mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-13 19:05:17 +03:00
Initial commit - 611 cybersecurity skills across all subdomains
This commit is contained in:
@@ -0,0 +1,62 @@
|
||||
# Standards & References: DMARC, DKIM, and SPF Email Security
|
||||
|
||||
## RFC Standards
|
||||
- **RFC 7208 (SPF)**: Sender Policy Framework - authorizing sending hosts via DNS
|
||||
- **RFC 6376 (DKIM)**: DomainKeys Identified Mail Signatures
|
||||
- **RFC 7489 (DMARC)**: Domain-based Message Authentication, Reporting and Conformance
|
||||
- **RFC 8301**: Cryptographic Algorithm and Key Usage Update to DKIM (mandates RSA 2048-bit minimum)
|
||||
- **RFC 8616**: Email Authentication for Internationalized Mail
|
||||
- **RFC 8617 (ARC)**: Authenticated Received Chain - preserving authentication through forwarding
|
||||
- **RFC 7960**: Interoperability Issues between DMARC and Indirect Email Flows
|
||||
- **RFC 6591**: Authentication Failure Reporting Using ARF
|
||||
- **RFC 8601**: Authentication-Results header field
|
||||
|
||||
## NIST Guidelines
|
||||
- **NIST SP 800-177 Rev.1**: Trustworthy Email - comprehensive email security deployment guide
|
||||
- Section 4.3: Sender Policy Framework
|
||||
- Section 4.4: DKIM
|
||||
- Section 4.5: DMARC
|
||||
- **NIST SP 800-45 Ver.2**: Guidelines on Electronic Mail Security
|
||||
|
||||
## Government Mandates
|
||||
- **BOD 18-01 (CISA/DHS)**: Binding Operational Directive requiring all federal agencies to implement DMARC p=reject
|
||||
- **UK NCSC Mail Check**: Mandates DMARC for government domains
|
||||
- **Australian ASD Essential Eight**: DMARC listed as a mitigation strategy
|
||||
|
||||
## MITRE ATT&CK
|
||||
- **T1566**: Phishing (all sub-techniques)
|
||||
- **T1586.002**: Compromise Accounts: Email Accounts
|
||||
- **T1585.002**: Establish Accounts: Email Accounts
|
||||
|
||||
## Industry Best Practices
|
||||
- **M3AAWG DMARC Training Series**: Messaging Anti-Abuse Working Group deployment guide
|
||||
- **DMARC.org Implementation Guide**: Step-by-step deployment methodology
|
||||
- **Google Email Authentication Requirements (2024)**: Bulk senders must have SPF, DKIM, and DMARC
|
||||
|
||||
## SPF Syntax Reference
|
||||
|
||||
| Mechanism | Description | Example |
|
||||
|---|---|---|
|
||||
| `ip4:` | IPv4 address/range | `ip4:192.168.1.0/24` |
|
||||
| `ip6:` | IPv6 address/range | `ip6:2001:db8::/32` |
|
||||
| `include:` | Include domain SPF | `include:_spf.google.com` |
|
||||
| `a` | Domain A record IPs | `a:mail.example.com` |
|
||||
| `mx` | Domain MX record IPs | `mx` |
|
||||
| `redirect=` | Use another domain's SPF | `redirect=_spf.example.com` |
|
||||
| `-all` | Hard fail | Reject unauthorized |
|
||||
| `~all` | Soft fail | Mark but deliver |
|
||||
| `?all` | Neutral | No assertion |
|
||||
|
||||
## DMARC Tag Reference
|
||||
|
||||
| Tag | Required | Description | Values |
|
||||
|---|---|---|---|
|
||||
| `v` | Yes | Version | `DMARC1` |
|
||||
| `p` | Yes | Policy | `none`, `quarantine`, `reject` |
|
||||
| `rua` | No | Aggregate report URI | `mailto:reports@example.com` |
|
||||
| `ruf` | No | Forensic report URI | `mailto:forensic@example.com` |
|
||||
| `pct` | No | Percentage of messages | `0-100` (default 100) |
|
||||
| `sp` | No | Subdomain policy | `none`, `quarantine`, `reject` |
|
||||
| `adkim` | No | DKIM alignment | `r` (relaxed), `s` (strict) |
|
||||
| `aspf` | No | SPF alignment | `r` (relaxed), `s` (strict) |
|
||||
| `fo` | No | Failure reporting | `0`, `1`, `d`, `s` |
|
||||
@@ -0,0 +1,124 @@
|
||||
# Workflows: Implementing DMARC, DKIM, and SPF
|
||||
|
||||
## Workflow 1: Phased DMARC Deployment
|
||||
|
||||
```
|
||||
Phase 1: Discovery (Weeks 1-2)
