian businesses, especially in industries like finance, healthcare, and e-commerce, where customer data and transactions are critical. A compromised email domain can lead to customers receiving fraudulent emails, damaging trust and harming the organisation's reputation.

   DMARC helps prevent domain spoofing, ensuring that only legitimate emails reach customers and stakeholders.

2. Improving Email Deliverability

   A properly configured DMARC policy enhances email deliverability by verifying the authenticity of emails sent from your domain. Internet Service Providers (ISPs) are more likely to deliver authenticated emails to the inbox rather than flagging them as spam or rejecting them outright.

   For Australian businesses engaged in global trade, improved deliverability ensures seamless communication with partners and customers worldwide.

3. Reducing Cybersecurity Risks

   DMARC mitigates phishing attacks by blocking unauthorised use of your domain in emails. This reduces the likelihood of financial losses, legal implications, and data breaches caused by successful phishing campaigns targeting employees or customers.

4. Insights Through Reporting

   DMARC provides detailed reports on email authentication activity. These reports allow organisations to:

   • Monitor who is sending emails on behalf of their domain.
   • Detect and respond to potential misuse in real-time.
   • Gain insights into their email ecosystem for optimisation.

5. Enhancing Regulatory Compliance

   Australia’s regulatory environment increasingly emphasises the need for robust cybersecurity measures. Adopting DMARC helps organisations align with requirements outlined in the Australian Privacy Act, Essential Eight Strategies to Mitigate Cybersecurity Incidents, and industry-specific standards such as APRA CPS 234 for financial institutions.

Business Requirements for DMARC Implementation

1. Setting Up SPF and DKIM

   DMARC requires a foundation of SPF and DKIM configurations. Australian organisations should:

   • Publish SPF records to specify authorised email servers.
   • Implement DKIM to add a cryptographic signature to emails for integrity verification.

2. Publishing a DMARC Record

   A DMARC record is a DNS TXT entry that specifies the organisation's policy for handling unauthenticated emails (none, quarantine, or reject). Initially, a policy of “none” allows organisations to monitor email traffic without impacting delivery.

3. Analysing DMARC Reports

   Analysing aggregate and forensic reports is vital for understanding domain activity and detecting potential abuse. Using DMARC analysis tools can streamline this process and provide actionable insights.

4. Moving to Enforcement

   Once confident in the authentication configurations, organisations should move to stricter DMARC policies (“quarantine” or “reject”) to actively block unauthenticated emails.

5. Ongoing Maintenance

   Maintaining DMARC involves regular monitoring, updating SPF and DKIM records as necessary, and ensuring new email systems or vendors align with DMARC policies.

Conclusion

For Australian organisations, DMARC is more than a technical safeguard; it is a business enabler that fosters trust, improves communication reliability, and safeguards against growing cyber threats. By implementing DMARC, businesses can not only protect their brand and customers but also meet regulatory obligations and strengthen their position in an increasingly competitive market.

The benefits of DMARC—from enhanced deliverability to reduced cyber risks—make it a must-have in any organisation’s cybersecurity strategy. As email threats evolve, DMARC provides Australian businesses with a robust framework to secure their communications and build lasting trust with stakeholders.

Understanding Email Deliverability and the Dangers of SPF Misconfigurations: Lessons from the MikroTik Botnet Attack

Email deliverability is a cornerstone of successful communication in today’s digital world. However, its effectiveness hinges on properly configured email authentication protocols, such as the Sender Policy Framework (SPF). Missteps in SPF configurations can open the floodgates for abuse, as highlighted in the recent MikroTik botnet attack, which exploited misconfigured SPF DNS records to propagate malware. This post unpacks the implications of SPF misconfigurations, particularly the peril of using +all in SPF records, and draws parallels to this alarming incident.

---

SPF and the Role It Plays in Email Authentication

SPF is a DNS-based email authentication protocol that helps domain owners specify which mail servers are authorized to send emails on their behalf. By publishing an SPF record in their domain’s DNS settings, administrators create a list of permitted IP addresses. When an email is received, the recipient's mail server checks the sender's IP against this list. Based on the SPF evaluation (Pass, Fail, Neutral, or SoftFail), the server determines whether the email is legitimate.

