Let’s revisit our cocktail party scenario to illustrate how this third type of sender works, because who doesn’t love a good party? Someone again hands you a business card, this time with a PayPal logo on it. You ask them how they like working at PayPal, and the person says, “I don’t work for PayPal. That guy over there gave me his business card to hand to you.” That’s forwarding in the world of cocktail parties, and the same thing happens every day with email.
The two most common types of forwarders are alumni forwarding services and disposable email address services. Alumni forwarders are quite common; you graduate from college, and your alma mater gives you an email address to use after you graduate. Here’s the catch: you get an email address, but no mailbox. Instead, you tell your university your “real” email address, and they set up your alias to relay all mail sent to your alias to your “real” email address.
A disposable email address (DEA) service enables people to have unlimited single-use email addresses that all relay into the same real mailbox. Suppose you want to read a security whitepaper offered up by a website, but they will only let you download it in exchange for your email address. You can use a DEA service to generate a unique email address just for that purpose. Three months from now, when that email address starts receiving lots of spam, you’ll know who leaked your address to the spammers and you’ll be able to disable the disposable address.
Both of these forwarding scenarios introduce challenges for email authentication. Forwarding always breaks SPF, because the forwarder’s mail server is not an IP address that the original sender’s domain authorized in its SPF record. Some forwarders simply keep the original envelope (RFC5321.MailFrom) domain; those messages fail SPF authentication outright. Others rewrite the envelope address to their own domain when forwarding; SPF may then pass for the forwarder’s domain, but that domain does not match the From: header domain, so the result fails DMARC’s alignment check. Either way, SPF is not going to produce an aligned pass, which means we must rely on DKIM in these situations.
Most forwarders pass the message along unchanged, and the DKIM signature will validate without issue. Unfortunately, some forwarders tamper with the message headers and/or body, in which case the DKIM signature will no longer validate. At Agari, we refer to these as “broken forwarders” or “sloppy forwarders”. Messages relayed through a broken forwarder will fail DMARC, and will be subject to quarantine or rejection if you’ve implemented a policy other than p=none.
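To make the forwarding cases concrete, here is a small DMARC evaluator added for this post (it is not Agari code). It takes the authentication results a receiver would have for a forwarded message and applies the aligned-SPF-or-aligned-DKIM rule; the domains `example.com` and `alumni.example`, and the simplified two-label organizational-domain check, are constructed assumptions for the demo.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class AuthResult:
    from_domain: str            # RFC5322.From domain, the domain DMARC protects
    envelope_domain: str        # RFC5321.MailFrom domain SPF was evaluated against
    spf_result: str             # "pass"/"fail" as evaluated for the forwarder's IP
    dkim_result: str            # "pass"/"fail" after any header/body modification
    dkim_domain: Optional[str]  # d= tag of the DKIM signature, None if unsigned


def org_domain(domain: str) -> str:
    # Relaxed-alignment approximation: compare the last two labels.
    # Real receivers consult the Public Suffix List; this is an assumption for the demo.
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def aligned(candidate: Optional[str], from_domain: str) -> bool:
    return candidate is not None and org_domain(candidate) == org_domain(from_domain)


def dmarc_evaluate(r: AuthResult) -> str:
    # DMARC passes if either mechanism passes AND its domain aligns with From:.
    spf_ok = r.spf_result == "pass" and aligned(r.envelope_domain, r.from_domain)
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain)
    return "pass" if spf_ok or dkim_ok else "fail"


# Constructed scenarios: mail From: example.com, relayed by a forwarder at alumni.example.
SCENARIOS = {
    # Forwarder keeps the original envelope: SPF fails (forwarder IP not in example.com's record).
    "keeps envelope, message intact": AuthResult("example.com", "example.com", "fail", "pass", "example.com"),
    # Forwarder rewrites the envelope: SPF passes for alumni.example but is not aligned.
    "rewrites envelope, message intact": AuthResult("example.com", "alumni.example", "pass", "pass", "example.com"),
    # "Broken forwarder": headers/body altered, so the DKIM signature no longer validates.
    "rewrites envelope, broken forwarder": AuthResult("example.com", "alumni.example", "pass", "fail", "example.com"),
}


def evaluate_all() -> dict:
    return {name: dmarc_evaluate(r) for name, r in SCENARIOS.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(f"{name}: DMARC {verdict}")
```

Only the intact-DKIM cases pass; the broken forwarder fails regardless of what SPF said for the rewritten envelope.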
How can you tell if a message has failed authentication due to a “broken forwarder”? If you are an Agari customer it’s easy. Simply use our IP Information tool to see what domains we see emanating from that IP; most forwarders will send email from dozens if not hundreds of domains.
Next week we will take a look at the final and definitely scariest type of sender: the malicious attacker.
The Four Types of Senders: Forwarders
Posted on November 25, 2014