mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-19 05:59:40 +03:00
Initial commit - 611 cybersecurity skills across all subdomains
This commit is contained in:
@@ -0,0 +1,124 @@
|
||||
# Workflows: Implementing DMARC, DKIM, and SPF
|
||||
|
||||
## Workflow 1: Phased DMARC Deployment
|
||||
|
||||
```
|
||||
Phase 1: Discovery (Weeks 1-2)
|
||||
|
|
||||
+-- Inventory all email-sending services
|
||||
+-- Identify legitimate sources (marketing, transactional, internal)
|
||||
+-- Audit current SPF/DKIM/DMARC records
|
||||
|
|
||||
Phase 2: SPF Setup (Weeks 2-4)
|
||||
|
|
||||
+-- Create SPF record with all authorized senders
|
||||
+-- Start with ~all (soft fail) for monitoring
|
||||
+-- Test with email validation tools
|
||||
|
|
||||
Phase 3: DKIM Setup (Weeks 3-5)
|
||||
|
|
||||
+-- Generate 2048-bit RSA key pairs per sending service
|
||||
+-- Configure DKIM signing on MTA/email service
|
||||
+-- Publish public keys in DNS
|
||||
+-- Verify signatures with test emails
|
||||
|
|
||||
Phase 4: DMARC Monitor (Weeks 5-8)
|
||||
|
|
||||
+-- Deploy DMARC with p=none
|
||||
+-- Set up aggregate report (rua) processing
|
||||
+-- Monitor for 4+ weeks
|
||||
+-- Identify and fix failing legitimate sources
|
||||
|
|
||||
Phase 5: DMARC Quarantine (Weeks 9-12)
|
||||
|
|
||||
+-- Move to p=quarantine at pct=10
|
||||
+-- Gradually increase pct to 100
|
||||
+-- Monitor false positives
|
||||
|
|
||||
Phase 6: DMARC Reject (Weeks 13+)
|
||||
|
|
||||
+-- Move to p=reject at pct=10
|
||||
+-- Gradually increase to pct=100
|
||||
+-- Ongoing monitoring and maintenance
|
||||
```
|
||||
|
||||
## Workflow 2: SPF Record Construction
|
||||
|
||||
```
|
||||
START: List all email sending sources
|
||||
|
|
||||
v
|
||||
[Internal mail servers] --> ip4:x.x.x.x/y
|
||||
|
|
||||
v
|
||||
[Cloud email (Google/M365)] --> include:_spf.google.com / include:spf.protection.outlook.com
|
||||
|
|
||||
v
|
||||
[Marketing (Mailchimp, SendGrid)] --> include:servers.mcsv.net / include:sendgrid.net
|
||||
|
|
||||
v
|
||||
[Transactional (SES, Postmark)] --> include:amazonses.com / include:spf.mtasv.net
|
||||
|
|
||||
v
|
||||
[CRM (Salesforce, HubSpot)] --> include:_spf.salesforce.com / include:hubs.hubspot.com
|
||||
|
|
||||
v
|
||||
[Combine all mechanisms, ensure < 10 DNS lookups]
|
||||
|
|
||||
v
|
||||
[Add qualifier: ~all (monitor) or -all (enforce)]
|
||||
|
|
||||
v
|
||||
[Publish TXT record at domain apex]
|
||||
|
|
||||
v
|
||||
[Validate: mxtoolbox.com/spf.aspx]
|
||||
```
|
||||
|
||||
## Workflow 3: DMARC Report Analysis
|
||||
|
||||
```
|
||||
Daily DMARC aggregate reports (XML) received
|
||||
|
|
||||
v
|
||||
[Parse XML reports with process.py]
|
||||
|
|
||||
v
|
||||
[Categorize results]
|
||||
|
|
||||
+-- PASS (SPF + DKIM aligned) --> No action needed
|
||||
|
|
||||
+-- FAIL (unauthorized sender)
|
||||
| |
|
||||
| +-- Known service missing from SPF? --> Update SPF record
|
||||
| +-- Known service missing DKIM? --> Configure DKIM signing
|
||||
| +-- Unknown/suspicious sender --> Likely spoofing attempt
|
||||
| |
|
||||
| +-- Document source IPs
|
||||
| +-- Add to threat intelligence
|
||||
| +-- No SPF/DKIM changes needed (DMARC working correctly)
|
||||
|
|
||||
+-- PARTIAL PASS (SPF or DKIM only)
|
||||
|
|
||||
+-- Fix the failing mechanism
|
||||
+-- Check for forwarding/mailing list issues (consider ARC)
|
||||
```
|
||||
|
||||
## Workflow 4: Ongoing Maintenance
|
||||
|
||||
```
|
||||
Monthly:
|
||||
- Review DMARC aggregate reports for new unauthorized sources
|
||||
- Verify all third-party senders still authorized
|
||||
- Check SPF record is under 10 DNS lookup limit
|
||||
|
||||
Quarterly:
|
||||
- Rotate DKIM keys (update selector)
|
||||
- Review and update authorized sender inventory
|
||||
- Test authentication with external validation tools
|
||||
|
||||
Annually:
|
||||
- Full audit of email authentication configuration
|
||||
- Review DMARC policy strictness
|
||||
- Update documentation
|
||||
```
|
||||
Reference in New Issue
Block a user