A correctly configured SPF record strengthens a domain’s email reputation, minimizes spam, and prevents spoofing. However, misconfigurations can have the opposite effect.

---

The MikroTik Botnet Incident: A Case Study

A recent report from BleepingComputer revealed how attackers exploited misconfigured SPF records to spread malware. The botnet, powered by compromised MikroTik routers, sent phishing emails with malicious attachments. The attackers abused improperly configured SPF records, which either lacked strict enforcement or explicitly allowed all servers to send on behalf of a domain.

This misconfiguration enabled malicious actors to impersonate legitimate domains, bypassing email security checks and delivering their payloads to unsuspecting victims. Once recipients opened the attachments, their systems were infected, and the botnet grew larger, perpetuating a vicious cycle.

---

The Danger of +all in SPF Records

At the heart of the SPF misconfiguration issue lies the improper use of +all. In an SPF record, +all effectively authorizes any mail server to send emails on behalf of the domain. This is akin to leaving the door wide open and inviting both legitimate and malicious traffic.

For example, consider this SPF record:

v=spf1 +all

This configuration tells receiving mail servers that all IP addresses are allowed to send emails for the domain. While this approach eliminates deliverability issues caused by overly restrictive policies, it undermines the very purpose of SPF, leaving the domain vulnerable to abuse.

Instead, administrators should use restrictive mechanisms like -all (fail) or ~all (soft fail) to enforce stricter authentication:

• -all: Emails from unauthorized servers are rejected outright.
• ~all: Emails from unauthorized servers are marked as suspicious but may still be delivered.

---

Lessons Learned and Best Practices

1. Audit Your SPF Records Regularly
   Review SPF configurations to ensure only trusted IP addresses and mail servers are listed. Avoid using +all or overly permissive settings.

2. Implement Complementary Email Authentication Protocols
   While SPF is crucial, it should be combined with other protocols like DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting, and Conformance) for a layered defense.

3. Monitor for Abnormal Email Activity
   Use monitoring tools to detect spikes in email traffic or unusual patterns that could indicate a compromise.

4. Secure Network Infrastructure
   The MikroTik incident underscores the importance of securing routers and other network devices to prevent them from being hijacked for malicious purposes.

5. Educate End-Users
   Train employees and users to recognize phishing emails and avoid interacting with suspicious attachments or links.

---

Conclusion

The MikroTik botnet attack serves as a cautionary tale about the consequences of SPF misconfigurations, particularly the misuse of +all. Properly configuring SPF records, combined with a comprehensive email authentication strategy, is critical to safeguarding email deliverability and protecting against abuse. Organizations must remain vigilant, regularly audit their email infrastructure, and adopt robust cybersecurity practices to ensure that their communication channels remain secure and trustworthy.

The Importance of High Availability for Postfix in Large On-Premises Email Relays

In environments with high email traffic, such as universities, ensuring high availability (HA) for email relay infrastructure is paramount. Reliable email delivery impacts communication, operations, and the academic experience. Open-source tools like Postfix, combined with modern load balancing and failover solutions, can provide a robust, scalable email relay system. This article explores how Postfix can be configured for HA in such scenarios, using Debian as the base operating system.

Understanding High Availability in Email Relays

High availability ensures continuous operation of email relay services even during server failures or maintenance. For universities, where thousands of emails are sent daily from various departments, research groups, and administrative offices, disruptions in email flow can lead to significant operational challenges. Configuring Postfix in an HA setup ensures:

1. Redundancy: Eliminating single points of failure.
2. Load Balancing: Distributing email traffic evenly across multiple Mail Transfer Agents (MTAs).
3. Failover: Seamless transition during server downtimes or network issues.

Setting Up Multiple MTAs with Postfix on Debian

Postfix, known for its flexibility and performance, is an ideal choice for handling unauthenticated email relay within a university’s internal network. Here’s how you can set up multiple MTAs:

1. Install Postfix on Debian:

   apt update && apt install postfix
   

   Configure Postfix to operate as a relay host during installation.

