Closed O1ahmad closed 5 months ago
@0x0I do you already have a DMARC policy in mind? who will be receiving the reports?
@emberian I would imagine we'd set up a security@o1labs.org address and receive them there if the generic contact@ email is insufficient.
This will also likely have an ancillary benefit of helping us diagnose issues with marketing emails and all that jazz.
Hey @emberian: I do for the most part, though I figured a discussion makes sense (in some channel) to source ideas and synchronize on a plan going forward. This is meant to be that launchpad, in a sense, but I figured I'd resolve the pubkey generation/admin privileges step to start.
I meant to link to support documentation which provides a recommended plan (e.g. including gradual deploys, limiting initial policy set, etc).
But yeah, as far as details regarding recipients of violations, etc. go, something along the lines of what @yourbuddyconner suggested makes sense (akin to a machine account).
Updates:
Next Steps:
Example DMARC TXT Record for o1labs.org (published at the `_dmarc` label of the domain):

```
Name:  _dmarc.o1labs.org
Value: v=DMARC1; p=none; rua=mailto:security-reports@o1labs.org; pct=100; sp=none
```
DKIM TXT record for o1labs.org:

```
$ dig google._domainkey.o1labs.org TXT

; <<>> DiG 9.11.18-RedHat-9.11.18-1.fc32 <<>> google._domainkey.o1labs.org TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4265
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google._domainkey.o1labs.org. IN TXT

;; ANSWER SECTION:
google._domainkey.o1labs.org. 1799 IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhjEaLC6UEoDoJEzNc5jCCco6rxzpOlx7M8ru1+KGvSvCT1GL+zCT1rcmSqJvyWlbNcMAG+J+IcTJCH+S05EiZIfdgt2fDFveoLJJYhTNuOhsL+x5sWcKI4VmcLkklGvaZzpCew1nuhJLwMOpzgdZTUeROViXNPiNRJagbsTyXCm+dv4+yGunBTiw4Lu9wmodJ" "1bzFhAeSYKjfN3XyRzYD9NjL1oPOgZPvWPMzoXoVnr5uJON0xyNHVrzT6xGX8yJ4oPYxpdaG2sjlera8rifQydikrMS5piZEN3DUDziRucSKOBscAjvYQ+uz6WiabLYoI062e7tkS0rhtYFncVa1QIDAQAB"

;; Query time: 81 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: Tue Jun 02 18:18:19 EDT 2020
;; MSG SIZE rcvd: 481
```
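As an added example (not code from this thread or from O(1) Labs), a small offline checker that parses the DMARC record and the DKIM record quoted above the way a verifier would, and reports what a reviewer would look for before tightening the policy: a `p=none` monitoring-only policy, a missing `rua=` report address, a revoked DKIM key, and the RSA key size, which it reads out of the `p=` SubjectPublicKeyInfo with a minimal DER walk. The record values are copied from the comment above; the function and finding names are the example's own.

```python
import base64

# Constructed inputs: the two records quoted in this thread (the DKIM TXT's two 255-byte strings are concatenated, as a verifier does).
DMARC_RECORD = "v=DMARC1; p=none; rua=mailto:security-reports@o1labs.org; pct=100; sp=none"
DKIM_RECORD = ("v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhjEaLC6UEoDoJEzNc5jCCco6rxzpOlx7M8ru1+KGvSvCT1GL+zCT1rcmSqJvyWlbNcMAG+J+IcTJCH+S05EiZIfdgt2fDFveoLJJYhTNuOhsL+x5sWcKI4VmcLkklGvaZzpCew1nuhJLwMOpzgdZTUeROViXNPiNRJagbsTyXCm+dv4+yGunBTiw4Lu9wmodJ"
               "1bzFhAeSYKjfN3XyRzYD9NjL1oPOgZPvWPMzoXoVnr5uJON0xyNHVrzT6xGX8yJ4oPYxpdaG2sjlera8rifQydikrMS5piZEN3DUDziRucSKOBscAjvYQ+uz6WiabLYoI062e7tkS0rhtYFncVa1QIDAQAB")

def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record into a dict (DMARC and DKIM share the syntax)."""
    return {key.strip(): value.strip() for key, value in
            (part.split("=", 1) for part in record.split(";") if "=" in part)}

def _der(buf, pos=0):
    """Read one DER TLV at pos; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length

def rsa_key_bits(spki_b64):
    """Modulus size, in bits, of the SubjectPublicKeyInfo carried in a DKIM p= tag."""
    _, spki, _ = _der(base64.b64decode(spki_b64))  # SubjectPublicKeyInfo SEQUENCE
    _, _, after_alg = _der(spki)                   # skip the AlgorithmIdentifier
    _, bitstr, _ = _der(spki, after_alg)           # BIT STRING; first byte = unused bits
    _, rsa_key, _ = _der(bitstr[1:])               # RSAPublicKey SEQUENCE
    _, modulus, _ = _der(rsa_key)                  # INTEGER modulus (may carry a 0x00 pad)
    return int.from_bytes(modulus, "big").bit_length()

def review_dmarc(record):
    """Findings a reviewer would raise before tightening a DMARC policy."""
    tags, findings = parse_tags(record), []
    policy = tags.get("p")
    if tags.get("v") != "DMARC1" or policy not in ("none", "quarantine", "reject"):
        findings.append(f"malformed record: v={tags.get('v')!r}, p={policy!r}")
    elif policy == "none":
        findings.append("p=none: monitoring only, receivers will not act on failures")
    if not tags.get("rua"):
        findings.append("no rua= address: aggregate reports will not be delivered")
    return findings

def review_dkim(record):
    """Findings for a DKIM selector record: revoked key or a key too short to trust."""
    tags, findings = parse_tags(record), []
    if not tags.get("p"):
        findings.append("empty p=: key is revoked, mail signed with it will fail DKIM")
    elif tags.get("k", "rsa") == "rsa" and rsa_key_bits(tags["p"]) < 1024:
        findings.append("RSA key shorter than 1024 bits: receivers may ignore the signature")
    return findings
```

Running `review_dmarc(DMARC_RECORD)` reports only the monitoring-only policy, and `rsa_key_bits` on the published key returns 2048, so the DKIM side needs no change while the DMARC policy is the part still to be tightened.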
@o1brad @bkase blocked due to upcoming changes?
DKIM and SPF are enabled. I don't think we need to prioritize enabling DMARC.
Overview:
In order to protect the integrity of O(1) Labs' mail correspondence and delivery pipeline from spammers who might attempt to spoof or send emails that only appear to come from O(1)'s trusted domain, it makes sense to ensure our mail and DNS host providers are properly configured for and make use of the following key anti-spoofing techniques available:
- Sender Policy Framework (SPF): lists the mail servers that can send email from your domain.
- DomainKeys Identified Mail (DKIM): adds an encrypted signature to the header of all outgoing messages. Email servers that get signed messages use DKIM to decrypt the message header, and verify the message was not changed after it was sent.
- Domain-based Message Authentication, Reporting, and Conformance (DMARC): ensures incoming messages are authenticated by SPF, DKIM, or both, in addition to the authenticated domain aligning with the domain in the message From: header address.
Goals:
Ensure o1labs.org and codaprotocol.com DNS bindings are configured with the following: