[David Strom's Web Informant] Becoming master of my email domain

David Strom david at strom.com
Sun Nov 26 08:54:14 EST 2017


Web Informant, November 26, 2017: Becoming master of my email domain

The idea of being "master of your domain" I freely admit comes from that
infamous Seinfeld episode. But my usage is a bit different: it is mastering
your email infrastructure. (I know, not quite comparable.) Last week, I
wrote about how my work with Inky's Phish Fence <http://inky.com> was useful
to help spot scam email messages. This week I want to continue my search
for improving the email authentication protocols (SPF, DKIM and DMARC) of
my own domain. The two efforts are complementary.

I won't get into the specifics about these protocols; instead, check out
this post that I wrote about the topic for iBoss
<https://www.iboss.com/resources/blog/implementing-better-email-authentication-systems>
earlier this year. There I described the three protocols and how they interact with
each other. These protocols have been around for a while, and implementing
them isn’t easy and hasn’t been very popular, outside of perhaps
Google-administered email domains.

A recent survey from Barracuda
<https://blog.barracuda.com/2017/10/12/office-365-active-usage-soars-some-still-unclear-on-security/>
shows how the majority of folks haven’t yet set up anything in their
environments. Another survey from Agari
<https://www.agari.com/dmarc-report-fed/> (who sells
DMARC managed services, so they have something of a self-interest) says 82
percent of federal government domains lack DMARC protection. To try to fix
this, the feds are getting more serious about DMARC, requiring it across
all agency networks
<https://www.scmagazine.com/dhs-will-order-agencies-to-adopt-dmarc-https/article/700557/>
soon.

So I wanted to be able to lead by example and actually put these tools in
place on my own servers. That was easier said than done.

I first contacted Valimail <http://valimail.com/> in August. They have a
managed email authentication service and agreed to work with me to get me
set up. Valimail knows what they are doing in this space. As an example,
a few weeks ago one researcher posted how he could deliberately break some
DKIM records
<http://noxxi.de/research/breaking-dkim-on-purpose-and-by-chance.html> if he
created some oddball email messages. Turns out Valimail has this covered
and posted a counter reply
<https://blog.valimail.com/breaking-dkim-or-simply-misunderstanding-how-it-works-in-practice>.
They claimed that the researcher didn’t really understand how it was used
in practice.

And that is the issue: these *protocols are very, very hard to implement in
practice*. Getting my domains set up wasn’t easy: part of that was my fault,
and partly because this is a knotty area that has a lot of specific knobs
to turn and places where a misplaced comma can wreck your configuration. So
I am glad that I had them in my corner.

Let’s talk about what was my fault first. *I have two different Internet
providers for my domains*. First is GoDaddy, which registers my domains. I
have always felt it is a good idea to separate my content from my
registrar, which is where my second provider, EMWD.com, comes into play.
They host my blogs and mailing lists. The problem is that the three email
protocols touch on aspects of both what the registrar has to do and what
the content hosting provider has to do, and so I found myself going back
and forth between the two companies and their various web-based control
panels to add DNS entries and make other adjustments as I needed. For your
particular circumstances, that may not be necessary. Or it could be more
complicated, depending on how many individual domains (and sub-domains) you
own and how you have set up your email servers.

When you first sign on with Valimail, they run a report that shows how
messed up your email system is. Now right here I want to stop and explain
what I mean. Your email system is probably working just fine, and your
messages are flowing back and forth without any real issues. Except one:
they aren’t using the full power of the various authentication protocols
that have been developed over the years. If you don’t care about spam and
phishing, then stop right here. But if you do care — and you should — then
that means you need to get email authentication done correctly. That is the
journey that I have been on since this summer.

OK, back to my story. So I got a report from Valimail that showed I made
several mistakes in configuring my mail server. This is because it uses a
different domain (webinformant.tv) from the domain that I use for sending
individual emails (strom.com). Duh! It was embarrassing, after all these
years claiming to be this email “expert” (I did write a book on corporate
email use
<https://www.amazon.com/exec/obidos/ASIN/0139786104/davidstromswebin/> once
upon a time) and yet I still missed this very obvious mistake. But that is
why you hire outside consultants to help you learn about this stuff.
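
An added example, not part of the original newsletter and not Valimail's tooling: one way a two-domain setup like the one above can fail is DMARC identifier alignment, where SPF and DKIM pass for the sending server's domain but not for the domain in the From: header. The message dictionaries below are constructed (bounce.strom.com is a made-up host), and the organizational-domain rule is a simplification noted in the comments.

```python
# Added example: DMARC identifier alignment as described in RFC 7489.
# Simplification (assumption): the organizational domain is the last two
# labels, which holds for strom.com and webinformant.tv but not for suffixes
# such as co.uk; production code should consult the Public Suffix List.

def org_domain(domain):
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode="r"):
    """mode 'r' = relaxed (same organizational domain), 's' = strict (exact)."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def dmarc_result(msg, aspf="r", adkim="r"):
    """DMARC passes when SPF or DKIM passes AND is aligned with From:."""
    spf_ok = msg["spf"] == "pass" and aligned(msg["from"], msg["mail_from"], aspf)
    dkim_ok = any(result == "pass" and aligned(msg["from"], d, adkim)
                  for d, result in msg["dkim"])
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

# Constructed sample messages (not real headers). "from" is the From: header
# domain, "mail_from" the envelope sender checked by SPF, "dkim" a list of
# (d= domain, verification result) pairs.
LIST_MAIL = {   # list server authenticates only as its own domain
    "from": "strom.com", "mail_from": "list.webinformant.tv",
    "spf": "pass", "dkim": [("webinformant.tv", "pass")]}
SIGNED_MAIL = {  # same path, plus a DKIM signature for the From: domain
    "from": "strom.com", "mail_from": "list.webinformant.tv",
    "spf": "pass", "dkim": [("webinformant.tv", "pass"), ("strom.com", "pass")]}
SUBDOMAIN_MAIL = {  # envelope sender on a subdomain of the From: domain
    "from": "strom.com", "mail_from": "bounce.strom.com",
    "spf": "pass", "dkim": []}

if __name__ == "__main__":
    for name, msg in [("list", LIST_MAIL), ("signed", SIGNED_MAIL),
                      ("subdomain", SUBDOMAIN_MAIL)]:
        print(name, dmarc_result(msg))
    print("subdomain, aspf=s", dmarc_result(SUBDOMAIN_MAIL, aspf="s"))
```

The first message fails DMARC even though both checks report "pass", because neither authenticated domain matches the From: domain; the strict-mode call shows how a published `aspf=s` tightens the subdomain case.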

That wasn’t my only problem. Second, I was *using WordPress as my blogging
software*. Now, what does this have to do with email, you might ask? My
problem was I didn’t immediately make the connection either. Some of my
emails weren’t being authenticated properly, and it was only after further
investigation that I realized that the comments that were being collected by
my blog were the culprits. WordPress uses email to notify me of these
comments. Luckily, there is a plug-in for fixing this that was available.
Of course, it still took some effort to get it working properly. Like I
said, a lotta knobs to tweak.

This is why you want someone like Valimail to be working with you, because
the chances of making any errors are huge, and your email infrastructure
can be a bigger project than you realize, even for a small organization
such as my own operation.

I have one other technology piece in my mix. One of the reasons why I chose
EMWD is because they offer cheap but really *good hosting of Mailman*,
which is a Unix-era email server that I have been using for more than a
decade for my weekly Web Informant newsletters. It isn’t as fancy as
Mailchimp or some of the other more modern mailers, but I also am familiar
enough with its oddities that I feel comfortable using it. So any
DKIM/DMARC/SPF installation also had to make some changes to its parameters
too. Luckily, the folks at Valimail knew which ones to tweak.

So it took several months of elapsed time to work with Valimail to get
things correctly set up. And that is probably a good thing because
uncovering all the various applications that make use of email in oddball
ways will take some time, particularly if you are a decent-sized company.
Most of the elapsed time for my situation was because I was busy on other
matters, and also because it took me several tries to understand the scope
of what I had to do. Also, because Valimail’s typical customer is a larger
enterprise, they weren’t very familiar with the cPanel interface that EMWD
(like a lot of smaller ISPs) employs, or working with WordPress, so they
had a learning curve too.

The team that helped me was very patient, which was great because I did
need a lot of hand-holding (in the form of JoinMe meetings and screen
sharing sessions) to walk me through the various processes. But what this
demonstrated to me is how ingrained using email for various tasks can be,
even for a company of one employee.

Valimail complements Inky's Phish Fence because it is another way to
prevent phony emails from reaching your employees, and also from passing
through your email infrastructure to harm someone else. So I would urge you
to implement both technologies if you want to make an effort to reduce spam
and phishing. You might end up fixing some other email issues across your
enterprise along the way too.

Comments are always welcome <https://blog.strom.com/wp/?p=6211>.