2. Restrict Access to LAN IPs: In the Postfix configuration file /etc/postfix/main.cf, restrict relay permissions to LAN IPs:

   mynetworks = 192.168.0.0/16 [::1]/128
   relay_domains = *
   smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
   

3. Enforce TLS 1.3 to Smarthosts: Configure Postfix to communicate with smarthosts over TLS 1.3:

   smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, TLSv1.2, TLSv1.3
   smtp_tls_security_level = encrypt
   smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
   

4. Reverse DNS Setup: Ensure all university IPs have reverse DNS entries pointing to meaningful hostnames to avoid being flagged as spam.

5. DKIM Signing and SPF Records:

   • Use smarthosts to apply DKIM signatures to outgoing emails.
   • Ensure the smarthost IPs are listed in the university domain’s SPF record.

     v=spf1 ip4:203.0.113.0/24 -all
     

Load Balancing with HAProxy

To distribute traffic among multiple MTAs, HAProxy acts as a load balancer:

1. Install HAProxy:

   apt install haproxy
   

2. Configure HAProxy: Create /etc/haproxy/haproxy.cfg:

   global
       log /dev/log local0
       maxconn 2000
   
   defaults
       log global
       option tcplog
       timeout connect 5000ms
       timeout client 50000ms
       timeout server 50000ms
   
   frontend smtp_frontend
       bind *:25
       mode tcp
       default_backend smtp_backend
   
   backend smtp_backend
       mode tcp
       balance roundrobin
       server mta1 192.168.1.2:25 check
       server mta2 192.168.1.3:25 check
       server mta3 192.168.1.4:25 check
   

   Restart HAProxy to apply the changes.

Adding Failover with Keepalived

Keepalived ensures continuous availability by managing virtual IPs with failover and failback capabilities.

1. Install Keepalived:

   apt install keepalived
   

2. Configure Keepalived: Create /etc/keepalived/keepalived.conf:

   vrrp_instance VI_1 {
       state MASTER
       interface eth0
       virtual_router_id 51
       priority 100
       advert_int 1
       authentication {
           auth_type PASS
           auth_pass secret
       }
       virtual_ipaddress {
           192.168.1.100
       }
   }
   

   Configure similar instances on other servers with adjusted state and priority values.

3. Restart Keepalived:

   systemctl restart keepalived
   

End-to-End Email Relay Workflow

1. Email Submission: Devices within the university LAN submit emails to the Postfix servers via HAProxy.

2. Relay and Encryption: Postfix enforces TLS 1.3 and relays the email to configured smarthosts.

3. DKIM Signing and SPF Validation: Smarthosts sign outgoing emails with DKIM, and their IPs align with the SPF records.

4. Recipient Delivery: The smarthosts send the emails to their final destinations.

Benefits of the Architecture

• Resilience: Redundant MTAs and load balancing minimize downtime.
• Security: TLS enforcement and compliance with email authentication protocols reduce the risk of spoofing and data breaches.
• Scalability: HAProxy and Keepalived allow seamless addition of MTAs to handle increased traffic.

By combining Postfix, HAProxy, and Keepalived, universities can build a high-performance, resilient email relay system that ensures reliable communication across campus.

Understanding DMARC: Protecting Your Domain with SPF, DKIM, and Alignment

Email security is a crucial element in ensuring that your communication remains trusted and your brand's reputation intact. DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a powerful protocol that builds on two other essential email authentication methods: SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). Together, they create a robust defense against email spoofing and phishing attacks. But how does DMARC work, and what is its relationship with SPF and DKIM?

Let’s break it down.

---

The Foundations: SPF and DKIM

SPF (Sender Policy Framework)

SPF is an email authentication method that allows domain owners to specify which mail servers are authorized to send emails on their behalf.

Here’s how SPF works:

1. The domain owner publishes an SPF record in their DNS.
2. When an email is sent, the receiving server checks the SPF record to ensure the sending server’s IP address matches what’s listed in the DNS.
3. If it matches, the SPF check passes; if not, it fails.

