Review: Valimail Monitor, Align And Enforce

You might recall that I have been implementing DMARC across all the domains that I own in order to increase email deliverability and to cut down, if not eliminate, email spoofing via my domains. One thing that I did say at the time was that I was spending every morning looking at DMARC reports to get visibility into what was going on in relation to my domains. I specifically said this:

Now, let’s talk about the reports that I mentioned earlier. They show up in your inbox in XML format that isn’t human readable. To solve that problem, I use the MX Tools DMARC Report analyzer which makes these reports human readable. That way I have visibility into what’s going on from an email perspective. And I set aside a few minutes every day to read these reports. I admit that it’s a bit time consuming. But it ensures that I don’t find out about my bad news from CNN so to speak.

Here’s the problem with that method. I am simply looking at one day at a time and one domain at a time. So I am missing out on anything that is trending, for example some threat actor who is spending multiple days trying to spoof my email addresses. That’s when Valimail hooked me up with Valimail Monitor. This web-based product allows you to monitor who is sending email from your domains and identify unauthorized senders, all from a single dashboard. That in turn gives you visibility as to where your good news (nobody is trying to spoof you for example) or bad news (someone is trying to spoof you, or someone inside your company is using a service that you haven’t authorized) is going to come from.
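The day-at-a-time blind spot described above can be seen by tallying DMARC failures per source IP across several aggregate reports. This is an added example, not part of the original review and not Valimail or MX Tools code; the reports, the `example.com` domain, the IP addresses, the namespace and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timezone

def make_report(begin, rows, ns=""):
    """Build a constructed RFC 7489-style aggregate report for example.com."""
    recs = "".join(
        f"<record><row><source_ip>{ip}</source_ip><count>{n}</count><policy_evaluated>"
        f"<dkim>{d}</dkim><spf>{s}</spf></policy_evaluated></row></record>"
        for ip, n, d, s in rows)
    return (f"<feedback{ns}><report_metadata><date_range><begin>{begin}</begin>"
            f"<end>{begin + 86399}</end></date_range></report_metadata><policy_published>"
            f"<domain>example.com</domain></policy_published>{recs}</feedback>")

DAY1 = 1704067200  # 2024-01-01 00:00 UTC
SAMPLE_REPORTS = [  # constructed data: three daily reports, the last one namespaced
    make_report(DAY1, [("192.0.2.10", 40, "pass", "pass"),
                       ("198.51.100.7", 3, "fail", "fail")]),
    make_report(DAY1 + 86400, [("192.0.2.10", 35, "pass", "fail"),
                               ("198.51.100.7", 5, "fail", "fail"),
                               ("203.0.113.9", 1, "fail", "fail")]),
    make_report(DAY1 + 172800, [("198.51.100.7", 4, "fail", "fail")],
                ns=' xmlns="urn:example:constructed"'),
]

def failing_sources(reports):
    """Map (domain, source_ip) -> {"count", "days"} for rows that failed DMARC."""
    out = defaultdict(lambda: {"count": 0, "days": set()})
    for xml_text in reports:
        # Reports are third-party input; use a hardened parser (e.g. defusedxml) for real mail.
        root = ET.fromstring(xml_text)
        for el in root.iter():  # some reporters namespace their tags; strip it
            el.tag = el.tag.rsplit("}", 1)[-1]
        domain = root.findtext("policy_published/domain")
        begin = int(root.findtext("report_metadata/date_range/begin"))
        day = datetime.fromtimestamp(begin, timezone.utc).date()
        for row in root.iterfind("record/row"):
            pe = row.find("policy_evaluated")
            # DMARC passes if either aligned DKIM or aligned SPF passed.
            if "pass" in (pe.findtext("dkim"), pe.findtext("spf")):
                continue
            entry = out[(domain, row.findtext("source_ip"))]
            entry["count"] += int(row.findtext("count"))
            entry["days"].add(day)
    return dict(out)

def persistent(reports, min_days=2):
    """Sources that failed DMARC on at least min_days distinct days."""
    return sorted(k for k, v in failing_sources(reports).items() if len(v["days"]) >= min_days)
```

Read one report at a time, `198.51.100.7` shows only three to five failures a day; across the three reports it is the one source failing on every day, while the single failure from `203.0.113.9` drops out.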

Let’s go into the weeds on this:

One of the first things that I do is to go into the dashboard and scroll through the different sections of the dashboard. DMARC status is one of the first things that usually gets my attention as that’s where I would get the first indication if anyone is spoofing me, or if I have a deliverability issue. In this case, it’s the former as seven emails failed the DMARC check. That usually sends me off to the domains screen to see what is going on:

I have redacted my personal domain for privacy reasons. But it seems to be the source of the issue. Since I am a guy who likes to go down the rabbit hole on these things, let’s see why this is the case. So I am going to click the word “view” under the “Senders” column to see what’s going on.

Once I hit this screen, it becomes clear to me what’s going on. My hosting provider uses MailChannels as a proxy for all outbound mail to ensure that a bad actor who hosts with them doesn’t do anything that would cause their hosting infrastructure to be banned by other mail servers. So 100% of my email should go through there. But it’s not. It seems that some “Unidentified IPs” are trying to send mail using my personal domain.

And by clicking on “View” under the “Countries” column, it shows that what appears to be a Vietnam-based threat actor is trying to spoof my domain.

What I did from there is to increase the date range to one month to see what I found. Now Canada isn’t an issue as my email server is hosted in Montreal, and everything is clearly flowing through just fine. But I see that besides having a threat actor in Vietnam, a threat actor that appears to be in the US is also a problem as everything from that country is failing DMARC. Thus they’re trying to spoof me as well.

Now at the time that I went down this rabbit hole, I couldn’t see the exact IP addresses of the servers that were trying to spoof me. But I reached out to Valimail and they were able to get that straightened out so that going forward, I can see the exact IP addresses of anything that is claiming to be sending email on my behalf. Some of them were hosted by Microsoft so I reached out to them via their abuse email address to address those threat actors. The other threat actor I have addressed by setting my domains to reject anything that fails a DMARC check.

Sidebar: Since I have done this, I have noted that phishing emails related to my domains have skyrocketed. Which illustrates that if a threat actor can’t get you using one technique, they’ll try something else.

While I continue to monitor the situation, I feel that I am in a better position to make sure that nobody is using my domains when they shouldn’t be as I have complete visibility of what is going on, and I can take action on anything that is suspect. Here’s the key part that you should pay attention to: This level of protection is free. Thus there’s really no reason why you shouldn’t use it.

Now if you need more than Valimail Monitor offers, they can help you with that. Valimail Align is the next level up from Monitor. It adds automated configuration of DKIM and SPF to allow you to get to a compliance level that satisfies Google, Yahoo, and others. It’s a great way to easily ensure that you’re in a good place when it comes to DMARC compliance.

Valimail Enforce is the top tier of what Valimail offers. It allows you to automate DMARC tasks and ensure that absolutely nothing slips through the net so to speak. For example, I set up Enforce which required me to make a number of DNS changes which are outlined here, and then I set up a MailChimp account to send emails using my business domain without telling Enforce about it. Then I waited to see what would happen next. What I found was that Enforce was able to discover the existence of MailChimp and that it was sending emails on my behalf. I was then able to add it as an authorized sender within Enforce and Enforce handled all the DNS changes in the background for me with no need to act as my own IT department to make changes to my DNS setup. It was literally a few clicks to get that done. And this is the key point. Enforce allows you to monitor every aspect of your mail setup so that you can make changes as needed, or discover email products like MailChimp for example that might be used in your organization without your knowledge. Thus if I were to put my consultant hat on for a second, I would recommend that enterprises should head straight to Enforce as I can see that there would be a close to immediate payback in terms of security, reputation management, and cost.

Here’s the bottom line. Valimail has a suite of products that I feel that any company who sends email, which is pretty much every company, should be using to ensure that their email gets to their intended destinations, and to ensure that said companies’ reputation remains intact. On top of that, they will save a few bucks along the way. That’s a win on multiple fronts, which means that if you’re the guy who’s responsible for mail, DNS, and perhaps even your security stack, you need to have a look at what Valimail has to offer as in my view, this suite of products can help you in so many ways.
