An email address has two main parts. The local-part is the bit before the @-sign and the domain is the bit after it. Loosely, the domain part tells SMTP how to get an email to the destination mailserver while the local part tells that server whose mailbox to put it in. I’m just looking at the local part today, the “steve” in “steve@example.com”. Talkin’...
TLS certificates and CAA records
Transport Layer Security (TLS) is what gives you the little padlock in your browser bar. Some people still call it SSL, but TLS has been around for 18 years – it’s time to move on. TLS provides two things. One is encryption of traffic as it goes across the wire, the other is a cryptographic proof that you’re talking to the domain you think you’re talking to. The second...
FTC solicits CAN-SPAM feedback
The FTC (US Federal Trade Commission) is soliciting comments on CAN-SPAM legislation: A. General Issues 1. Is there a continuing need for the Rule? Why or why not? 2. What benefits has the Rule provided to consumers? What evidence supports the asserted benefits? 3. What modifications, if any, should be made to the Rule to increase its benefits to consumers? (a) What evidence supports the proposed...
DMARC doesn't fix Phishing
Not a new thing, but a nice example just popped up in my inbox on my phone. But FedEx solved their entire phishing problem when they published a strict p=reject DMARC record, right? This didn’t come from fedex.com. It came from another domain that looks vaguely like fedex.com – what that domain is doesn’t matter, as the domain it’s sent from isn’t displayed to...
Final migration of Verizon email addresses to AOL
AOL were kind enough to share some details about the shutdown of the Verizon mail system and the migration of @verizon.net email addresses to the AOL mail service: What is the cut-over date for the verizon.net MX record? The cut-over date for the mx record for verizon.net to be handled by AOL is June 20, 2017. This will occur after midnight sometime on Tuesday morning June 20 EDT. How...
Are they using DKIM?
It’s easy to tell if a domain is using SPF – look up the TXT record for the domain and see if any of them begin with “v=spf1”. If one does, they’re using SPF. If none do, they’re not. (If more than one does? They’re publishing invalid SPF.) AOL are publishing SPF. Geocities aren’t. For DKIM it’s harder, as a DKIM key isn’t published at a...
Protocol-relative URLs in email
When you link to an external resource – an image, a javascript file, some css style – from a web page you do so with a URL, usually something like “; or “;. The world is beginning to go all https, all the time, but until recently good practice was to make a web page available via both http and https. The problem is that if you try and load a resource from an http URL from...
ARC: Authenticated Received Chain
On Friday I talked a little about DMARC being a negative assertion rather than an authentication method, and also about how and when it could be deployed without causing problems. Today, how DMARC went wrong and a partial fix for it that is coming down the standards pipeline. What breaks? DMARC (with p=reject) risks causing problems any time mail with the protected domain in the From: field is...
The philosophy of DMARC
We know that legitimate email sent with valid SPF and a DKIM signature often breaks in transit. SPF will fail any time mail is forwarded – via a mailing list, a forwarding service used by the recipient, or just ad-hoc forwarding. DKIM will fail any time the message is modified in transit. That can be obviously visible changes, such as a mailing list tagging a subject header or adding a...
You're kidding me
All the authentication and DMARC in the world can’t save you from stupid. I just got a survey request from my bank. Or, at least, it claimed to be from my bank. From: Barclays International Banking Survey <internationalbanking@barclayssurveys.com> The mail passed SPF (though the SPF record suggests this is being mailed from all over the place) and was validly DKIM signed for...