Initial commit - 611 cybersecurity skills across all subdomains

This commit is contained in:
mukul975
2026-02-25 10:47:44 +01:00
commit 22a7ab1462
1765 changed files with 280648 additions and 0 deletions
@@ -0,0 +1,62 @@
# Standards & References: DMARC, DKIM, and SPF Email Security
## RFC Standards
- **RFC 7208 (SPF)**: Sender Policy Framework - authorizing sending hosts via DNS
- **RFC 6376 (DKIM)**: DomainKeys Identified Mail Signatures
- **RFC 7489 (DMARC)**: Domain-based Message Authentication, Reporting and Conformance
- **RFC 8301**: Cryptographic Algorithm and Key Usage Update to DKIM (mandates RSA 2048-bit minimum)
- **RFC 8616**: Email Authentication for Internationalized Mail
- **RFC 8617 (ARC)**: Authenticated Received Chain - preserving authentication through forwarding
- **RFC 7960**: Interoperability Issues between DMARC and Indirect Email Flows
- **RFC 6591**: Authentication Failure Reporting Using ARF
- **RFC 8601**: Authentication-Results header field
## NIST Guidelines
- **NIST SP 800-177 Rev.1**: Trustworthy Email - comprehensive email security deployment guide
- Section 4.3: Sender Policy Framework
- Section 4.4: DKIM
- Section 4.5: DMARC
- **NIST SP 800-45 Ver.2**: Guidelines on Electronic Mail Security
## Government Mandates
- **BOD 18-01 (CISA/DHS)**: Binding Operational Directive requiring all federal agencies to implement DMARC p=reject
- **UK NCSC Mail Check**: Mandates DMARC for government domains
- **Australian ASD Essential Eight**: DMARC listed as a mitigation strategy
## MITRE ATT&CK
- **T1566**: Phishing (all sub-techniques)
- **T1586.002**: Compromise Accounts: Email Accounts
- **T1585.002**: Establish Accounts: Email Accounts
## Industry Best Practices
- **M3AAWG DMARC Training Series**: Messaging Anti-Abuse Working Group deployment guide
- **DMARC.org Implementation Guide**: Step-by-step deployment methodology
- **Google Email Authentication Requirements (2024)**: Bulk senders must have SPF, DKIM, and DMARC
## SPF Syntax Reference
| Mechanism | Description | Example |
|---|---|---|
| `ip4:` | IPv4 address/range | `ip4:192.168.1.0/24` |
| `ip6:` | IPv6 address/range | `ip6:2001:db8::/32` |
| `include:` | Include domain SPF | `include:_spf.google.com` |
| `a` | Domain A record IPs | `a:mail.example.com` |
| `mx` | Domain MX record IPs | `mx` |
| `redirect=` | Use another domain's SPF | `redirect=_spf.example.com` |
| `-all` | Hard fail | Reject unauthorized |
| `~all` | Soft fail | Mark but deliver |
| `?all` | Neutral | No assertion |
## DMARC Tag Reference
| Tag | Required | Description | Values |
|---|---|---|---|
| `v` | Yes | Version | `DMARC1` |
| `p` | Yes | Policy | `none`, `quarantine`, `reject` |
| `rua` | No | Aggregate report URI | `mailto:reports@example.com` |
| `ruf` | No | Forensic report URI | `mailto:forensic@example.com` |
| `pct` | No | Percentage of messages | `0-100` (default 100) |
| `sp` | No | Subdomain policy | `none`, `quarantine`, `reject` |
| `adkim` | No | DKIM alignment | `r` (relaxed), `s` (strict) |
| `aspf` | No | SPF alignment | `r` (relaxed), `s` (strict) |
| `fo` | No | Failure reporting | `0`, `1`, `d`, `s` |
@@ -0,0 +1,124 @@
# Workflows: Implementing DMARC, DKIM, and SPF
## Workflow 1: Phased DMARC Deployment
```
Phase 1: Discovery (Weeks 1-2)
|
+-- Inventory all email-sending services
+-- Identify legitimate sources (marketing, transactional, internal)
+-- Audit current SPF/DKIM/DMARC records
|
Phase 2: SPF Setup (Weeks 2-4)
|
+-- Create SPF record with all authorized senders
+-- Start with ~all (soft fail) for monitoring
+-- Test with email validation tools
|
Phase 3: DKIM Setup (Weeks 3-5)
|
+-- Generate 2048-bit RSA key pairs per sending service
+-- Configure DKIM signing on MTA/email service
+-- Publish public keys in DNS
+-- Verify signatures with test emails
|
Phase 4: DMARC Monitor (Weeks 5-8)
|
+-- Deploy DMARC with p=none
+-- Set up aggregate report (rua) processing
+-- Monitor for 4+ weeks
+-- Identify and fix failing legitimate sources
|
Phase 5: DMARC Quarantine (Weeks 9-12)
|
+-- Move to p=quarantine at pct=10
+-- Gradually increase pct to 100
+-- Monitor false positives
|
Phase 6: DMARC Reject (Weeks 13+)
|
+-- Move to p=reject at pct=10
+-- Gradually increase to pct=100
+-- Ongoing monitoring and maintenance
```
## Workflow 2: SPF Record Construction
```
START: List all email sending sources
|
v
[Internal mail servers] --> ip4:x.x.x.x/y
|
v
[Cloud email (Google/M365)] --> include:_spf.google.com / include:spf.protection.outlook.com
|
v
[Marketing (Mailchimp, SendGrid)] --> include:servers.mcsv.net / include:sendgrid.net
|
v
[Transactional (SES, Postmark)] --> include:amazonses.com / include:spf.mtasv.net
|
v
[CRM (Salesforce, HubSpot)] --> include:_spf.salesforce.com / include:hubs.hubspot.com
|
v
[Combine all mechanisms, ensure < 10 DNS lookups]
|
v
[Add qualifier: ~all (monitor) or -all (enforce)]
|
v
[Publish TXT record at domain apex]
|
v
[Validate: mxtoolbox.com/spf.aspx]
```
## Workflow 3: DMARC Report Analysis
```
Daily DMARC aggregate reports (XML) received
|
v
[Parse XML reports with process.py]
|
v
[Categorize results]
|
+-- PASS (SPF + DKIM aligned) --> No action needed
|
+-- FAIL (unauthorized sender)
| |
| +-- Known service missing from SPF? --> Update SPF record
| +-- Known service missing DKIM? --> Configure DKIM signing
| +-- Unknown/suspicious sender --> Likely spoofing attempt
| |
| +-- Document source IPs
| +-- Add to threat intelligence
| +-- No SPF/DKIM changes needed (DMARC working correctly)
|
+-- PARTIAL PASS (SPF or DKIM only)
|
+-- Fix the failing mechanism
+-- Check for forwarding/mailing list issues (consider ARC)
```
## Workflow 4: Ongoing Maintenance
```
Monthly:
- Review DMARC aggregate reports for new unauthorized sources
- Verify all third-party senders still authorized
- Check SPF record is under 10 DNS lookup limit
Quarterly:
- Rotate DKIM keys (update selector)
- Review and update authorized sender inventory
- Test authentication with external validation tools
Annually:
- Full audit of email authentication configuration
- Review DMARC policy strictness
- Update documentation
```