-
Notifications
You must be signed in to change notification settings - Fork 9
Guidance Tags
Kyle Sullivan edited this page Jan 20, 2023
·
58 revisions
DMARC
Annex A of the Canadian Centre for Cyber Security's Email Domain Protection Implementation Guidance describes a four step implementation plan for proper configuration of DMARC. The following is a list of guidance tags required to attain each stage. Requirements are inherited by subsequent stages unless contradicted by new requirements.
External Links
- CCCS DMARC Implementation Guidance
- DMARC RFC
- Web Sites and Services Management Configuration Requirements
Notes:
- dmarc4 / Pct-100 also applied if pct tag is missing
| tag_id | tag_name | guidance | Assess | Deploy | Enforce | Maintain | ref_links_guide | ref_links_technical |
|---|---|---|---|---|---|---|---|---|
| dmarc1 | DMARC-GC | Government of Canada domains subject to TBS guidelines. | Web Sites and Services Management Configuration Requirements | |||||
| dmarc2 | DMARC-missing | No DMARC record found. Follow implementation guide. | - | - | - | - | A.2.3 Deploy Initial DMARC record | |
| dmarc3 | P-missing | DMARC record is missing p element. Follow implementation guide. | - | - | - | - | A.2.3 Deploy Initial DMARC record | |
| dmarc4 | P-none | DMARC policy is "none". Follow implementation guide. | + | + | - | - | A.3.5 Monitor DMARC Reports and Correct Misconfigurations | RFC 6.3. General Record Format, P |
| dmarc5 | P-quarantine | DMARC policy is "quarantine". Follow implementation guide. | - | - | + or dmarc6 | + or dmarc6 | A.4 Enforce | RFC 6.3. General Record Format, P |
| dmarc6 | P-reject | DMARC policy is "reject". Maintain deployment. | - | - | + or dmarc5 | + or dmarc5 | A.5 Maintain | RFC 6.3. General Record Format, P |
| dmarc7 | PCT-100 | Policy applies to all of mailflow | + | B.3.1 DMARC Records | RFC 6.3. General Record Format, PCT | |||
| dmarc8 | PCT-xx | Policy applies to percentage of mailflow | + | - | TBD | RFC 6.3. General Record Format, PCT | ||
| dmarc9 | PCT-invalid | Invalid percent | - | - | B.3.1 DMARC Records | RFC 6.3. General Record Format, PCT | ||
| dmarc10 | RUA-CCCS | CCCS added to Aggregate sender list | B.3.1 DMARC Records | |||||
| dmarc11 | RUF-CCCS | CCCS added to Forensic sender list | - | - | - | - | Missing from guide- need v1.1 | |
| dmarc12 | RUA-none | No RUAs defined | - | - | - | - | Owner has not configured Aggregate reporting. A.2.3 Deploy Initial DMARC record | RFC 6.3. General Record Format, RUA |
| dmarc13 | RUF-none | No RUFs defined | Owner has not configured Forensic reporting. Missing from guide- need v1.1 | RFC 6.3. General Record Format, RUF | ||||
| dmarc14 | TXT-DMARC-enabled | Verification TXT records for all 3rd party report destinations exist | TBD | |||||
| dmarc15 | TXT-DMARC-missing | Verification TXT records for some/all 3rd party report destinations missing | - | - | - | - | Contact 3rd party | RFC 7.1. Verifying External Destinations |
| dmarc16 | SP-missing | Follow implementation guide | A.2.3 Deploy Initial DMARC record | |||||
| dmarc17 | SP-none | Follow implementation guide | - | - | A.3.5 Monitor DMARC Reports and Correct Misconfigurations | RFC 6.3. General Record Format, SP | ||
| dmarc18 | SP-quarantine | Follow implementation guide | A.4 Enforce | RFC 6.3. General Record Format, SP | ||||
| dmarc19 | SP-reject | Maintain deployment | A.5 Maintain | RFC 6.3. General Record Format, SP | ||||
| dmarc20 | PCT-none-exists | PCT should be 100, or not included, if p=none | + | + | - | - | link | RFC 6.3. General Record Format, PCT |
| dmarc21 | PCT-0 | Policy applies to no part of mailflow - irregular config | - | - | - | - | B.3.1 DMARC Records | pct=0 will use the next lower level of enforcement and may result in irregular mail flow if parsed incorrectly (p=quarantine; pct=0 should be 'none' but mail agents may process messages based on Quarantine) |
| dmarc22 | CNAME-DMARC | Domain uses potentially-outsourced DMARC service | link | RFC 7.1. Verifying External Destinations | ||||
| dmarc23 | DMARC-valid | DMARC record is properly formed | + | + | + | + | Implementation Guide |
SPF
| tag_id | tag_name | guidance | Assess | Deploy | Enforce | Maintain | ref_links_guide | ref_links_technical |
|---|---|---|---|---|---|---|---|---|
| spf1 | SPF-GC | Government of Canada domains subject to TBS guidelines | Web Sites and Services Management Configuration Requirements | |||||
