wmunyan
commented
5 years ago Inputs:
- DMARC policy
- TXT record published in DNS
- The Mail Transfer Agent used by the organization (this could indiate DKIM is used to sign outgoing messages)
- The Mail User Agent used by the organization (this could indicate DKIM is used to verify incoming messages)
Assumption(s):
- The DMARC configuration policy includes instructions to produce either Aggregate (rua) or Forensic (ruf) reports.
- The organization has access to these reports either daily (for Aggregate) or in real-time (for Forensic).
Operations:
- Examine the TXT records in DNS for a
vvalue indicating DMARC - Examine the TXT records in DNS for a
vvalue indicating SPF - Examine the TXT records in DNS for a
vvalue indicating DKIM
Measures:
- M1 = 1 if Input 1 exists and Operation 1 indicates the use of DMARC
- M2 = 1 if Operation 2 indicates the use of SPF
- M3 = 1 if Operation 3 indicates the use of DKIM
Metrics:
- M1 AND M2 AND M3
NOTE: Policy enforcement can be checked via Aggregate or Forensic DMARC reports and automation can be applied to these reports in order to alert administrators of DMARC/SPF/DKIM failures along with associated Source IPs and Domains.
https://en.wikipedia.org/wiki/DMARC https://en.wikipedia.org/wiki/Sender_Policy_Framework https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail
To lower the chance of spoofed or modified emails from valid domains, implement Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by implementing the Sender Policy Framework (SPF) and the Domain Keys Identified Mail (DKIM) standards.
Measures
Metrics