TL;DR
Attackers can sometimes bypass OpenDMARC checks by forging the Authentication-Results header. This guide explains how this works and what you can do to protect yourself.
Understanding the Problem
OpenDMARC relies on email authentication (SPF, DKIM) and reporting. The Authentication-Results header is added by receiving mail servers to show the results of these checks. If an attacker can manipulate this header *before* your DMARC record is evaluated, they can trick systems into believing a spoofed email is legitimate.
How Attackers Forge Authentication-Results
The key vulnerability lies in how some mail servers handle headers. If the receiving server accepts Authentication-Results headers that arrive with the message from outside (rather than stripping them), or adds its own without strict checks, an attacker can insert or alter Authentication-Results entries so that a spoofed message appears to pass DMARC.
Steps to Protect Against Authentication-Results Spoofing
- Check Your Mail Server Configuration: This is the most important step. Ensure your mail server doesn’t allow arbitrary header modification by external sources or untrusted processes.
- Implement Strict Header Controls: Configure your server to reject emails with invalid or unexpected Authentication-Results headers. This can be complex, as legitimate variations exist. Look for options like:
- Header Sanitization: Remove or modify suspicious header fields.
- DKIM Signature Verification: Always verify DKIM signatures before trusting any Authentication-Results data.
- Use DMARC Reporting to Monitor for Anomalies: Regularly review your DMARC reports (both aggregate and forensic). Look for:
- Unexpected sources sending emails on behalf of your domain.
- Authentication results that don’t match your expected SPF/DKIM configuration.
- Large volumes of emails failing authentication but still being delivered.
- Consider Using a Secure Email Gateway: A dedicated email security gateway can provide more robust header validation and threat detection capabilities than standard mail servers.
- Implement SPF, DKIM, and DMARC Properly: Ensure your core authentication protocols are correctly configured. A strong foundation makes spoofing harder in the first place.
- SPF: Define which servers are authorized to send email for your domain.
v=spf1 include:_spf.example.com ~all
- DKIM: Digitally sign outgoing emails to verify their authenticity. The public key is published in DNS under the selector:
selector._domainkey.example.com TXT "v=DKIM1; k=rsa; p=<base64 public key>"
- DMARC: Tell receiving servers what to do with emails that fail SPF/DKIM checks (e.g., reject, quarantine).
v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; ruf=mailto:forensic-reports@example.com; adkim=r; aspf=r;
- Educate Users About Phishing: Even with technical controls, users can still fall victim to sophisticated phishing attacks. Train them to identify suspicious emails and report them promptly.
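The header sanitization step above, applied to the forgery described under "How Attackers Forge Authentication-Results", as an added example (not code from this page or from the OpenDMARC project): a Python routine a border MTA would run on inbound mail before OpenDMARC sees it, dropping any Authentication-Results header that claims one of our own authserv-ids (assumed here to be mx.example.com), as RFC 8601 section 5 requires. The sample message is constructed.

```python
import email
import re
from email import policy
from typing import Optional

# Constructed sample: an inbound message carrying a forged Authentication-Results
# header that claims OUR authserv-id (mx.example.com) with dkim=pass, followed by a
# legitimate header added by a remote relay (mail.other.org).
SAMPLE_MESSAGE = b"""\
Authentication-Results: mx.example.com; dkim=pass header.d=example.com; spf=pass
Authentication-Results: mail.other.org; spf=none
From: ceo@example.com
To: staff@example.com
Subject: Urgent wire transfer

Please pay the attached invoice today.
"""

# RFC 8601: value starts with authserv-id, an optional version number, then ";".
AUTHSERV_ID_RE = re.compile(r"^\s*([A-Za-z0-9._-]+)(?:\s+\d+)?\s*;")


def authserv_id(value: str) -> Optional[str]:
    """Return the (lowercased) authserv-id an Authentication-Results value claims."""
    m = AUTHSERV_ID_RE.match(value)
    return m.group(1).lower() if m else None


def strip_forged_authentication_results(raw: bytes, local_ids: set[str]) -> tuple[bytes, list[str]]:
    """Drop Authentication-Results headers that claim one of our own authserv-ids.

    Run at the border, before our own verifier adds its header, any such header
    cannot be ours and is removed; headers with no parseable authserv-id are
    removed too. Returns the rewritten message and the removed values for logging.
    Surviving headers are re-added at the end of the header block.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    local = {i.lower() for i in local_ids}
    removed, kept = [], []
    for value in msg.get_all("Authentication-Results", []):
        aid = authserv_id(str(value))
        (removed if aid is None or aid in local else kept).append(str(value))
    del msg["Authentication-Results"]  # deletes every occurrence
    for value in kept:
        msg["Authentication-Results"] = value
    return msg.as_bytes(), removed


if __name__ == "__main__":
    cleaned, dropped = strip_forged_authentication_results(SAMPLE_MESSAGE, {"mx.example.com"})
    print("dropped:", dropped)
    print(cleaned.decode())
```

OpenDMARC only honours Authentication-Results headers whose authserv-id matches its AuthservID or TrustedAuthservIDs setting, so stripping inbound copies of those ids at the border is what closes this gap.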
Limitations
Completely preventing Authentication-Results spoofing is difficult. Attackers are constantly evolving their techniques. A layered security approach – combining technical controls with user awareness – is the most effective strategy.