| spf2 | SPF-missing | Follow implementation guide | - | - | A.3.3 Deploy SPF for All Domains | |||
| spf3 | SPF-bad-path | SPF implemented in incorrect subdomain | - | - | B.1.1 SPF Records | |||
| spf4 | ALL-missing | Follow implementation guide | - | - | B.1.1 SPF Records | |||
| spf5 | ALL-allow | Follow implementation guide | - | - | - | - | B.1.1 SPF Records | |
| spf6 | ALL-neutral | Follow implementation guide | - | - | B.1.1 SPF Records | |||
| spf7 | ALL-softfail | Maintain deployment | + or spf8 | - | B.1.1 SPF Records | |||
| spf8 | ALL-hardfail | Maintain deployment | + or spf7 | + | B.1.1 SPF Records | |||
| spf9 | ALL-redirect | Uses redirect tag with All | - | - | - | - | link | RFC 6.1. redirect: Redirected Query |
| spf10 | A-without-host | Follow implementation guide | - | - | B.1.1 SPF Records | |||
| spf11 | INCLUDE-limit | More than 10 lookups - Follow implementation guide | - | - | - | - | B.1.3 DNS Lookup Limit | RFC 4.6.4. DNS Lookup Limits |
| spf12 | SPF-valid | SPF record is properly formed | + | + | + | Implementation Guide |
DKIM
| tag_id | tag_name | guidance | Assess | Deploy | Enforce | Maintain | ref_links_guide | ref_links_technical |
|---|---|---|---|---|---|---|---|---|
| dkim1 | DKIM-GC | Government of Canada domains subject to TBS guidelines | Web Sites and Services Management Configuration Requirements | |||||
| dkim2 | DKIM-missing | Follow implementation guide | - | - | A.3.4 Deploy DKIM for All Domains and Senders | |||
| dkim3 | DKIM-missing-mx-O365 | DKIM record missing but MX uses O365. Follow cloud-specific guidance | - | - | 3.2.2 Third Parties and DKIM | https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email?view=o365-worldwide | ||
| dkim4 | DKIM-missing-O365-misconfigured | DKIM CNAMEs do not exist, but MX points to *.onmicrosoft.com and SPF record includes O365. | - | - | 3.2.2 Third Parties and DKIM | https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email?view=o365-worldwide | ||
| dkim5 | P-sub1024 | Public key RSA and key length <1024 | - | - | - | - | B.2.2 Cryptographic Considerations | |
| dkim6 | P-1024 | Public key RSA and key length 1024 | + or dkim7 | + or dkim7 | B.2.2 Cryptographic Considerations | |||
| dkim7 | P-2048 | Public key RSA and key length 2048 | + or dkim6 | + or dkim6 | B.2.2 Cryptographic Considerations | |||
| dkim8 | P-4096 | Public key RSA and key length 4096 or higher | - | - | - | - | B.2.2 Cryptographic Considerations | |
| dkim9 | P-invalid | Invalid public key | - | - | - | - | B.2.1 DKIM Records | |
| dkim10 | P-update-recommended | Public key in use for longer than 1 year | - | - | A.5.3 Rotate DKIM Keys | |||
| dkim11 | DKIM-invalid-crypto | DKIM key does not use RSA | - | - | - | - | B.2.2 Cryptographic Considerations | |
| dkim12 | DKIM-value-invalid | DKIM TXT record invalid | - | - | - | - | B.2.1 DKIM Records | |
| dkim13 | T-enabled | Testing enabled | - | - | - | - | DKIM Flag t | As per RFC section 3.6.1, Testing flag t=y means Verifiers MUST treat messages as unsigned (i.e. DKIM is not enabled), so this flag should not be enabled. |
| dkim14 | P-duplicate | Public key used for multiple domains | - | - | A.3.4 Deploy DKIM for All Domains and Senders |
DMARC Aggregate
| tag_id | tag_name | guidance | ref_links_guide | ref_links_technical |
|---|---|---|---|---|
| agg1 | agg-spf-no-record | No SPF record for envelope-from domain | A.3.3 Deploy SPF for All Domains | RFC 7208 (SPF), 3 SPF Records |
| agg2 | agg-spf-invalid | SPF record is invalid | B.1 SPF | RFC 7208 (SPF), 3 SPF Records |
| agg3 | agg-spf-failed | IP address not authorized for envelope-from or header-from domain | B.1 SPF | RFC 7208 (SPF), 2.6 Reults of Evaluation |
| agg4 | agg-spf-mismatch | Header-from and envelope-from are different public domains | 2.4.1 DMARC Validation | RFC 7489 (DMARC), 3.1 Identifier Alignment |
| agg5 | agg-spf-strict | Header-from and envelope-from domains are not strictly aligned | 2.4.1 DMARC Validation | RFC 7489 (DMARC), 3.1 Identifier Alignment |
| agg6 | agg-dkim-unsigned | No DKIM signature was applied | A.3.4 Deploy DKIM for All Domains and Senders | RFC 6376 (DKIM) |
| agg7 | agg-dkim-invalid | DKIM record is invalid | B.2 DKIM | RFC 6376 (DKIM), 7.5 _domainkey DNS TXT Resource Record Tag Specifications |
| agg8 | agg-dkim-failed | DKIM signature verification failed | B.2 DKIM | RFC 6376 (DKIM), 6 Verifier Actions |