Example Scenario:
Imagine your domain, example.com, authorizes only Mail Server A to send emails. If someone tries to send an email from example.com using Mail Server B, the SPF check will fail, alerting the recipient that the email may not be legitimate.

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to your email headers to verify that the message has not been altered in transit and that it originates from an authorized domain.

Here’s how DKIM works:

1. The domain owner generates a public-private key pair and publishes the public key in their DNS.
2. When sending an email, the mail server signs the email with the private key.
3. The receiving server retrieves the public key from DNS to validate the signature.

Example Scenario:
If an email’s signature matches the domain's public key, it confirms that the message is genuine and hasn’t been tampered with.

---

The Role of DMARC

While SPF and DKIM are effective on their own, they have a critical limitation: neither verifies whether the domain being authenticated aligns with the one visible to the email recipient (the “From” address). This gap allows bad actors to exploit unauthenticated subdomains or domains and impersonate trusted brands.

DMARC addresses this by introducing alignment and enforcing policies that dictate how email servers handle messages that fail SPF or DKIM checks.

Alignment: The Key to DMARC

Alignment ensures that the domain used to pass SPF or DKIM checks matches the domain in the "From" header of the email. There are two types of alignment:

1. SPF Alignment:

   • Strict Alignment: The domain in the SPF check (the MAIL FROM or Return-Path domain) must exactly match the domain in the "From" address.
   • Relaxed Alignment: The domains must share the same organizational domain (e.g., mail.example.com aligns with example.com).

2. DKIM Alignment:

   • Strict Alignment: The domain in the DKIM signature must exactly match the domain in the "From" address.
   • Relaxed Alignment: The domains must share the same organizational domain.

DMARC Policies

DMARC allows domain owners to specify what action receiving servers should take when a message fails authentication checks:

• None: No action is taken; used for monitoring.
• Quarantine: Messages failing authentication are sent to the spam/junk folder.
• Reject: Messages failing authentication are outright rejected.

---

Why SPF and DKIM Alone Aren’t Enough

Without DMARC, even if a message passes SPF or DKIM, it can still appear to come from an unauthorized sender because alignment isn’t enforced. For example:

• SPF Only: A malicious actor could send an email with a forged "From" address while using an authorized sending server listed in the SPF record.
• DKIM Only: The email could pass DKIM verification, but the domain in the DKIM signature might not align with the "From" address.

DMARC eliminates these vulnerabilities by requiring SPF or DKIM to pass and ensuring alignment.

---

The Prerequisites for Passing DMARC

To pass DMARC, a message must meet these conditions:

1. Pass SPF or DKIM checks (or both).
2. Achieve domain alignment with the "From" address for at least one method (SPF or DKIM).

Example:

• An email is sent from sales@example.com.
• SPF passes because the sending server is authorized in the SPF record for example.com.
• DKIM passes because the message is signed with a private key matching example.com.
• Alignment is achieved for both SPF and DKIM because the authenticated domains match the "From" address (example.com).

Result: The email passes DMARC.

---

Conclusion: Why DMARC Matters

DMARC is the glue that binds SPF and DKIM together, creating a comprehensive framework for email authentication. By enforcing alignment, DMARC ensures that only legitimate emails are delivered to recipients, protecting your domain from spoofing and phishing.

For businesses, implementing DMARC is not just about security—it’s about preserving trust and reputation in every email you send. By publishing a DMARC policy, monitoring results, and gradually moving from "none" to "quarantine" or "reject," you can build a robust email authentication strategy that stands the test of evolving threats.

Ready to protect your domain? Start by evaluating your SPF and DKIM setup, align them with your "From" address, and deploy DMARC with confidence. Your email deliverability—and your brand—will thank you.