|
||||
|
|
||||
+-- Inventory all email-sending services
|
||||
+-- Identify legitimate sources (marketing, transactional, internal)
|
||||
+-- Audit current SPF/DKIM/DMARC records
|
||||
|
|
||||
Phase 2: SPF Setup (Weeks 2-4)
|
||||
|
|
||||
+-- Create SPF record with all authorized senders
|
||||
+-- Start with ~all (soft fail) for monitoring
|
||||
+-- Test with email validation tools
|
||||
|
|
||||
Phase 3: DKIM Setup (Weeks 3-5)
|
||||
|
|
||||
+-- Generate 2048-bit RSA key pairs per sending service
|
||||
+-- Configure DKIM signing on MTA/email service
|
||||
+-- Publish public keys in DNS
|
||||
+-- Verify signatures with test emails
|
||||
|
|
||||
Phase 4: DMARC Monitor (Weeks 5-8)
|
||||
|
|
||||
+-- Deploy DMARC with p=none
|
||||
+-- Set up aggregate report (rua) processing
|
||||
+-- Monitor for 4+ weeks
|
||||
+-- Identify and fix failing legitimate sources
|
||||
|
|
||||
Phase 5: DMARC Quarantine (Weeks 9-12)
|
||||
|
|
||||
+-- Move to p=quarantine at pct=10
|
||||
+-- Gradually increase pct to 100
|
||||
+-- Monitor false positives
|
||||
|
|
||||
Phase 6: DMARC Reject (Weeks 13+)
|
||||
|
|
||||
+-- Move to p=reject at pct=10
|
||||
+-- Gradually increase to pct=100
|
||||
+-- Ongoing monitoring and maintenance
|
||||
```
|
||||
|
||||
## Workflow 2: SPF Record Construction
|
||||
|
||||
```
|
||||
START: List all email sending sources
|
||||
|
|
||||
v
|
||||
[Internal mail servers] --> ip4:x.x.x.x/y
|
||||
|
|
||||
v
|
||||
[Cloud email (Google/M365)] --> include:_spf.google.com / include:spf.protection.outlook.com
|
||||
|
|
||||
v
|
||||
[Marketing (Mailchimp, SendGrid)] --> include:servers.mcsv.net / include:sendgrid.net
|
||||
|
|
||||
v
|
||||
[Transactional (SES, Postmark)] --> include:amazonses.com / include:spf.mtasv.net
|
||||
|
|
||||
v
|
||||
[CRM (Salesforce, HubSpot)] --> include:_spf.salesforce.com / include:hubs.hubspot.com
|
||||
|
|
||||
v
|
||||
[Combine all mechanisms, ensure < 10 DNS lookups]
|
||||
|
|
||||
v
|
||||
[Add qualifier: ~all (monitor) or -all (enforce)]
|
||||
|
|
||||
v
|
||||
[Publish TXT record at domain apex]
|
||||
|
|
||||
v
|
||||
[Validate: mxtoolbox.com/spf.aspx]
|
||||
```
|
||||
|
||||
## Workflow 3: DMARC Report Analysis
|
||||
|
||||
```
|
||||
Daily DMARC aggregate reports (XML) received
|
||||
|
|
||||
v
|
||||
[Parse XML reports with process.py]
|
||||
|
|
||||
v
|
||||
[Categorize results]
|
||||
|
|
||||
+-- PASS (SPF + DKIM aligned) --> No action needed
|
||||
|
|
||||
+-- FAIL (unauthorized sender)
|
||||
| |
|
||||
| +-- Known service missing from SPF? --> Update SPF record
|
||||
| +-- Known service missing DKIM? --> Configure DKIM signing
|
||||
| +-- Unknown/suspicious sender --> Likely spoofing attempt
|
||||
| |
|
||||
| +-- Document source IPs
|
||||
| +-- Add to threat intelligence
|
||||
| +-- No SPF/DKIM changes needed (DMARC working correctly)
|
||||
|
|
||||
+-- PARTIAL PASS (SPF or DKIM only)
|
||||
|
|
||||
+-- Fix the failing mechanism
|
||||
+-- Check for forwarding/mailing list issues (consider ARC)
|
||||
```
|
||||
|
||||
## Workflow 4: Ongoing Maintenance
|
||||
|
||||
```
|
||||
Monthly:
|
||||
- Review DMARC aggregate reports for new unauthorized sources
|
||||
- Verify all third-party senders still authorized
|
||||
- Check SPF record is under 10 DNS lookup limit
|
||||
|
||||
Quarterly:
|
||||
- Rotate DKIM keys (update selector)
|
||||
- Review and update authorized sender inventory
|
||||
- Test authentication with external validation tools
|
||||
|
||||
Annually:
|
||||
- Full audit of email authentication configuration
|
||||
- Review DMARC policy strictness
|
||||
- Update documentation
|
||||
```
|
||||
Reference in New Issue
Block a user