| agg9 | agg-dkim-mismatch | DKIM header and envelope-from are different public domains | 2.4.1 DMARC Validation | RFC 7489 (DMARC), 3.1 Identifier Alignment |
| agg10 | agg-dkim-strict | DKIM header and envelope-from are not strictly aligned | 2.4.1 DMARC Validation | RFC 7489 (DMARC), 3.1 Identifier Alignment |
TLS
| tag_id | tag_name | guidance | ref_links | ref_technical |
|---|---|---|---|---|
| ssl1 | TLS-GC | Government of Canada domains subject to TBS guidelines | Web Sites and Services Management Configuration Requirements | |
| ssl2 | TLS-certificate-missing | Follow implementation guide | 1.3 Websites and services hardening | See ITSP.40.062 for and approved cipher list |
| ssl3 | TLS-rc4 | Cipher list contains RC4 stream cipher | 1.6 Websites and services hardening | See ITSP.40.062 for approved an cipher list |
| ssl4 | TLS-3des | Cipher list contains 3DES symmetric-key block cipher | 1.6 Websites and services hardening | See ITSP.40.062 for an approved cipher list |
| ssl5 | TLS-acceptable-certificate | Certificate chain signed using SHA-256/SHA-384/AEAD | 1.3/1.4 Websites and services hardening | See ITSP.40.062 for certificate guidance |
| ssl6 | TLS-invalid-cipher | One or more ciphers in use are not compliant with guidelines | 1.4/1.5/1.6 Websites and services hardening | See ITSP.40.062 for an approved cipher list |
| ssl7 | Vulnerability-heartbleed | Vulnerable to Heartbleed bug | 1.4/1.5 Websites and services hardening | See ITSP.40.062 for an approved cipher list |
| ssl8 | Vulnerability-ccs-injection | Vulnerable to OpenSSL CCS Injection | 1.4/1.5 Websites and services hardening | See ITSP.40.062 for an approved cipher list |
| ssl9 | TLS-unreachable | If the domain is used for web hosting, it must be resolvable by DNS | 1.1 Websites and services hardening | |
| ssl10 | Certificate Expired | TLS certificate is expired | 1.3 Websites and services hardening | |
| ssl11 | Certificate Self-signed | TLS certificate is self-signed | 1.3 Websites and services hardening | |
| ssl12 | Certificate Revoked | TLS certificate has been revoked | 1.3 Websites and services hardening | |
| ssl13 | Certificate Revocation Unknown | Revocation status of TLS certificate could not be checked | 1.3 Websites and services hardening |
HTTPS
| tag_id | tag_name | guidance | ref_links |
|---|---|---|---|
| https1 | HTTPS-GC | Government of Canada domains subject to TBS guidelines | Web Sites and Services Management Configuration Requirements |
| https2 | HTTPS-missing | Follow implementation guide | 1.1 Websites and services hardening |
| https3 | HTTPS-downgraded | Canonical HTTPS endpoint internally redirects to HTTP. Follow guidance. | 1.1 Websites and services hardening |
| https4 | HTTPS-bad-chain | HTTPS certificate chain is invalid | 1.3 Websites and services hardening |
| https5 | HTTPS-bad-hostname | HTTPS endpoint failed hostname validation | 1.1 Websites and services hardening |
| https6 | HTTPS-not-enforced | Domain does not enforce HTTPS | 1.1 Websites and services hardening |
| https7 | HTTPS-weakly-enforced | Domain does not default to HTTPS | 1.1 Websites and services hardening |
| https8 | HTTPS-moderately-enforced | Domain defaults to HTTP, but eventually redirects to HTTPS | 1.1 Websites and services hardening |
| https9 | HSTS-missing | HTTP Strict Transport Security (HSTS) not implemented | 1.2 Websites and services hardening |
| https10 | HSTS-short-age | HTTP Strict Transport Security (HSTS) policy maximum age is shorter than one year | 1.2 Websites and services hardening |
| https11 | HSTS-preload-ready | Domain not pre-loaded by HSTS, but is pre-load ready | 1.2 Websites and services hardening |
| https12 | HSTS-not-preloaded | Domain not pre-loaded by HSTS | 1.2 Websites and services hardening |
| https13 | HTTPS-certificate-expired | HTTPS certificate is expired | 1.3 Websites and services hardening |
| https14 | HTTPS-certificate-self-signed | HTTPS certificate is self-signed | 1.3 Websites and services hardening |
| https15 | HTTPS-certificate-revoked | HTTPS certificate has been revoked | 1.3 Websites and services hardening |
| https16 | HTTPS-certificate-revocation-unknown | Revocation status of HTTPS certificate could not be checked | 1.3 Websites and services hardening |
| https17 | HTTPS-unreachable | If the domain is used for web hosting, it must be resolvable by DNS | 1.1 Websites and services hardening |
This project was built by the Treasury Board of Canada Secretariat in collaboration with the Canadian Centre for Cyber Security.