Understanding SPF and the Role of SPF Macros in Email Deliverability

Email deliverability is critical for businesses and individuals to ensure their messages reach the intended recipients' inboxes and avoid being marked as spam. One of the key elements in securing email systems and improving deliverability is the implementation of Sender Policy Framework (SPF). SPF is a protocol that helps prevent email spoofing and phishing by allowing domain owners to specify which mail servers are permitted to send emails on their behalf. In this article, we explore SPF and how SPF macros are used, with a look at some market solutions such as Valimail, Proofpoint Hosted SPF, and the Expurgate GitHub project with rbldnsd.

What is SPF?

Sender Policy Framework (SPF) is an email authentication method that verifies if an email message comes from an authorized mail server. When a mail server receives an email, it checks the SPF record of the sender's domain to see if the sending mail server's IP address matches the IP addresses authorized by the domain’s SPF record. If there is a match, the email is considered legitimate; otherwise, it is flagged as suspicious or potentially fraudulent.

SPF records are published as DNS (Domain Name System) records, and they contain a list of authorized IP addresses and mail servers that can send emails on behalf of the domain. These records follow a particular format, with mechanisms (such as ip4, ip6, a, and mx) used to define which servers are allowed.

SPF Macros: A More Flexible Approach

SPF macros provide enhanced flexibility in SPF records. SPF macros allow domain owners to define more dynamic, context-sensitive SPF policies by using placeholders or variables that are expanded when the SPF record is evaluated. SPF macros can be used to customize the authorization rules based on specific conditions such as the sender's IP address or the domain from which the email is sent.

SPF macros are most commonly used in conjunction with the exp mechanism, which specifies an explanation to be included in SPF failure reports. These macros can extract and display values like the sender’s IP address, the recipient domain, or even the type of SPF failure that occurred. This makes SPF not only a method for verifying email authenticity but also a way to generate detailed failure reports for further investigation and analysis.

Solutions in the Market for SPF Management

Several solutions in the market offer SPF management and enhance its capabilities by providing services like automated SPF record generation, monitoring, and customization using macros. Let’s explore some of the prominent providers:

1. Valimail
   Valimail is a leader in email authentication and provides a solution that simplifies the management of SPF, DKIM, and DMARC records. With Valimail’s platform, businesses can automate the process of creating and maintaining SPF records, ensuring that only authorized mail servers can send emails on their behalf.
   Valimail’s solution includes automated SPF record updates and the ability to manage SPF macros effectively, making it easier to implement dynamic policies. It also provides real-time visibility into email security metrics, which is crucial for detecting and mitigating spoofing and phishing attempts.

2. Proofpoint Hosted SPF
   Proofpoint offers a hosted SPF solution as part of its broader email security suite. This solution allows customers to configure and manage SPF records easily without the need for manual updates. Proofpoint Hosted SPF enables SPF macro usage, helping users create more tailored policies based on dynamic variables such as email sending IP addresses.
   With Proofpoint, businesses can protect their email infrastructure, reduce the risk of spoofing, and improve deliverability by ensuring their SPF records are correctly configured and maintained.

3. Expurgate GitHub Project using rbldnsd
   The Expurgate project on GitHub provides an open-source solution for managing SPF records and implementing advanced email security policies. Expurgate uses rbldnsd, an efficient DNS server, to handle the dynamic querying of SPF macros and provide real-time response for email checks.
   By utilizing rbldnsd, Expurgate can offer a high-performance solution for managing SPF records, particularly in environments where scalability and reliability are paramount. Expurgate also allows users to implement customized SPF checks, making it a powerful tool for those looking to incorporate SPF macros into their email security practices.

Conclusion

SPF plays a pivotal role in improving email security and ensuring proper email deliverability. The introduction of SPF macros adds a layer of flexibility, allowing domain owners to create dynamic and highly tailored policies that adapt to different email-sending scenarios. By leveraging solutions like Valimail, Proofpoint Hosted SPF, and the Expurgate GitHub project with rbldnsd, businesses can automate, scale, and enhance their email security posture while maintaining compliance with the latest authentication standards.

The combination of SPF, SPF macros, and advanced solutions available today makes it easier than ever for organizations to ensure their emails are authentic, their domains are protected, and their communication with customers and partners remains secure.