Enable SPF, DKIM and DMARC mail security features for O(1) Labs Domains

[O1ahmad]

Overview:

In order to protect the integrity of O(1) Labs' mail correspondence and delivery pipeline from spammers who might attempt to spoof or send emails that only appear to come from O(1)'s trusted domain, it makes sense to ensure our mail and DNS host providers are properly configured for and make use of the following key anti-spoofing techniques available:

• Sender Policy Framework (SPF) : lists the mail servers that can send email from your domain.

• DomainKeys Identified Mail (DKIM): adds an encrypted signature to the header of all outgoing messages. Email servers that get signed messages use DKIM to decrypt the message header, and verify the message was not changed after it was sent.

• Domain-based Message Authentication, Reporting, and Conformance (DMARC) : ensures Incoming messages must be authenticated by SPF, DKIM, or both in addition to the authenticated domain aligning with the domain in the message From: header address.

Goals:

Ensure o1labs.org and codaprotocol.com DNS bindings are configured with the following:

• [x] SPF TXT records
• [x] DKIM TXT records
• [ ] DMARC TXT records

[O1ahmad]

Mail Provider:

• G-Suite

DNS host providers:

• o1labs.org: Namecheap | guide
• codaprotocol.com: Netlify

[emberian]

@0x0I do you already have a DMARC policy in mind? who will be receiving the reports?

[yourbuddyconner]

@emberian I would imagine we'd set up a security@o1labs.org address and receive them there if the generic contact@ email is insufficient.

This will also likely have an ancillary benefit of helping us diagnose issues with marketing emails and all that jazz.

[O1ahmad]

Hey @emberian: I do for the most part though figured a discussion makes sense (in some channel) to source ideas and synchronize on a plan going forward. This is meant to be that launchpad, in a sense, but figured I'd resolve the pubkey generation/admin privileges step to start.

I meant to link to support documentation which provides a recommended plan (e.g. including gradual deploys, limiting initial policy set, etc).

But yea, as far as details regarding recipients of violations, etc, something along the lines of what @yourbuddyconner suggested makes sense (akin to a machine account).

[O1ahmad]

Updates:

• SPF TXT record has been added for o1labs.org (via Namecheap)
• DKIM TXT record added for o1labs.org domain (via Namecheap)
• DKIM TXT record NOT added for codaprotocol.com domain (not believed to receive mail traffic)

[O1ahmad]

Next Steps:

1. @o1brad + Ahmad to follow-up w/ enabling DKIM signing for o1labs.org GSuite mail traffic (via GSuite admin console)
2. validation steps [6-9] (from signing support doc) to be performed by @o1brad + Ahmad following signing with messaging to org re: success of activation
3. work with operations/infra to create a mailto email address to serve as a Reporting URI(s) for aggregate data (rua) -- necessary for DMARC setup.
4. Discuss and sync on DMARC policy with operations/infra - policy notes:
   • (v)DMARC protocol version is required (must == DMARC1)
   • (p)suspicious message policy handler is required (may make sense to start with none/log)
   • (sp) policy handler for subdomains (seems like it should currently match p)
   • (pct)percentage of suspicious messages above (p)olicy applies to (100% seems reasonable...)
   • (rua) violations reporting address (set to product of step #3)
   • remaining defaults appear reasonable

[O1ahmad]

Example DMARC TXT Record for o1labs.org:

Name: dmarc.o1labs.org Value:v=DMARC1; p=none; rua=mailto:security-reports@o1labs.org; pct=100; sp=none

[O1ahmad]

DKIM TXT record for o1labs.orgs:

$ dig google._domainkey.o1labs.org TXT

; <<>> DiG 9.11.18-RedHat-9.11.18-1.fc32 <<>> google._domainkey.o1labs.org TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4265
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google._domainkey.o1labs.org.  IN      TXT

;; ANSWER SECTION:
google._domainkey.o1labs.org. 1799 IN   TXT     "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhjEaLC6UEoDoJEzNc5jCCco6rxzpOlx7M8ru1+KGvSvCT1GL+zCT1rcmSqJvyWlbNcMAG+J+IcTJCH+S05EiZIfdgt2fDFveoLJJYhTNuOhsL+x5sWcKI4VmcLkklGvaZzpCew1nuhJLwMOpzgdZTUeROViXNPiNRJagbsTyXCm+dv4+yGunBTiw4Lu9wmodJ" "1bzFhAeSYKjfN3XyRzYD9NjL1oPOgZPvWPMzoXoVnr5uJON0xyNHVrzT6xGX8yJ4oPYxpdaG2sjlera8rifQydikrMS5piZEN3DUDziRucSKOBscAjvYQ+uz6WiabLYoI062e7tkS0rhtYFncVa1QIDAQAB"

;; Query time: 81 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: Tue Jun 02 18:18:19 EDT 2020
;; MSG SIZE  rcvd: 481```

[O1ahmad]

@o1brad @bkase blocked due to upcoming changes?

[o1brad]

DKIM and SPF are enabled. I don't think we need to prioritize enabling DMARC.