Penetration testers play a critical role in identifying and addressing vulnerabilities in an organization’s security posture, including email security. By understanding DMARC and how it works, penetration testers can better evaluate an organization’s email security defenses and help ensure that their clients are protected against email-based attacks.
As per the Global DMARC Adoption Report-2019, 69.6% of the top 500 European Union internet retailer domains don’t use DMARC. Contemporary penetration testing drills poorly cover email security, and this needs to change for a safer digital landscape.
Why does Email Authentication Matter?
Penetration testing is the process of carrying out an authorized, simulated attack on a system’s IT infrastructure, including its email-sending domains, to find security vulnerabilities. There are three major reasons why email authentication matters for penetration testers.
Phishing Prevention
Bad actors take advantage of mailboxes that are not built with strong default security protocols. They trick and lure victims into sharing sensitive details by convincing them that the emails come from legitimate sources. Together, SPF, DKIM, and DMARC prevent this by allowing only authorized entities to send emails using your official domains.
Brand Image Protection
Email authentication matters for penetration testers because it prevents attacks attempted in your brand’s name, which in turn protects the brand’s image.
Enhanced Email Deliverability
Bounced emails not only hamper your PR, marketing, and sales campaigns but also lower your email deliverability rate. Email deliverability rate is the ability to deliver emails to recipients’ inboxes without them being marked as spam or bouncing back. Learn more about how email authentication helps improve email deliverability.
What are SPF, DKIM, and DMARC?
SPF, DKIM, and DMARC are email authentication protocols that verify an email sender’s authenticity, ensuring the message comes from the source it claims to. Domains that do not comply with them can find their emails marked as spam or bounced. Worse, threat actors can easily impersonate such domains and send fraudulent messages asking people to share sensitive details or make financial transactions.
How Does SPF Work?
SPF (Sender Policy Framework) lets a domain owner publish, in the domain’s DNS, the list of servers permitted to send email for that domain. Mail from any sending server outside that list fails the check and is flagged.
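As an added illustration (not code from the original article or from PowerDMARC), the following Python evaluates a sending IP address against an SPF record the way a receiving server does, restricted to the mechanisms that need no DNS lookup. The record and the IP addresses are constructed samples using documentation address ranges:

```python
import ipaddress

# Constructed sample record (documentation addresses, not a real zone).
SAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ip4:198.51.100.7 -all"

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
NEEDS_DNS = {"a", "mx", "include", "exists", "ptr", "redirect"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, value) triples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means 'pass' on match
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if ":" in term:
            mech, value = term.split(":", 1)
        elif "=" in term:  # modifiers such as redirect= and exp=
            mech, value = term.split("=", 1)
        else:
            mech, value = term, ""
        parsed.append((qualifier, mech.lower(), value))
    return parsed


def check_sender(record, sender_ip):
    """Evaluate sender_ip against record using only the DNS-free mechanisms.

    Returns 'pass', 'fail', 'softfail' or 'neutral'. The first a/mx/include/...
    term encountered returns 'unresolved:<mechanism>' because its verdict
    depends on a live DNS answer this offline example does not make.
    """
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, value in parse_spf(record):
        if mech == "all":
            return RESULT[qualifier]
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if net.version == ip.version and ip in net:
                return RESULT[qualifier]
        elif mech in NEEDS_DNS:
            return "unresolved:" + mech
    return "neutral"  # no match and no terminal 'all' term (RFC 7208 default)


if __name__ == "__main__":
    for ip in ("192.0.2.55", "198.51.100.8", "2001:db8:1::1"):
        print(ip, "->", check_sender(SAMPLE_SPF, ip))
    # A record ending in +all authorises every host on the internet.
    print("203.0.113.1 vs '+all' ->", check_sender("v=spf1 +all", "203.0.113.1"))
```

The terminal `all` term decides what happens to everything not listed: `-all` is a hard fail, `~all` is a softfail that many receivers still deliver, and `+all` or `?all` effectively authorises any sender, which is the first thing to check in a record audit. Only a `pass` result counts towards DMARC, so a softfail is as good as a fail for DMARC purposes.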
How Does DKIM Work?
DKIM (DomainKeys Identified Mail) lets domain owners digitally sign outgoing email headers so that receivers can verify them. DKIM is built on public-key cryptography: you generate a pair of keys, publish the public key in your DNS for open access, and keep the private key secret on the sending server, which uses it to sign each message.
The receiver’s server fetches the public key from DNS and uses it to check the signature; if the signature validates, DKIM verification passes, otherwise it fails. A DKIM policy also has a positive impact on email deliverability and anti-spam measures.
How Does DMARC Work?
DMARC is short for Domain-based Message Authentication, Reporting and Conformance. It works in coordination with SPF and DKIM.
DMARC tells the receiver’s mailbox how to treat emails sent from your domain that fail the SPF and/or DKIM verification checks. You choose one of three DMARC policies to decide this: p=none (no action is taken against emails failing authentication checks), p=quarantine (emails failing authentication checks are marked as spam), or p=reject (emails failing authentication checks bounce back).
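To make the policy logic concrete, here is an added Python example (not from the original article or from PowerDMARC). Given a DMARC record, the From: header domain and the SPF and DKIM results, it returns the disposition a receiving server would apply, including the identifier-alignment step that DMARC performs on top of the raw SPF/DKIM verdicts. The organizational-domain function is an assumed simplification that takes the last two labels; real verifiers consult the Public Suffix List. The record and domain names are constructed samples:

```python
def parse_dmarc(record):
    """Parse 'v=DMARC1; p=reject; ...' into a dict of tag -> value with defaults applied."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")     # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")      # relaxed SPF alignment by default
    tags.setdefault("pct", "100")
    tags.setdefault("sp", tags["p"])  # subdomain policy falls back to p
    return tags


def org_domain(domain):
    """Assumed simplification: organizational domain = last two labels.
    Real verifiers use the Public Suffix List (so example.co.uk is handled)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only the same organizational domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_disposition(record, from_domain, spf_result, spf_domain,
                      dkim_result, dkim_domain, is_subdomain=False):
    """Return (disposition, reason); disposition is 'pass', 'none',
    'quarantine' or 'reject'. spf_domain is the envelope (MAIL FROM) domain
    that SPF was checked against; dkim_domain is the d= tag of a signature
    that validated. Either aligned pass is enough for DMARC to pass."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "aligned " + ("SPF" if spf_ok else "DKIM") + " passed"
    policy = tags["sp"] if is_subdomain else tags["p"]
    return policy, "no aligned pass; policy applies to pct=" + tags["pct"] + "% of such mail"


# Constructed sample record; the domains are documentation names, not real zones.
SAMPLE_DMARC = ("v=DMARC1; p=reject; sp=quarantine; adkim=r; aspf=r; "
                "rua=mailto:dmarc-reports@example.com")

if __name__ == "__main__":
    # Legitimate mail sent through a bulk provider: SPF checks the provider's
    # envelope domain and does not align, but the DKIM signature from a
    # subdomain of example.com aligns under relaxed mode.
    print(dmarc_disposition(SAMPLE_DMARC, "example.com",
                            "fail", "bulk.example.net", "pass", "mail.example.com"))
    # Spoofed From: header. SPF passes only for the sender's own envelope
    # domain, so nothing aligns and the p=reject policy applies.
    print(dmarc_disposition(SAMPLE_DMARC, "example.com",
                            "pass", "attacker.example", "none", ""))
```

The second case is the one a DMARC misconfiguration hides: with p=none the same message would be delivered and only show up in aggregate reports, which is why a pen test report should flag p=none and a missing rua= tag as findings rather than as acceptable states.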
How Do Penetration Testers Exploit a DMARC Misconfiguration?
As a penetration tester, you can perform a simulated attack to detect the email authentication vulnerabilities of a domain under observation. This is how you may proceed.
Getting Your Domain
The first step is to obtain a domain on which to install a mail spoofer and send emails impersonating a business. You can use any domain provider that suits your requirements and budget.
Setting Up the Domain
Once you have the domain, add it to the DNS panel. Delete whatever is under the ‘DNS Management’ panel to simulate an attack, then replace the given nameserver on the domain service provider’s panel. You’ll receive an API key that goes into the configuration file used in the following steps.
Setting Up the VPS
Note that you may need to repeat this step if your VPS IP addresses have a poor reputation, since emails sent from such addresses are not delivered.
Since the setup doesn’t consume a lot of resources, an inexpensive VPS is enough for a properly running instance. Remember to set the hostname exactly to your domain name; otherwise, you won’t be able to simulate the attack.
Use the following commands:
apt-get update
apt-get install git docker-compose
Next, clone the GitHub repository and go to the newly created directory, where you have to edit the settings and add your domain and the API key.
When you’ve completed these steps, type ‘docker-compose up’ and wait for a few minutes to get your web server up.
Sending the Phishing Email
Lastly, send the phishing email to the targets to observe how the DMARC misconfiguration lets it through.
Pen Test Report
Now that you know enough about email authentication for penetration testers and how a DMARC misconfiguration is exploited, it’s important to draft a strong report after the simulated attack.
Here are four things to add to a professional pen test report.
1. Executive Summary for Strategic Direction
This is a high-level view of the risks and impact of the email authentication vulnerabilities, written in plain English (or any other preferred language). This part is usually for executives who may not be well-versed in technical terminology.
2. Explanation of Technical Risks
You need to rate the severity of each risk so that the IT team can act swiftly and effectively to patch the email system’s loopholes.
3. Potential Impact of Vulnerability
Email security risks are broken into two components: likelihood and potential impact. This helps the remediation team prioritize fixing vulnerabilities according to their potential impact.
4. Multiple Remediation Methods
Ensure the remediation methods you suggest go beyond disabling the domain or email accounts altogether. Include methods such as record lookups, SPF record flattening, stricter DMARC policies, etc.
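As an added example (not code from the original article or from PowerDMARC) of two remediation checks named above, the Python below counts the DNS-querying terms reachable from a domain’s SPF record and then flattens the include chain into literal ip4 terms. RFC 7208 limits SPF evaluation to 10 such lookups; beyond that the result is a permerror, which DMARC treats as a failure. The stand-in DNS and MX tables are constructed data, not live lookups:

```python
# Mechanisms and modifiers that cost a DNS query during SPF evaluation.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed stand-in for DNS TXT lookups (documentation names, not real zones).
FAKE_DNS = {
    "example.com": "v=spf1 include:mailer.example include:crm.example mx -all",
    "mailer.example": "v=spf1 ip4:192.0.2.0/24 include:relay.example ~all",
    "relay.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "crm.example": "v=spf1 ip4:203.0.113.10 ip4:203.0.113.11 -all",
}
# Constructed stand-in for MX -> address resolution.
FAKE_MX = {"example.com": ["192.0.2.25"]}


def lookup_count(domain, dns=FAKE_DNS, seen=None):
    """Count DNS-querying terms reachable from domain's SPF record."""
    seen = seen if seen is not None else set()
    if domain in seen:
        return 0  # guard against include loops
    seen.add(domain)
    count = 0
    for term in dns.get(domain, "").split()[1:]:
        mech, _, value = term.lstrip("+-~?").partition(":")
        if "=" in mech:  # redirect=domain and other modifiers
            mech, value = mech.split("=", 1)
        mech = mech.lower()
        if mech in LOOKUP_MECHANISMS:
            count += 1
            if mech in ("include", "redirect"):
                count += lookup_count(value, dns, seen)
    return count


def flatten(domain, dns=FAKE_DNS, mx=FAKE_MX):
    """Rewrite domain's record with include/mx terms replaced by the ip4/ip6
    terms they resolve to, keeping the top-level record's own 'all' qualifier.
    Limitation: 'a', 'ptr' and 'exists' terms are dropped, as this offline
    example has no A-record data for them."""
    ips = []

    def walk(d, seen):
        if d in seen:
            return
        seen.add(d)
        for term in dns.get(d, "").split()[1:]:
            mech, _, value = term.lstrip("+-~?").partition(":")
            mech = mech.lower()
            if mech in ("ip4", "ip6"):
                ips.append(term.lstrip("+-~?"))
            elif mech == "include":
                walk(value, seen)  # an included record's 'all' is never inherited
            elif mech == "mx":
                ips.extend("ip4:" + ip for ip in mx.get(d, []))

    walk(domain, set())
    top = dns[domain].split()
    all_term = next((t for t in top[1:] if t.lstrip("+-~?").lower() == "all"), "-all")
    unique = list(dict.fromkeys(ips))  # de-duplicate, preserving order
    return " ".join(["v=spf1"] + unique + [all_term])


if __name__ == "__main__":
    print("lookups before:", lookup_count("example.com"))
    flat = flatten("example.com")
    print("flattened:", flat)
    print("lookups after:", lookup_count("example.com", {"example.com": flat}))
```

Flattening removes the lookup cost but freezes the third-party addresses into your zone: whenever an included provider changes its ranges, the flattened record silently stops authorising them, so it has to be regenerated on a schedule. Stricter DMARC policies (moving from p=none to quarantine and then reject) should only follow once aggregate reports show that every legitimate source passes with aligned SPF or DKIM.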
Shielding Your Domain From Email Security Risks
Knowledge of email authentication is important for penetration testers protecting digital assets from phishing and spamming. DMARC deployment requires SPF and/or DKIM to be in place, since DMARC tells the receiver’s server how to deal with emails failing those authentication checks. You can set a none, quarantine, or reject policy.
PowerDMARC offers a free trial to help you get started with your DMARC journey toward a safer email environment. Reach out to us to know more.