PSA: Protect Your Email with DMARC

In the last few months, I’ve seen an uptick in spoofed emails being sent with my own personal email domain. Not only is this extremely annoying, but more problematic is that recipients receive spam and phishing emails from what seems to be my personal mail account, simply by spoofing the from address. I don’t know why my domain and email address have been “chosen” for this, but I guess this is fallout from the LinkedIn breach way back in 2012.

I didn’t think there was much I could do about this, but a recent tweet by my friend Per Thorsheim sent me down the rabbit hole.

So, obviously there are options available to me that I was completely unaware of. I haven’t managed any public facing email services for 6-7 years, so I’ve not kept up with whatever has been happening in that particular space. Also, my personal email domain has been hosted by Google since 2008, so I haven’t really managed that either. Set and forget, right? Well, not quite.

So, what is this DMARC thing? It stands for Domain-based Message Authentication, Reporting & Conformance, and is a way to try and validate that emails from a given domain are being sent using one of the valid mail servers configured for that domain. In order to be able to use DMARC, you first need to have Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) configured for your domain.

Here are the resources I used to get all of this configured for my domain:

  1. Configure SPF records to work with G Suite
  2. Authenticate email with DKIM
  3. Add a DMARC record

Less than 24 hours after configuring everything, I received my first DMARC Aggregate Report, which is basically an XML file showing what has been going on.

Since this file is a bit hard to read on its own, I uploaded it to DMARC Analyzer, and even though I knew a lot of email was being sent with my email address as the reply to address, I was quite surprised to see that in less than 24 hours after I set up the DMARC DNS records, a total of 295 emails had been rejected by mail servers all over the world, most of them sent from mail servers in Vietnam. I do not send 295 emails a day with my personal email account, and absolutely none of them from Vietnam. In fact, during the time-frame of this initial aggregate report, I sent zero emails – as seen in the screenshot from the report.

I have now configured my DMARC DNS TXT records to send emails directly to DMARC Analyzer, and I’m looking forward to seeing how these numbers add up over time. I’m currently on a free trial plan, and looking to evaluate which of the available DMARC Analyzers out there I want to use permanently.

At least now receiving email servers have a fighting chance of rejecting fake emails from my domain, since it’s now possible to verify that they are sent through a valid source.

Even if you don’t have problems with someone spoofing your email addresses, please spend 10 minutes configuring this for your domain as well. You never know when something like this might occur, and it’s better to build your defences before you get attacked. That way you stand a chance of stopping it before it gets as ugly as it did in my case.

And Per, you are a gentleman and a scholar. Even if I did manage to investigate and set this up on my own, cake and coffee is still on me!

Accountability 101: 2017 — You Better Deliver

Considering it’s mid-January 2017 already, it’s time to do my annual goal list for the new year.

My goals for 2017:

  • Get that VCAP6-DCV Design exam out of the way — I did the beta in March 2016, but missed the mark by a small margin.
  • AWS Associate Certifications — Not sure how many of the three exams I want to do yet, but I’m going to at least give the AWS Certified Solutions Architect exam a go.
  • Learn something new — This ties into the previous goal a bit, but I will try to allocate time to learning something new every month. Sometimes it might be tech, sometimes it might be soft skills. I’ve purchased a few Udemy courses with this in mind already.
  • Attend an industry conference — Most likely VMworld Barcelona in September.
  • Continue to build the SDDC practice at Proact — The foundations laid in 2016 were awesome. 2017 is the year we have to start executing and delivering on it.
  • vNinja.net — Keep posting whenever I feel like it, but try to keep the “In the Bag” series going.
  • Photography — Take up photography as a hobby again; I’ve been quiet on that front for quite a while and I miss the creative outlet it provides. With upcoming trips to Liverpool (Liverpool FC vs Arsenal) in March, Radiohead concert in Oslo in June, and the Secret Solstice festival in Iceland also in June, there should be plenty of opportunities in 2017.

I also have a few other personal goals for 2017 that are not listed here, but I’ll keep myself accountable for those as well. Some of them were posted in my 2016 review post:

  • I need to get better at planning things out, not just adding a todo item and thinking that somehow magically makes you more productive. Having a lot of todo items doesn’t really help, unless you plan out how to accomplish them. This is one thing I aim to improve in 2017; breaking bigger tasks into smaller ones to make them manageable and attainable.
  • Clearer focus. This is a continuation of the previous point, but I must get better at channeling energy into the tasks at hand, not on everything all at once. Set up time slots, and use them.
  • Get more sleep. I sleep way too little, and that needs to change drastically.

So, bring it on 2017. I think I’m ready for my closeup now.

Hindsight is 20/20: Evaluating 2016

Back in February 2016 I published my goals for 2016, and it’s time to review that list:

  • Shake things up a bit – Go big or go home.
    This one is easy, in April 2016 I moved from EVRY to Proact, with a clear mission statement: Build and develop Norway’s best SDDC team. As is always the case when changing positions and companies, a lot of time is spent on getting to know the new organisation, but we’re getting there.
    More news on this in 2017, but things are looking good going forward. We’ve built a solid foundation in 2016!
    Score: 8/10 
  • Get VCIX certified
    This was a miserable failure. I sat the 3V0-622: VMware Certified Advanced Professional 6 – Data Center Virtualization Design Beta Exam in March, but failed it. It was close (I just recently got my score report!), but no cigar. Due to lots of other time consuming things going on in 2016, I’ve not had a second attempt at it yet.
    Score: 2/10 
  • Keep vSoup on track
    Another failure, 3 published podcasts in 2016, not even close to the monthly target. We’ve been doing the vSoup podcast since 2011, and a lot of things have changed for all three of us. Not sure how 2017 looks in that regard either.
    Score: 2/10

  • VMUG
    The Norwegian VMUG is still healthy, but I haven’t been able to contribute as much as I’ve wanted in 2016, also due to time constraints.
    Score: 5/10

  • Attend an international industry conference
    I did get to attend VMworld in Barcelona in 2016, which was awesome after missing out last year.
    Score: 10/10

  • Code something
    Nope, not this year. Too much other stuff on my plate. I haven’t made any real code, but I’ve developed a lot of other stuff that will come in handy in 2017 (related to the top entry in this list), but nothing that really qualifies as code.
    Score: 0/10

So, all in all that gives me a personal score of 28 of a possible 60. Wow, that’s pretty bad. Not quite what I had in mind for 2016, but I’m very that my top-most item got an 8. That one should be weighted higher than the rest anyway.
Sure, I can “blame” some of the lack of progress on a few of these items on the role/employer change, but not all of it — some of it is purely a personal lack of ability to power through.

2016 has taught me a few valuable lessons:
  • I need to get better at planning things out, not just adding a todo item and thinking that magically makes you more productive. Having a lot of todo items doesn’t really help, unless you plan out how to accomplish them. This is one thing I aim to improve in 2016; breaking bigger tasks into smaller ones to make them manageable and attainable.
  • Clearer focus. This ties into the previous point, but I must get better at channeling energy into the tasks at hand, not on everything all at once. Set up time slots, and use them, for the tasks that need to be done.
  • I sleep way too little, and that needs to change drastically.

Now it’s time to carve out and publish the plan for 2017. Let’s see if I’ve actually learned anything at all…