creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-12 22:24:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/implementing-dmarc-dkim-spf-email-security/references/workflows.md
T

125 lines
3.1 KiB
Markdown
Raw Blame History

# Workflows: Implementing DMARC, DKIM, and SPF
## Workflow 1: Phased DMARC Deployment
```
Phase 1: Discovery (Weeks 1-2)
|
+-- Inventory all email-sending services
+-- Identify legitimate sources (marketing, transactional, internal)
+-- Audit current SPF/DKIM/DMARC records
|
Phase 2: SPF Setup (Weeks 2-4)
|
+-- Create SPF record with all authorized senders
+-- Start with ~all (soft fail) for monitoring
+-- Test with email validation tools
|
Phase 3: DKIM Setup (Weeks 3-5)
|
+-- Generate 2048-bit RSA key pairs per sending service
+-- Configure DKIM signing on MTA/email service
+-- Publish public keys in DNS
+-- Verify signatures with test emails
|
Phase 4: DMARC Monitor (Weeks 5-8)
|
+-- Deploy DMARC with p=none
+-- Set up aggregate report (rua) processing
+-- Monitor for 4+ weeks
+-- Identify and fix failing legitimate sources
|
Phase 5: DMARC Quarantine (Weeks 9-12)
|
+-- Move to p=quarantine at pct=10
+-- Gradually increase pct to 100
+-- Monitor false positives
|
Phase 6: DMARC Reject (Weeks 13+)
|
+-- Move to p=reject at pct=10
+-- Gradually increase to pct=100
+-- Ongoing monitoring and maintenance
```
## Workflow 2: SPF Record Construction
```
START: List all email sending sources
|
v
[Internal mail servers] --> ip4:x.x.x.x/y
|
v
[Cloud email (Google/M365)] --> include:_spf.google.com / include:spf.protection.outlook.com
|
v
[Marketing (Mailchimp, SendGrid)] --> include:servers.mcsv.net / include:sendgrid.net
|
v
[Transactional (SES, Postmark)] --> include:amazonses.com / include:spf.mtasv.net
|
v
[CRM (Salesforce, HubSpot)] --> include:_spf.salesforce.com / include:hubs.hubspot.com
|
v
[Combine all mechanisms, ensure < 10 DNS lookups]
|
v
[Add qualifier: ~all (monitor) or -all (enforce)]
|
v
[Publish TXT record at domain apex]
|
v
[Validate: mxtoolbox.com/spf.aspx]
```
## Workflow 3: DMARC Report Analysis
```
Daily DMARC aggregate reports (XML) received
|
v
[Parse XML reports with process.py]
|
v
[Categorize results]
|
+-- PASS (SPF + DKIM aligned) --> No action needed
|
+-- FAIL (unauthorized sender)
| |
| +-- Known service missing from SPF? --> Update SPF record
| +-- Known service missing DKIM? --> Configure DKIM signing
| +-- Unknown/suspicious sender --> Likely spoofing attempt
| |
| +-- Document source IPs
| +-- Add to threat intelligence
| +-- No SPF/DKIM changes needed (DMARC working correctly)
|
+-- PARTIAL PASS (SPF or DKIM only)
|
+-- Fix the failing mechanism
+-- Check for forwarding/mailing list issues (consider ARC)
```
## Workflow 4: Ongoing Maintenance
```
Monthly:
- Review DMARC aggregate reports for new unauthorized sources
- Verify all third-party senders still authorized
- Check SPF record is under 10 DNS lookup limit
Quarterly:
- Rotate DKIM keys (update selector)
- Review and update authorized sender inventory
- Test authentication with external validation tools
Annually:
- Full audit of email authentication configuration
- Review DMARC policy strictness
- Update documentation
```
Reference in New Issue View Git Blame Copy Permalink