SPF, DKIM, DMARC was never so simple! // EasyDMARC
ฝัง
- เผยแพร่เมื่อ 20 พ.ค. 2024
- In this video, I will be discussing the importance of outbound email security and how it can protect your company's reputation. I will introduce you to technologies such as SPF, DKIM, DMARC, and BIMI, and explain how they work together to prevent email fraud and spoofing. Additionally, I will be showcasing EasyDMARC, a cloud native service provider that offers advanced managed solutions for mid-sized to large enterprises, as well as free tools for Homelab users.
EasyDMARC-*: rebrand.ly/c2a262
________________
💜 Support me and become a Fan!
→ christianlempa.de/patreon
💬 Join our Community!
→ christianlempa.de/discord
________________
Read my Tech Documentation
christianlempa.de/docs
My Gear and Equipment-*
christianlempa.de/kit
________________
Timestamps:
00:00 Introduction
01:32 What is EasyDMARC?
02:50 You need outbound email security!
04:06 Connect your domain
05:41 SPF
12:52 DKIM
18:14 DMARC
22:45 BIMI
________________
All links with `*` are and/or include affiliate links. - วิทยาศาสตร์และเทคโนโลยี
![[LIVE] : ONE ลุมพินี 63 | คู่เอก "ยอดภูผา vs โซเนอร์"](http://i.ytimg.com/vi/RGVmBsegKEI/mqdefault.jpg)
Best video explaining these topics! You earned a new sub! Thank you.
Thank you so much! :)
Very nice clear guidance on what each is an how they work. Thanks for that.
Glad it was helpful!
Just in time! 🙂
And this is difficult info to find, so well and concisely explained. Thanks
Glad it was helpful!
This helped me understand spf, dkim and dmarc better. thx a lot!
glad it helped :)
18:40 Gmail does exactly that - it rejects emails from domains without an SPF record completely, and actually I think they do the right thing.
It is also worth noting that DMARC checks the authorisation for the domain in the From header, not the SMTP FROM (the envelope From) as SPF does. And that's important because the From header value is usually the only thing the recipient sees. So it helps combat phishing emails sent from the attacker's domain that have the correct SPF but a fake domain in the From header.
@Christian - I was wondering if you have ever setup a Hadoop environment. I've been really tempted with lookign to set one up for dealing with large amounts of data storage and processing.
BIMI costs money if they want the correct BIMI email security "add-on" topping :D. I am using the free version of BIMI, but you also forgot the also most important feature: MTA-STS, CAA, HSTS, and header security. Additionally, most people are reading and sending emails via a web browser, which leaves them vulnerable to man-in-the-middle attacks :)
Yeah, well... you can make a video about all of this, it's gonna be 1h+ :D
@@christianlempa I know, it's a huge topic :3 but the beauty of this is that not everyone is familiar with it. That's why I will always find my customers with it. :3
@@christianlempaNope, you just have to say BIMI brings no real benefit, because only a handful of mail providers are using this; it‘s expensive; and other protocols are far more sophisticated.
Just a few things:
- With an easy SPF, you could add more than 10 includes, but you would exceed the maximum of 255 characters allowed in one TXT record faster. So basically, you would have fewer includes there if you add them directly to your SPF.
- I wouldn't recommend generating private DKIM keys on a third-party provider's page if you are using them on your own systems.
Nevertheless, a great tutorial. I wish not only technically interested private individuals watch this, but also the 90/100 companies that still have their systems configured incorrectly :D I can't count the customers that remove other companies' domains from their spam filter instead of asking the sender to fix their SPF.
Thanks! Great tips btw :)
Thank you Christian!!
Thanks for watching :)
Where do I find the include record for a WIX website?
Very nice video, thank you Christian!
thank you!
Thank you, very useful!
Thanks!
And how can I use this with my Mailcow?
Thanks for the video. But as a homelab user, how could you fit in the free edition, its only supports one domain :)
Don't complain about free stuff bro :D
Thank you.
You're welcome!
I wish I'd known about the 10 include statement thing a couple weeks ago - spent a while trying to figure out why it was happening before I found that info. And it was because one of the services we allow to send on our behalf had added an additional include in THEIR spf record, because apparently that 10 lookup limit counts all the nested Includes.
Might have to look into that EasySPF - expand the extra lookups to IP addresses.
Wow, that's interesting! I haven't heard before either, but thanks to EasyDMARC for teaching me :D
Great video Christian. Very informative. How does easydmarc compare to valimail?
No idea, haven’t used valimail mysefl
At 1:43 where the easyDMARC site mentions 14 days data hιstory what does it mean? Afterwards the old incoming / sent emails will be lost?
In order to use SPF you need to have a static IP? Else your IP will change as well like the attackers. Or the ability to use a txt record bypasses that need?
Why all these records at cloudflare need not to be proxied?
I’m pretty sure the DMARC success/fail messages are only kept for 14 days. The IP address in the SPF record is the address of the smtp server*, so it’s not a problem if you send mail from a dynamic IP address. *technically, it might not be the same IP address
This is not an option for me because I have multiple domains and I don't want to pay dozens of SaaS providers for a single use case. These records are something that needs to be set up perfectly once, and I have no intention of changing anything after that. There are other ways of monitoring the MX.
Dns sec is also worth to have ;)
True!
when are you going to make a self SMTP server video?
Having just migrated from paid gmail to Microsoft 365 Family I would love to understand how people run their email as I'm not really satisfied with the M365 solution and how it supports custom domains. If you run your own email server I'd love to hear how you do that including the UI you use for email etc.
I'm currently using M365 myself because it's easy, and has many features for a fair price. But sure, you could also think about switching to Google Workspace, or run your own self-hosted mail server if you feel comfortable about it.
Nice vid, but there is also mta-sts policy.
thanks, yes that's true ;)
@@christianlempa Would you consider to create vid also for that? It's very easy to add txt record, but many don't know about it at all.
just as I gave up on setting up an email server :/
You can still use it with M365 or Google workspace
@@christianlempa Thank you! I’ll look into that :D, thanks for the great video!
@@christianlempa I use ProtonMail to host my own domain and works pretty well with their services. During the migration of my domain it took me step by step and ProtonMail made sure I've added the proper SPF, DMARC and DKIM records to my Cloudflare DNS to ensure my e-mails are received properly. Worked like a champ.
I am also Office 365 admin at work and had to dig around to find the DKIM settings. Thanks for pointing this out.
it seems the free plan changed from 10000 emails to 1000. this might be eaten up just by notifications in most homelabs so i guess no thank you as we will do it the way we have always done
sadly the free option is now switched to personal only
:(