@@MDaemonTechnologies I also subscribed to you and activated alert and now I'm browsing your videos instead of working. HAHA. Another proof that good content works better than ?%//$ clickbait 😅
You should do a more in-depth video and cover things like what header SPF uses to validate the sending server (Mail-From), what headers are generally used to calculate the DKIM signature, why and how forwarders frequently break DKIM by changing headers, and what "alignment" actually means in regard to DMARC (the domains used to pass DKIM and SPF must match the domain in the "From" header).
Excellent Explanation !! Thanks for the video. Just one query I had the receiving mail server quarantines or rejects mostly based on the DMARC settings published by the sender. So believe just like SPF and DKIM, DMARC is also queried to take that decision and we can always alter that decision at the DMARC policy-setting on our end too.
Yes, while domain owners can set their preferred quarantine/reject policies in their own DMARC records, SecurityGateway administrators can override those preferences to handle those messages based on their own needs. Brad Wyro MDaemon Technologies
Also a question - SPF alone has matching policies (hard, soft etc), same goes for DKIM. What is their role and effect when there is DMARC in place? If, say SPF dictates to allow all, while DKIM or DMARK policy says otherwise and is in direct conflict, which one action takes precedence?
Hello Max. I did some research on this and found that the recommend practices while deploying DMARC is to set your SPF policy to SOFTFAIL (~all) while your DMARC policy (p= tag) is set to p=none. Then, after you've had enough time to review your DMARC forensic & aggregate reports, set your SPF record to HARDFAIL (-all) and then, at that time, set your DMARC policy to p=quarantine or p=reject. - Brad
Thanks for the clear tutorial, what about configuring the protection of SMTP itself? my application tries to send an email to SMTP and it gets always blocked by the ISP for spam related protection.
Are you using a business email account? What application are you using? Are you referring to your email client? If you are sending mail through your ISP from an on-premise mail server, or via a hosted email service, many ISPs block transmission on the standard SMTP port - port 25. Do you know what port you're using for SMTP? Brad
DKIM, SPF & DMARC are all implemented via DNS records, so they are not product-specific. If mail from your domain is sent from both Office 365 and Proofpoint, then both would need to be included in your domain's SPF record, and both would need to be able to sign outbound messages with DKIM. Your DMARC record would simply tell receiving servers how to handle messages that don't properly align with DKIM & SPF. Brad
Interesting what they did (feels a bit like a hack) to 'fix' holes in the original SMTP protocol to deal with spam. I suspect that this does slow down mail processing a bit... No longer a 'Simple Mail Transfer Protocol' ....
Hello Yusuf. You will need to first implement DKIM and SPF. You will need to publish a DKIM (public) key to DNS, and sign outbound mail with the private DKIM key on your mail server or gateway. For SPF, you will need to set up an SPF record in DNS that designates servers that are authorized to send mail on behalf of your domain. Once DKIM & SPF have been implemented, you can then create a DMARC record and then deploy DMARC. Here's a webinar I conduced that provides an overview of how to deploy DMARC. It's a few years old, but the same concepts still apply. ua-cam.com/video/vrMMKmxCmqs/v-deo.html Brad Wyro MDaemon Technologies
DMARC was designed to use both DKIM and SPF. If you've only implemented one or the other, then you could still use DMARC's reporting feature to receive aggregate & forensic reports indicating how your domain is being used. This article explains using DMARC with only SPF (and thus, it's the opposite scenario from what you're asking), but you may find some of its content helpful. dmarc.org/2017/03/can-i-use-dmarc-if-i-have-only-deployed-spf/
SecurityGateway is software that runs on Windows. You can download it here: www.altn.com/Downloads/SecurityGateway-Free-Trial/ We also have hosted options, which you can learn about here: www.securitygatewayforemail.com/ If you need further assistance, I'll be happy to help. Brad
This video is like teaching someone what water is made of and various variables of water and how it works when all I'm trying to do is learn how to swim. Do I really need to know all this extra stuff to just send an email? The answer is no, however just telling us how to utilize SPF, DKIM, and Dmarc would of been helpful.
in this time of video (8:22) i notice that you had a txt record for DKIM which is not correct because you name it as "dkim" , i think it's not working in practical scenarios because it should be named like "selector.domainkey" otherwise recipient servers could not query this correctly (Based on my Test) , idk maybe you named it just for learning aspects. anyway thank for your great video
Hello Zanzhar. The message is not signed with anything that's publicly available in DNS. DKIM uses a "selector" to sign messages with the corresponding private key. The public key is there to provide the receiving servers performing DKIM verification (that have the emails containing the private key) something they can download and check against the private key, but those keys are not exact duplicates of each other, so a potential hacker can't simply take the public key from a signed message & use it to sign outbound messages. - Brad
DKIM SPF & DMARC will be a major issue for businesses & individuals in 2024. so many businesses are sending emails and emails are ending up in spam. going to be a lot disruptions for businesses and plenty of work for people in I.T. written in Jan 2024....
You could and should use both DKIM and SPF. Any server capable of forwarding mail on your behalf would need to be present in your SPF record either by name or IP.
Hello Aniket. I've created a tutorial video that explains the SPF record creation process. You can watch it here: ua-cam.com/video/9rn1tXJ6HUk/v-deo.html Brad
This is the best DMARC video in UA-cam.
This is an absolutely FANTASTIC video. You explain it so clearly and pitch at a good level. Thanks for putting it out there. It helped me a lot.
Thank you! We're glad you found this video useful.
I have watched many videos, no one explained it as you did!! amazing many thanks
Fantastic explanation. After long time , I am able understand DMARC. thank you.
Thank you for the feedback!
God bless you. You have made my day by making this lesson so simple to understand through your video. I would give a million like if it were possible.
Simply amazing- Great job with breaking down how all of these protocols work together. Great Job
Just understanding the basics and this was a perfect place to start
OMG! Lots of years that I've been trying to understand all of this. Now, I do !!!! Thank you for this very good video !
Glad you found it helpful!
@@MDaemonTechnologies I also subscribed to you and activated alert and now I'm browsing your videos instead of working. HAHA. Another proof that good content works better than ?%//$ clickbait 😅
Before this video I went through many others but no clarity...very nicely explained. Thanks a lot. Keep sharing more.
This was simply THE best overview-Tutorial on this topic. Thank you so much - just subscribed to your channel.
This video I must say that is great. I've learnead a lot from it, and it is so far the simplest. As a future computer engineer, thank you very much!
Clear and simple explanation. Excellent work.
Glad it was helpful!
Awesome, could not be explained any better than this. thank you for putting this very useful video together and sharing it with us. God bless you
Glad you found it useful, Ersin!
Brad
You should do a more in-depth video and cover things like what header SPF uses to validate the sending server (Mail-From), what headers are generally used to calculate the DKIM signature, why and how forwarders frequently break DKIM by changing headers, and what "alignment" actually means in regard to DMARC (the domains used to pass DKIM and SPF must match the domain in the "From" header).
You got me curious! Can you make a video?
@@_m.a-x I've thought about it. I want to figure out how to manually calculate and verify a DKIM signature first.
Excellent Explanation !! Thanks for the video. Just one query I had the receiving mail server quarantines or rejects mostly based on the DMARC settings published by the sender. So believe just like SPF and DKIM, DMARC is also queried to take that decision and we can always alter that decision at the DMARC policy-setting on our end too.
Yes, while domain owners can set their preferred quarantine/reject policies in their own DMARC records, SecurityGateway administrators can override those preferences to handle those messages based on their own needs.
Brad Wyro
MDaemon Technologies
This was an amazing tutorial! Thank you for showing real life scenario.
Thanks for commenting. Glad you found this tutorial useful!
Brad - MDaemon Technologies
I agree ☝️
We are looking to implement DMARC also and so this was a great explanation, nicely presented.
Cheers :)
Thanks Stefan. Glad you found it useful!
Brad
Thanks for sharing useful tutorial.
Very well explained. Excellent job.
Well explained, great flow. Thankyou very much
is that security gate way freetool
Clear and concise. Beautiful.
Thank you!
where could I have learned thist stuff, and how to have set it up from the beggining?
very useful with easy explanation , thank you
Thank you. I'm glad you found this video helpful!
Brad - MDaemon Technologies
Also a question - SPF alone has matching policies (hard, soft etc), same goes for DKIM. What is their role and effect when there is DMARC in place? If, say SPF dictates to allow all, while DKIM or DMARK policy says otherwise and is in direct conflict, which one action takes precedence?
Hello Max. I did some research on this and found that the recommend practices while deploying DMARC is to set your SPF policy to SOFTFAIL (~all) while your DMARC policy (p= tag) is set to p=none. Then, after you've had enough time to review your DMARC forensic & aggregate reports, set your SPF record to HARDFAIL (-all) and then, at that time, set your DMARC policy to p=quarantine or p=reject.
- Brad
Wonderfully explained!
Thanks for the clear tutorial, what about configuring the protection of SMTP itself? my application tries to send an email to SMTP and it gets always blocked by the ISP for spam related protection.
Are you using a business email account? What application are you using? Are you referring to your email client? If you are sending mail through your ISP from an on-premise mail server, or via a hosted email service, many ISPs block transmission on the standard SMTP port - port 25. Do you know what port you're using for SMTP?
Brad
Thanks for your tutorial, this was really helpful.
Glad you found it helpful!
Can you have spf and dkim configured in Office 365 and configure dmarc separately in Proofpoint? Or do all 3 have to be configured in one place?
