Set up G Suite DKIM to prevent DMARC Failure in Gmail when using send-as email addresses with Secondary Domains/Domain Aliases
This post concerns DKIM’s impact on DMARC pass/fail when Gmail send-as email address aliases use G Suite secondary domains/domain aliases.
Assuming SPF and DMARC are present and correctly configured, DMARC checks will still fail on mail sent from Gmail when:
- DKIM is not enabled in G Suite (Apps -> G Suite -> Settings for Gmail -> Authenticate Email (DKIM)) for the secondary domains/domain aliases.
- Google will still automatically sign outgoing email messages when DKIM is not set up for that domain, and that is the issue: the DKIM-Signature d=”domain name” value is not aligned with (i.e. not the same as) the email Header “From” domain.
Don’t rely on online DMARC validators! Check the headers of emails you have actually sent:
Open the email headers of sent emails and look for:
- The Envelope From (i.e., Return-Path or Mail-From)
- The “Friendly” From (i.e., “Header” From)
- The d=domain in the DKIM-Signature
Regarding DMARC and DKIM alignment: check that the d=”domain name” in the DKIM-Signature header is identical to the Header From “domain name”. DMARC also checks SPF alignment, but I’m focussed on DKIM d=”domain name” and G Suite secondary domains/domain aliases for now.
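The header check described above, as an added example that is not part of the original post: it pulls the Envelope From, Header From and DKIM d= domains out of raw headers and evaluates DMARC identifier alignment in both relaxed and strict mode. The sample headers are constructed, the organisational-domain rule is simplified to the last two labels (real evaluators use the Public Suffix List), and the signature is assumed to verify; only alignment is tested.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from the original post): a Gmail send-as alias on a
# secondary domain whose DKIM-Signature carries a different d= domain.
MISALIGNED = """\
Return-Path: <user@primary.example>
From: Some User <user@secondary.example>
Subject: quarterly figures
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=primary.example;
 s=google; h=from:subject; bh=BODYHASH; b=SIGNATURE
"""
# The same message once DKIM is enabled for the secondary domain in G Suite.
ALIGNED = MISALIGNED.replace("d=primary.example", "d=secondary.example")

def domain_of(addr):
    """Domain part of an RFC 5322 address, lower-cased ('' if none)."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def org_domain(domain):
    """Organisational domain. Assumption/simplification: the last two labels.
    Real DMARC evaluators consult the Public Suffix List instead."""
    return ".".join(domain.split(".")[-2:])

def aligned(auth_domain, from_domain, mode="relaxed"):
    """DMARC identifier alignment: strict needs an exact match, relaxed
    only needs the same organisational domain."""
    if mode == "strict":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)

def check_alignment(raw_headers, mode="relaxed"):
    """Extract the three identifiers and report SPF/DKIM alignment.
    Assumes the DKIM signature verifies and SPF itself passes."""
    msg = message_from_string(raw_headers)
    from_domain = domain_of(msg.get("From", ""))
    spf_domain = domain_of(msg.get("Return-Path", ""))   # Envelope From
    dkim_domains = []
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)     # the d= tag
        if m:
            dkim_domains.append(m.group(1).lower())
    spf_aligned = bool(spf_domain) and aligned(spf_domain, from_domain, mode)
    dkim_aligned = any(aligned(d, from_domain, mode) for d in dkim_domains)
    return {"from": from_domain, "spf": spf_domain, "dkim": dkim_domains,
            "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            # DMARC passes when at least one aligned identifier authenticates
            "dmarc_pass": spf_aligned or dkim_aligned}
```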
How to enable DKIM for all secondary domains/domain aliases in G Suite
In the Google Admin Dashboard, go to Apps -> G Suite -> Settings for Gmail -> Authenticate Email (DKIM) and:
- Generate 2048-bit DKIM record values for every domain you’ve set up in your Gmail account to send-as from
- Create the DKIM DNS record with that domainkey selector and TXT record value in the relevant secondary domain/domain alias DNS zone
- Click “Start Authentication” after the new DKIM DNS record has had a chance to be refreshed and propagated
- If you see the green text “Authenticating email” with a green tick, DKIM is enabled.
A sobering thought, this: your Office 365 mailbox may be harbouring emails containing spear phishing and targeted attacks.
The free web-based Threat Scanner for Office 365 from Barracuda uses their Sentinel Artificial Intelligence engine to scan for threats already in your Office 365 account. It identifies advanced threats and includes information such as the sender of the threat and details about the threat, including what it is targeting.
As Barracuda describes here https://campus.barracuda.com/product/sentinel/doc/78807326/barracuda-email-threat-scanner-for-office-365/ – the free Barracuda Threat Scanner for Office 365 scans for
- Spear phishing attacks
- CEO fraud and employee impersonation
- Popular web service impersonation (Outlook, DocuSign, Dropbox, Apple)
- Account takeover attempts
Scan results are generated and a report sent to your registered email address within 24 hours.
Email was simpler back then. Pre-cloud era, all you had was a best in class firewall, a strong antivirus/antispam solution, and excellent security software covering every endpoint.
But these email security solutions are no longer enough. Email is by far the most important communications application and, correspondingly, the number-one method of carrying security breaches into organisations.
Adoption of best practice email security resilience measures is a big problem. An alarmingly high percentage of organisations are not on board with the basics: SPF, DKIM, DMARC reporting, and the advanced threat protection security solutions available today.
Where they are adopted, multi-layer intelligent AI-driven email security solutions are catching up in effectiveness.
So now hackers are starting to side-step improving security technology. How? By targeting humans. Social engineering is a dark capability, with no technology necessary – just soft skills!
Social engineering tricks staff into taking actions that compromise organisational security. Exploitation of human vulnerabilities and foibles has turned into the number-one most effective strategy for attackers.
For example, email fraud targets key staff with direct access to corporate financial data and decision-making power. Their email addresses are impersonated or literally hacked and taken over, then used to send instructions to colleagues internally that carry the weight of the impersonated sender’s organisational authority.
A Holistic Organisation-Wide Cyber Security Strategy
Technology-based defenses with threat intelligence to combat email attacks are critical and non-negotiable, but today threat protection technologies are just one pillar of an overarching security strategy.
If hackers use a combination of technical and non-technical (i.e. human-to-human!) strategies to breach security, then everyone’s a stakeholder: every staff member has a role to play in cyber resilience to email fraud. All end-users need enrollment in a security awareness program. Some end-users are more phish-prone than others, but move forward on the principle that all staff are targets, so all staff will benefit from increased security awareness.
A holistic email security solution should prevent email-based attacks before they occur, and must then consider email continuity and email recoverability. What is the plan to keep business email communications operating if email is down? Sending and receiving email during a business-wide email system outage must be a scenario planned for.
If emails are lost, the capability to restore email at the required granularity is required, from individual emails and mailboxes through to email-system-wide restoration.
Technology is only one part of an Email Security Strategy
Email security’s weakest link is people. Respond to this reality by raising staff awareness of their role in a comprehensive email security strategy. Train for a healthy wariness when it comes to evaluating emails containing –
- Email links and attachments
- Domain spoofing and impersonation
- User impersonation
- Links to fake online applications
Keeping email security top of mind is now non-negotiable for all employees. Attackers leverage humans to side-step security technology. So create a security culture at work that sets the tone for how email is used.
For an overview on Microsoft Azure Files and Azure File Sync a great resource to understand and learn more can be found at this link:
Azure Files with Azure File Sync is a game-changer. Microsoft’s offering provides an authoritative answer and direction for the cloud-as-a-business-file-server dilemma, which is:
How do you centralize your company’s file shares in the cloud, but at the same time keep the performance of an on-premises file server?
While not first to answer this question, Microsoft’s authority and credibility legitimizes the cloud-as-a-fileserver strategy with Azure Files and Azure File Sync.
So what is a hacker to do if corporate security defenses are becoming more effective? Companies are adopting more sophisticated multi-layered security technologies and processes.
Businesses are ramping up their investment in security to protect themselves. Two-factor authentication, quicker operating system patching, firewalls, endpoint protection everywhere, email and web protection: advanced security measures are increasing in sophistication and effectiveness.
Increasingly, cybercriminals are going after the softest target: me and you. The human attack surface, with its wildly variable and fallible behaviour.
To illustrate how the human factor is the cyber attacker’s holy grail, here are some fun (not) findings from proofpoint’s Human Factor 2018 Report.
- Social engineering is the hacker’s key to phishing success. Not technology. A critical point, as social engineering is person-to-person. It neatly sidesteps all those expensive advanced security technologies and engages directly with us folks. Humans who are gullible, easily deceived, under-trained, probably tired, busy, certainly curious, want to help, and have fingers that left-click quicker than their brain engages.
- A fun proofpoint recommendation: Use phishing simulations to see who in your business falls for it. Find out who clicks then make an example of them (ok proofpoint didn’t say that last part).
- Business Email Compromise (BEC) almost totally relies on analogue person-to-person strategies. None of the usual signs such as malicious links and attachments. The email message doesn’t get caught by standard security filtering, and instead uses convincing language to trick the recipient into taking the desired insecure action (the requisite “bean spillage”, i.e. pay an invoice, transfer money). Phone calls and other communications are commonly used during the attacker’s research phase to uncover the key players in an organisation. It’s social engineering to find names and roles, most often C-level and the finance department, and any action that persuades the victim that the disclosure of sensitive information and the sending of money is legitimate and authorized.
Human nature is always the biggest vulnerability. Check out the Human Factor 2018 Report from proofpoint here.
Gmail’s anti-phishing capabilities have been around since April 2018 in Australia. I’m just not seeing the uptake these new email safety features deserve.
I’m going to stay on point in this blog with Cloud Admin’s current focus on email authentication and email spoofing (SPF, DKIM, DMARC). So my focus is on the Gmail Safety section “Spoofing and Authentication”.
The other 2 sections in G Suite Admin under Apps > G Suite > Gmail > Safety, “Attachments” and “Links and external images”, are just as important! These email security settings need equal attention. I’m doing a disservice to the criticality of the new settings addressing how attachments are the attack vector of choice, so be sure to configure these new settings as well.
Back to “Spoofing and Authentication” for this post.
Scroll down and click on “Safety”, under G Suite Admin Console’s Gmail settings.
“Spoofing and Authentication” Gmail Settings Safety Section
- Choose customize settings in the Spoofing and Authentication section.
- For each safety setting (listed below) in this section, I recommend choosing the option “Keep email in inbox and show warning” from the drop-down option list. Make sure this option is manually chosen, as it’s the default for some options and not for others.
- Once you’ve lived with the emails “delivered to your inbox with warning” for a while, AND you know your SPF, DKIM, and DMARC configuration is working for your domain, revisit the settings and re-configure your preferred option for each setting. For example the setting “protect against inbound emails spoofing your domain” is a straightforward choice: change the option to send those emails straight to spam.
The safety options are (to choose option “Keep email in inbox and show warning”):
- Protect against domain spoofing based on similar domain names
- Protect against spoofing of employee names
- Protect against inbound emails spoofing your domain
- Protect against any unauthenticated emails – not authenticated (SPF or DKIM)
Why choose “Keep email in inbox and show warning”?
Any emails picked up by the new safety settings still arrive in your inbox like before, but now they come with a warning!
You get to learn what Gmail’s safety measures are doing with the enabled safety settings – specifically regarding phishing attacks due to spoofing and unauthenticated emails.
Email security is an evolving space, and not all email providers support best practice email authentication measures, so you’ll need to choose the option to still deliver the email to your inbox, accompanied now with a warning.
As I said, live with the option to “keep email in inbox and show warning” for a while, then reconfigure your Gmail Safety Settings to your preferences.
You can read more here: https://support.google.com/a/answer/7577854
Learn how to prevent outgoing spam in Google G Suite with DMARC. Google is a key DMARC standard participant, thankfully, as a significant percentage of all email traffic passes through Google’s email infrastructure.
Given Google’s DMARC support, implementation of the DMARC email authentication protocol is a no-brainer and will help you regain control over spammers spoofing your email, who do this by impersonating your “From:” email address.
Learn more about DMARC for Google G Suite by clicking this link: https://support.google.com/a/answer/2466580#
Then to learn how to add DMARC to your business email domain, go here: https://support.google.com/a/answer/2466563?
Office 365 has a compelling suite of security features. In fact you can justify migrating your business email to Office 365 (Exchange Online) from a security perspective alone, to ramp up your security best practices.
Email protection and authentication in Office 365 requires manual work. Deterring email spoofing (impersonating your email “from” address) starts with the SPF, DKIM, and DMARC email authentication standards.
- To set up SPF in Office 365 to prevent spoofing: https://docs.microsoft.com/en-us/office365/securitycompliance/set-up-spf-in-office-365-to-help-prevent-spoofing
- To set up DKIM in Office 365 to validate your outgoing email from your business domain: https://docs.microsoft.com/en-us/office365/securitycompliance/use-dmarc-to-validate-email
- DMARC depends on SPF and DKIM to work. Once SPF and DKIM are configured, tested, and working – don’t forget DMARC.
When it comes to email spoofing, you can’t fix what you don’t know is happening.
Plainly put, spoofing is the very uncool act of sending email using someone else’s email address as the “from” address. This is so that the receiver of the message thinks the message is legit, to “sell” the receiver the lie that it’s coming from someone other than the actual sender. People are naturally more likely to read email if they think the sender is above-board.
Enter DMARC – a work in progress email authentication and reporting standard.
DMARC is a way to make it easier for email senders and receivers to determine whether or not a given message is legitimately from the sender, and what to do if it isn’t. This makes it easier to identify spam and phishing messages, and keep them out of inboxes.
Never mind the work in progress, DMARC is used by all the big players. Given Gmail, Office 365, and other email providers dominate email traffic, informed consensus says DMARC really is non-negotiable today.
How else can you get reporting on all messages that claim to come from your domain? Only from email providers/email systems who’ve implemented the DMARC standard. You’ll get reports on how many illegitimate messages are using your domain, and where the emails are coming from.
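The reporting described above arrives as DMARC aggregate (rua) XML reports. As an added example that is not part of the original post, this parses one such report and totals, per sending IP, how many messages claiming your domain passed or failed DMARC, so unknown sources stand out. The report XML is constructed sample data in the layout of the RFC 7489 aggregate report schema, using documentation IP ranges.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample aggregate report (not a real report): one known sender
# passing DMARC and one unknown source failing both DKIM and SPF.
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name><report_id>constructed-1</report_id>
  </report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>42</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>5</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>
"""

def summarise(xml_text):
    """Per-source-IP counts of messages that passed or failed DMARC.
    policy_evaluated dkim/spf are the alignment-aware results, so a DMARC
    pass means at least one of them is 'pass'."""
    root = ET.fromstring(xml_text)
    totals = defaultdict(lambda: {"pass": 0, "fail": 0})
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        ev = rec.find("row/policy_evaluated")
        passed = "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        totals[ip]["pass" if passed else "fail"] += count
    return {"domain": root.findtext("policy_published/domain"),
            "policy": root.findtext("policy_published/p"),
            "sources": dict(totals)}

def failing_sources(summary):
    """IPs that sent mail claiming the domain but failed DMARC: the list to
    review for either spoofing or a legitimate sender missing from SPF/DKIM."""
    return sorted(ip for ip, c in summary["sources"].items() if c["fail"] > 0)
```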
Find out if your email address is backed by best practice email security and authentication measures: https://dmarcian.com/dmarc-inspector/
Learn more about DMARC at https://dmarc.org