UTM: DKIM & DMARC what are you guys doing??

I would always front-end a mail server with either a hosted solution or an on premise security appliance.  It offloads that functionality and gives you a place to quarantine, inspect, or isolate traffic.

Hi darrellr,

darrellr said:

I would always front-end a mail server with either a hosted solution or an on premise security appliance.  It offloads that functionality and gives you a place to quarantine, inspect, or isolate traffic.

 

Thanks for replying.

Yes but as you cannot use the UTM for DMARC, what do you use for on-premise spam solution?

Err why can't you use it for DMARC?

We have SPF, DKIM & DMARC set up for our domains. The records are setup in DNS rather than the UTM with the exception of DKIM where you need to provide the private key.

With regards to setups, we use:

Exchange transport servers are the only servers to be able to send and receive mail via the UTM
DNS Servers are the only server to use the dns proxy. Clients use the internal DNS servers.
Exchange web and outlook is reverse proxied via the UTM

I do not use anything on-premise.  But when I said on-premise I meant an email security appliance rather than a UTM appliance, sorry that was unclear.  A separate kit.  I am not judging which is best, but it includes Cisco, Barracuda, Fortinet, etc..  There are lots out there.  As stated, I use a hosted solution.  Those might include Microsoft Exchange online with ATP, Google, Proofpoint, etc..

Louis-M said:

Err why can't you use it for DMARC?

We have SPF, DKIM & DMARC set up for our domains. The records are setup in DNS rather than the UTM with the exception of DKIM where you need to provide the private key.

 

But user doesn't get the reporting feature of DMARC, that is a very wanted feature, how did you solve that?

https://ideas.sophos.com/forums/17359-sg-utm/suggestions/2554345-enable-dmarc

Can your UTM handle the rua= switch for telling about misuse of emails??

https://en.wikipedia.org/wiki/DMARC

The RUA is put in at DNS level. We get aggregate and abuse reports sent to our group admin email address. There is no setting up of DMARC on the UTM.

The RUA is put in at DNS level. We get aggregate and abuse reports sent to our group admin email address. There is no setting up of DMARC on the UTM.

Louis-M said:

The RUA is put in at DNS level. We get aggregate and abuse reports sent to our group admin email address. There is no setting up of DMARC on the UTM.

 

Yes I know, but I cannot see the UTM is handling DMARC lookups at all, it cannot tell you in mail manager, that DMARC is the reason for reject. I know other filters on the web can make use of the DMARC record you have, but what about the UTM you have on-premise??

This post has become hard to understand.   Nonetheless, I will attempt to comment, hopefully you will be able to use it to clarify your question.

If your email service is externally hosted, I don't see that UTM has any role for email security, either inbound, outbound, or monitoring.   This is because email does not flow through UTM for these configurations.   (I exclude the POP3 proxy from consideration for this topic.)   

Assuming that you email is hosted behind the UTM, these considerations apply:

1) Applying DKIM signatures to make outbound mail more likely to be trusted by the recipient.

DKIM signatures can be applied to outbound mail by any device in the outbound sequence.   UTM is one option, although it lacks the user interface features to help you generate the key pair.   I recommend doing the signature on your mail server if possible.   I am aware of a third-party option to add DKIM capability to Microsoft Exchange, and it is relatively inexpensive.   For a DKIM signature to be useful, the public key must be published in your Internet DNS.

DKIM can sign by individual, by email sender domain, or by mail server domain.   I have not seen individual signature usage, because it requires maintaining a DNS entry for each individual in your organizatoin.  If your mail server domain and your email sender domain and your user-visible "FROM" domain all match, the signature is of more value than if they are different.  Multiple signatures are allowed, so you could potentially sign for each of the three entities.

2) Publishing SPF information

This is done exclusively in DNS.  In big organizations, SPF is often incorrect because the IT department is unaware of third-parties that are contracted to send mail using the organization's identity.   If you are going to use SPF, ensure that you know how it needs to be set to validate all of the legitimate mail sent using your email domain.

Additionally, many SPF settings end with ?all, which makes the entire SPF entry meaningless.

3) Publlishing DMARC policy

This is also done in DNS.  The recommended setting is to indicate "all mail will comply with SPF or will have a DKIM signature".   The DKIM signature helps to ensure that forwarded mail will be trusted. 

4) Interpreting DMARC, DKIM, and SPF information on incoming mail.

UTM optionally checks SPF, but its policy is so strict that I have not found it useful.   If enabled, any SPF violation is blocked, which will include all forwarded mail and lots of mail from organizations that do not have their SPF policy configured correctly.  As far as I know, DMARC policies are not used at all.   I assume that the DKIM signature is a factor in the SPAM detection algorithm, but there is no way to know this for certain.

5) Processing DMARC reports sent from other mail systems about your mail identity.

I have not found software to do this, but have not looked very hard.   UTM is not a tool for this purpose, and probably should not be.   The right tool will be a database application running on a server with lots of storage space and processing power.

Hope this helps.

Hi DouglasFoster,

Thanks for your thorough post! - great writing!

I can cleary see that the post has become somewhat confusing, so great you volunteered and sorted things out.

Firstly I am perfectly aware how DMARC works, the article was about the UTM not being able to handle DMARC and what others have done to get around that.

Just to roll through your bullet points:

1)

Yes the UTM cannot do this solely, but with a little help, this can be done easily, this is one of many:

https://martinsblog.dk/sophos-utm-setting-up-dkim-for-mail-security/

2)

SPF options are fail, SoftFail or Neutral(But cannot be changed from gui to do which with what), but I am not seeing the same things as you do, I use SPF with success everywhere, I have never seen domains being blocked, except that their SPF was wrong setup. Missing SPF for a domain, will never lead to a denied i SMTP agent.

3)

Totally agree :-)

4)   

See this is exactly what I was searching for with this post (question), I think more and more, that people are moving to a hosted spam solution or maybe a third party anti spam solution, not being the UTM. I wrote this as I also test the XG firewall, and for some weird reason, DMARC was removed recently!!

https://community.sophos.com/products/xg-firewall/sophos-xg-beta-programs/sfos-v170-beta/f/sfos-v170-beta-feature-requests/97119/email-enhancements-spf-dkim-dmarc

https://community.sophos.com/products/xg-firewall/f/email-protection/94041/sophos-xg-dkim-and-dmarc-no-longer-supported/340573

For me it looks like DMARC is not going to be supported  for some time, but problem is that company policies and audits requires them! - So I guess I need to tell thoose customers to stop using UTM for antispam and get another solution for that, I cannot even tell them to switch to XG, it's a little sad I think.

5)

I have with success tested the following (Both have free accounts, easily measuring my private email budget :-) )

https://ondmarc.com/

https://www.dmarcanalyzer.com/

(And no I do not work for any og them :-) )

Again, thanks a lot for participating!

I am surprised that an auditor is requiting these features.

You can use more than one spam filter.  The data analysis limitations of UTM Spam filter would trouble me if it was the only one that I was using.   I use it behind a pre-existing spam filter, and UTM catches stuff that the other device misses.  So if they buy one for DMarc, they can still use UTM as well.

There are different degrees of auditors :-D

Two antispam solutions is also a working solution, but primarily I am the fan of just one :-)