DKIM, SPF & DMARC are all implemented via DNS records, so they are not product-specific. If mail from your domain is sent from both Office 365 and Proofpoint, then both would need to be included in your domain's SPF record, and both would need to be able to sign outbound messages with DKIM. Your DMARC record would simply tell receiving servers how to handle messages that don't properly align with DKIM & SPF.
Brad
Superb explanation
Interesting what they did (feels a bit like a hack) to 'fix' holes in the original SMTP protocol to deal with spam. I suspect that this does slow down mail processing a bit... No longer a 'Simple Mail Transfer Protocol' ....
very good sir
Please what are the general requirements to implement this in our organization?
Hello Yusuf. You will need to first implement DKIM and SPF. You will need to publish a DKIM (public) key to DNS, and sign outbound mail with the private DKIM key on your mail server or gateway. For SPF, you will need to set up an SPF record in DNS that designates servers that are authorized to send mail on behalf of your domain. Once DKIM & SPF have been implemented, you can then create a DMARC record and then deploy DMARC. Here's a webinar I conduced that provides an overview of how to deploy DMARC. It's a few years old, but the same concepts still apply.
ua-cam.com/video/vrMMKmxCmqs/v-deo.html
Brad Wyro
MDaemon Technologies
MDaemon Technologies thank you
Excellent video - thank you
Very well explained, good job!
Is there anyway to force DKIM and not SPF? In other words can DMARC be forced to use DKIM and ignore SPF? thanks
DMARC was designed to use both DKIM and SPF. If you've only implemented one or the other, then you could still use DMARC's reporting feature to receive aggregate & forensic reports indicating how your domain is being used. This article explains using DMARC with only SPF (and thus, it's the opposite scenario from what you're asking), but you may find some of its content helpful. dmarc.org/2017/03/can-i-use-dmarc-if-i-have-only-deployed-spf/
@@MDaemonTechnologies thank you
Thank you for the video, May I know the Security Gateway appliance is Hardware or software, give me the details about it. Thank you in advance.
SecurityGateway is software that runs on Windows. You can download it here: www.altn.com/Downloads/SecurityGateway-Free-Trial/
We also have hosted options, which you can learn about here: www.securitygatewayforemail.com/
If you need further assistance, I'll be happy to help.
Brad
@@MDaemonTechnologies Thank you very much for quick response.
This video is like teaching someone what water is made of and various variables of water and how it works when all I'm trying to do is learn how to swim. Do I really need to know all this extra stuff to just send an email? The answer is no, however just telling us how to utilize SPF, DKIM, and Dmarc would of been helpful.
Why dns record is created with name dkim. Shouldn't it be your selector name?
Yes, you are correct. It should be the name of your selector. I was just using DKIM as an example.
this is excellent guys. thank you
really nice video
Well explained, thank you, now understand this much better.
in this time of video (8:22) i notice that you had a txt record for DKIM which is not correct because you name it as "dkim" , i think it's not working in practical scenarios because it should be named like "selector.domainkey" otherwise recipient servers could not query this correctly (Based on my Test) , idk maybe you named it just for learning aspects. anyway thank for your great video
What stops the intruder from getting the public key from the DNS and setting it as the signature??
Hello Zanzhar. The message is not signed with anything that's publicly available in DNS. DKIM uses a "selector" to sign messages with the corresponding private key. The public key is there to provide the receiving servers performing DKIM verification (that have the emails containing the private key) something they can download and check against the private key, but those keys are not exact duplicates of each other, so a potential hacker can't simply take the public key from a signed message & use it to sign outbound messages.
- Brad
@@MDaemonTechnologies wow thank you Brad for the answer! Didn't expect that it'll be so fast 😮 much appreciated!
@@sanzhar.danybayev You're welcome. Please let us know if you have any other questions!
- Brad
@@MDaemonTechnologies now thanks to you everything is clear!
Just excellent tutorial.
DKIM SPF & DMARC will be a major issue for businesses & individuals in 2024. so many businesses are sending emails and emails are ending up in spam. going to be a lot disruptions for businesses and plenty of work for people in I.T. written in Jan 2024....
Great video, thanks!
Excellent
thank you very much! it helps me a lot:)
Thanks!
Good job, thank you!
Thank you!
Tks bro
SPF breaks email forwarding. Because the forwarding server is no longer allowed to deliver. Better use DKIM.
You could and should use both DKIM and SPF. Any server capable of forwarding mail on your behalf would need to be present in your SPF record either by name or IP.
Thank you.
Nice
Thanks!
dkim is not very clear
spf record generate , not understand , can u pls help
Hello Aniket. I've created a tutorial video that explains the SPF record creation process. You can watch it here: ua-cam.com/video/9rn1tXJ6HUk/v-deo.html
Brad
i wish people would stop saying, 'tools.'
Good video but i watched in 1.25x speed