How to use ANTISPOOFING with proofpoint essentials

Created by Yves Lacombe, Modified on Wed, 3 Feb, 2021 at 11:51 AM by Yves Lacombe

SituationYou want to prevent malicious actors from sending spoofed messages.
Solution

See below for information on:

  • What are DMARC, DKIM, and SPF?
  • How do I enable inbound anti-spoofing policies?

 

What Are Anti-Spoofing Policies?

 

Anti-spoofing policies help prevent malicious senders from impersonating trusted domains, like those owned by banks, government, or your suppliers. Proofpoint Essentials uses a combination of SPF, DKIM, and DMARC to detect and stop spoofed messages.

What Is SPF?

Sender Policy Framework (SPF) allows mail administrators to publicly identify legitimate sources of messages from their domain. SPF policies consist of a combination of IP addresses, hostnames, and inclusions of other domains' SPF policies. When Proofpoint Essentials receives a message, it checks to see if an SPF policy is published for the sending domain. If so, it identifies whether or not the sender is authorized to send on the domain's behalf.

What Is DKIM?

DomainKeys Identified Mail (DKIM) allows mail administrators to cryptographically sign outbound messages from their domain, which proves that the message originated from the domain owner’s infrastructure and that the message was not materially altered in transit. When Proofpoint Essentials receives a DKIM-signed messages, it retrieves the sending domain's public key using DNS, and validates that the signature is correct and that the message hasn't been tampered with.

What Is DMARC?

Domain-based Message Authentication, Reporting & Conformance (DMARC) builds on top of SPF and DKIM protocols, adding the ability specify a recommended policy to receivers and it provides reports back to the domain owner to help them measure the accuracy and completeness of their spoofing policies.

How Do I Enable Inbound Anti-Spoofing Policies?

Each domain that sends email can be individually configured to sign outbound messages with DKIM. To enable the feature, you will need to create a new signing key, add the public key to your DNS zone, and verify that its been added correctly.

Enabling The Anti-Spoofing Module

  1. Navigate to Administration > Account Management > Features
  2. Check the box labeled 'Enable Anti-Spoofing Policies'.
  3. Proofpoint's best practice anti-spoofing policies are automatically enabled.

How Do I Change Inbound Anti-Spoofing Policies?

Under Security Settings > Malicious Content > Anti-Spoofing, there are three separate policies available to configure. For each policy a list of exceptions can be created to exclude individual domains from anti-spoofing policies.



Inbound DMARC

The default policy is "Allow the sending domain's DMARC policy to determine whether or not to block messages. (Recommended)". If the sending domain has a published DMARC policy, this will prevent unauthorized senders from spoofing the foreign domain.

If "Ignore the sending domain's DMARC policy, but log the result" is chosen, messages that fail the DMARC check will be passed through the system. The result will be logged in the Mail Log and in the message's header. 

Inbound SPF And Inbound DKIM

If a DMARC policy is not present, but an SPF policy exists or a message has been signed with DKIM, these policies will apply. There are three results which can be acted on:

ConditionDescriptionDefault Action
FailureThe message has failed the SPF or DKIM check. This indicates that the message has been spoofed.Quarantine
Temporary ErrorAn transient error occurred during the retrieval of the foreign domain's SPF policy or DKIM key in DNS.Take no action
Permanent ErrorAn error occurred while parsing the foreign domain's SPF policy or DKIM key in DNS. This means that the record is malformed in some way.Quarantine

Three actions are available:

  • Quarantine - prevents the message from being delivered to its intended recipient
  • Take no action - allows the message to continue to be processed
  • Tag subject line with text - prepends the supplied text to the message's subject line



NEW INFORMATION AS OF 2021-02-23 below



What happens to those messages caught by the AntiSpoofing system?


Messages will be caught as "FRAUD"




Those messages can only be released by someone with Admin Privileges


You can search the message log and filter by type:


 



IOnside the message log, when you click on the details link, you will see on fraudulent emails what category caught it (ie: DKIM, DMARC, SPF) example:


 





THREAT DASHBOARD


The starting dashboard will now reflect the number of messages caught by the Anti-Spoofing mechanism categorized by hit type (SPF/DMARC/DKIM) in addition to Malicious Attachments and Viruses caught.



 





OVERALL ANTISPOOFING BEHAVIOR (DMARC vs SPF/DKIM)


The Anti-Spoofing feature will fall back to oonsidering individual SPF & DKIM results (following customer-specified action) when:

  1. Remote sender's DMARC policy is p=none
  2. Local customer's DMARC setting is "Ignore DMARC" (but SPF checking and DKIM checking is active)


DEFAULT SETTINGS when Anti-Spoofing policies feature is enabled


POLICYDefault value
DMARCEnabled
inbound DKIM -> FailureQuarantine
Inbound DKIM -> Temporary ErrorTake no Action
Inbound DKIM -> Permanent ErrorTake no Action
Inbound SPF -> FailureQuarantine
Inbound SPF -> Temporary ErrorTake no Action
Inbound SPF -> Permanent errorTake no Action


Note that the above settings are the Vircom recommended settings.