Ricardo van der Linden | Security Analyst

Welcome to my blog! I started blogging as a way to give back to the community by sharing knowledge. In the IT world, we’ve all faced countless uncertainties, and we grow by helping one another through shared experiences and insights. My focus is largely on email security, as it continues to be one of the main attack vectors for malicious actors.

Implementing a signed security.txt file with PGP for your website

A security.txt file is an industry standard used by organizations to provide a clear point of contact for vulnerability reporting. Adding a signed security.txt file to your website enhances credibility and ensures trust, as the signature allows others to verify its authenticity. This blog will walk you through implementing a signed security.txt file using PGP (Pretty Good Privacy). Introduction The security.txt file is typically hosted at /.well-known/security.txt on a website. It follows a standardized format to share security contact information, preferred encryption keys, and disclosure policies. However, without proper authentication, anyone could tamper with the file. A signed security.txt solves this issue by letting others verify the file’s legitimacy using your PGP key. Here’s how to create, sign, and verify a security.txt file for your website. ...

November 25, 2024 · 3 min

Enhance the visual identity of your email with BIMI

In this post, you will learn what BIMI is, how it works, and the benefits it brings to your domain, including increased trust and brand visibility. In today’s digital age, making a memorable first impression is crucial. With the increasing volume of emails, standing out in the inbox can be challenging. That’s where BIMI (Brand Indicators for Message Identification) comes in, transforming how brands interact with recipients through email. Why BIMI matters BIMI allows your brand’s logo to appear alongside your emails, providing visual trust cues to recipients. This simple addition can significantly enhance brand recognition and trust, making your communications more engaging and trustworthy. ...

October 19, 2024 · 3 min

MTA-STS Explained: A Comprehensive guide to the MTA-STS Policy

This blog post explains how an MTA-STS policy works and how to implement it on GitHub Pages. MTA-STS (Mail Transfer Agent Strict Transport Security) is a security protocol designed to improve the security of email communication by enforcing the use of TLS (Transport Layer Security) to encrypt email traffic between mail servers. It helps prevent man-in-the-middle attacks and downgrade attacks, where an attacker could intercept or tamper with email messages in transit. ...

August 23, 2024 · 6 min

Exchange Online: Configure inbound SMTP DANE with DNSSEC

In this post, you will learn how to enable and use SMTP DANE with DNSSEC in Exchange Online. While outbound SMTP DANE with DNSSEC in Exchange Online has been enabled since 2022, Microsoft is currently rolling out inbound SMTP DANE with DNSSEC in Exchange Online. In an earlier blog post, I explained how SMTP DANE with DNSSEC works together on a mail and web server. A short recap: Outbound SMTP DANE with DNSSEC sending mail server: Requests DANE TLSA records of the receiving domain’s MX record. Inbound SMTP DANE with DNSSEC receiving mail server: Requires DNSSEC and DANE TLSA records that can be requested by the sending mail server. Inbound SMTP DANE with DNSSEC benefits Authentication of TLS Certificates: SMTP DANE ensures that the TLS certificates used in email exchanges are authenticated. Reduction in Delivery Failures: By using DANE, the sending mail server can verify that the recipient’s server supports and prefers secure TLS connections. Enhance Email Reputation: Demonstrate that you comply with the latest security standards. Integrity and Authenticity of DNS Records: DNSSEC adds a layer of security to the DNS system by digitally signing DNS records. Prerequisites Before you enable inbound SMTP DANE with DNSSEC in Exchange Online for a domain, you must have added the domain as an Accepted domain and the domain status must be Healthy in the Microsoft 365 Admin Center. The current domain’s MX record must have a priority of 0 or 10 and must not have a fallback or secondary MX record. ...

July 28, 2024 · 5 min

Microsoft Defender for Office 365: Safe Attachments policies

Safe Attachments scans and evaluates attachments for malicious content before delivering messages to recipients. What you can manage with a Safe Attachments policy With a Safe Attachments policy, administrators can configure an additional layer of protection against malicious content in email attachments. It scans and evaluates attachments (Safe Attachments opens files in a virtual environment) before delivering messages to recipients. You can create a custom policy to, specify actions for unknown malware, select a quarantine policy, and configure global settings to protect files in SharePoint, OneDrive, and Teams with Safe Attachments. ...

July 12, 2024 · 2 min

Understanding the Role and Benefits of ARC Sealing

This blog post explains the role and benefits of ARC sealing. ARC (Authenticated Received Chain) is an email authentication protocol that preserves the authentication results of an email as it travels through multiple intermediaries, such as forwarding services. Using ARC helps organizations handle the complexities of email authentication, especially when emails are forwarded. ARC involves multiple servers working together based on mutual trust. ARC ensures that legitimate emails are less likely to be marked as spam or rejected, while fraudulent emails are more easily identified and filtered out. In this blog post, we will explore the basics of ARC, how it works, and the benefits it provides. ...

May 24, 2024 · 4 min

Microsoft Defender for Office 365: Hardening DKIM and DMARC configuration

Improve email security in Microsoft 365: Fine-tuning DKIM and setup DMARC for the MOERA domain. Fine-tune DKIM by frequently rotating the DKIM keys After setting up DKIM in Microsoft Defender for Office 365, it is also important to set up frequent rotation of these DKIM keys to prevent adversaries from intercepting and decrypting your cryptographic keys. Key rotation helps to minimize the risk of compromising the private keys. In Microsoft 365, you can rotate the DKIM keys for your domains to increase security. The recurrence must be every 3 months because rotating the DKIM keys every 3 months ensures a complete rotation of both selectors every 6 months. You can rotate the DKIM keys manually using the Defender portal or Exchange Online PowerShell, but it is easy to forget if you do it manually. So you should delegate this to Azure Automation by using the runbook below: ...

April 21, 2024 · 3 min

Understanding S/MIME: Enhancing Email Security

Unlocking the Power of S/MIME: This article will help you understand S/MIME and how to request, configure, and use S/MIME on your devices. What is S/MIME? In today’s digital landscape, the security of sensitive information transmitted via email is critical. One method of safeguarding email communications is through the use of S/MIME (Secure/Multipurpose Internet Mail Extensions). S/MIME is a widely adopted protocol that provides end-to-end encryption and digital signatures, ensuring the confidentiality, integrity, and authenticity of email messages. ...

April 6, 2024 · 5 min

Microsoft Defender for Office 365: Attack simulation training

With Microsoft Defender for Office 365, you can create an attack simulation training to identify vulnerable users and mitigate potential threats before they impact your organization. Think before you click Understanding the intricacies of cybersecurity is crucial in today’s digital landscape. Attack simulation training is indispensable for users as it provides hands-on experience in recognizing and defending against potential threats. This proactive approach empowers individuals to enhance their security awareness, identify vulnerabilities, and contribute to a more resilient organizational defense against cyber attacks. ...

February 3, 2024 · 8 min

DNSSEC and DANE explained

In this post, you find out how DNSSEC and DANE cooperate, and learn how to set up DANE TLSA DNS records. DNSSEC (Domain Name System Security Extensions) The domain name system (DNS) is the phone book of the Internet: it tells computers where to send and retrieve information. Unfortunately, it also accepts any address given to it, no questions asked. DNSSEC adds a security layer to this phonebook. It uses digital signatures to make sure the information in the phonebook can be trusted and hasn’t been tampered with. It’s like putting a lock on the phonebook to prevent DNS spoofing. ...

January 13, 2024 · 3 min