
CRYPTO AND PRIVACY VILLAGE - Green Locks for You and Me


Formal Metadata

Title: CRYPTO AND PRIVACY VILLAGE - Green Locks for You and Me
Author: Wendy Knox Everett
Number of Parts: 322
License: CC Attribution 3.0 Unported. You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Transcript: English(auto-generated)
Our next talk will be by the wonderful Wendy Knox Everett. She's going to be speaking to us about Green Locks for You and Me.

Well, hi everybody, can you hear me? Cool. So this is going to be a little bit different than some of the other Crypto Village talks. It's not about encryption theory or anything; this is going to be about using encryption for your own personal domains, if you have one.

So, pretty recently, Chrome made a change. They've been driving towards securing everything on the web with TLS, and they had been labeling secure sites with a little green lock, which is where the title of my talk came from, but they just recently made an update such that non-secure websites are now explicitly labeled as "Not secure". They have a really cool blog post about this, from, I guess at this point, three weeks ago, where they wrote about how this is part of their goal of securing everything with TLS. So TLS is really important because it basically makes sure that the integrity of the website is preserved. I'm not going to go too much into TLS; I'm assuming if you're in a nerdy talk about green locks, you know what TLS is. But we're going to sort of dive into using this for some of our own personal domains.

So this is my personal domain. I have had a website since, like, 1995. I've had my own domain since the early 2000s, and it was just running on a Linux box that I was paying space for, and I really didn't touch it. If you go look at it, assuming my DNS is not horked, it is a super, super simple plain HTML page, and I kept thinking, yeah, I should actually do something about it, because I'm such a big TLS advocate and my own personal website is not secure. And I kept thinking, well, it's kind of a pain in the neck if you have a two-page HTML website on a very crufty old Linux server that you're just renting from someone. How am I going to do this without basically spending hours on it? Because I don't have hours to spend. So I ended up getting a TLS certificate for my website, and we're going to run through that quickly, and then I'm going to spend the bulk of this time talking about email security, because that's the one that was actually a little bit more difficult to set up.

So Let's Encrypt is probably the most famous way to do this. I'm actually not going to talk about that method, because I host my website now on GitHub Pages, which is free, which is awesome. I don't pay anything to host my little tiny HTML pages. And when I set it up, they were not yet officially supporting Let's Encrypt, so I use Cloudflare. So my DNS is over there. There are lots of other hosting options out there; WordPress is another very common one. But I like GitHub Pages because I already had a GitHub account, and I like GitHub Desktop as a tool to push things up. This may be a little blurry here: this is showing the certificate that's on my domain, and it's a Cloudflare one.

So I'm going to go pretty quickly through how I set this domain up. GitHub does not have the best directions, unfortunately, which is part of what drove me to do this talk. This entire experience was a lot of trial and error, and I'm pretty nerdy, so I wanted to sort of document my path through as I did this, for people to go back and try again. And if you're at GitHub, I love your service; please make your documentation a little bit more user-friendly. So they have a blog post where they announce the Let's Encrypt stuff, and the directions at the bottom are what I followed. They're still pretty up to date.

So you start out by creating a repo, and you just name it whatever your username is. My GitHub username is wendyck. Then you check it out on your local machine. I'm a big fan of GitHub Desktop; I like command lines, but the desktop thing makes it very nice to see the graphical diffs and everything. And you move over your files. You can see I have two HTML files and a couple of images; I have the world's dumbest website. This is one of the first, not even tricky, but slightly arcane things you have to do: you create a text file called CNAME at the root of the repo, and you check that in. Then we go to Settings, scroll down, and add the custom domain.

You can see that GitHub thinks that my domain is not currently working. This is why I was joking about my DNS being horked. I grabbed this screenshot this morning, so I realized I'd forgotten this step. And of course it now thinks my site's not secure, even though it is, and the redirect is actually working. So DNS screws up everything, even when you're trying to give a talk on TLS. It is actually still working, so I'm not sure why GitHub thinks it's not.

One of the things that tripped me up a little bit, because I'm not really a DNS person, was that I didn't know what the term "apex domain" meant. It just means a top-level domain, like example.com. For me, it's wendyk.org. They were talking about apex domains, and I'm like, well, I don't know what that is, so I don't think that I have that, but I do. So that's just terminology that GitHub did not particularly define very well. I thought I had a subdomain, like www.wendyk.org, but I don't, because I own the domain. So they basically tell you to point to this. Here are my DNS settings; I am copying their directions and putting them in, and boom, I have a secure website. It's pretty cool, although it took, like, 48 hours to propagate out. But that is essentially how you use GitHub Pages with Cloudflare. The Let's Encrypt setup is almost identical: you're just creating that CNAME, and you're telling it in the settings that this is going to be a secure one.

So, email spam is a big problem. I used to work in email marketing way back in the day, and kind of knew what SPF was, and so forth. And I've had my domain on Google Apps since it came out, and so I was kind of lazy about this whole thing. I'm like, surely Google is taking care of this for me; I pay them $5 a month, I just use Gmail for my domain, I've not configured a damn thing, I'm sure they're on top of this. And then I kind of started thinking, wait, no, to use SPF you have to set domain records, and I don't think Google can go set my domain records. And I was like, maybe I should look into this, because maybe my email is not half as secure as I think it is. Or, my email is secure, but my domain could be used to spoof, and because I have a very old .org domain, it's actually somewhat valuable for spam. So I was like, I should probably take care of this, and then fell down the email security rabbit hole. It took me about three weeks to get this all to work, and so that frustration kind of drove wanting to do this talk, to just lay out my path through setting this up, and sort of raise awareness for people to realize that you do have to go through some of this.

So we're going to do a nice jump into three technologies, SPF, DKIM, and DMARC, and they all work together to keep people from spoofing your domain when they send spam.

So SPF is pretty old. When I worked on email marketing, from like 2002 to 2006, SPF came out, I want to say maybe in the middle of that; it was definitely around then. This is not a new technology. It essentially allows you to publish a DNS record that says, for this particular domain, like for wendyk.org, only a handful of IP addresses can send email; if you're getting email that is from any other IP address and purports to be from this domain, you should flag it as spam. And also, I'm going to publish these slides to my Twitter account right afterwards, so don't worry too much about capturing the URLs; I've got a whole end slide of URLs for all of you too. But the problem with this is that it requires every single person who receives email to go do that lookup, and people are lazy. It also can be kind of brittle, depending on your setup: if the IP address that is sending email changes, it can be a problem. People who send email from multiple places, like if you have your company's email and then your company's also sending marketing email under that, maybe through a mail service or so forth, you have to remember to keep these all up to date.

DKIM is the second part of this. It's kind of cool: we can cryptographically sign our emails without doing a darn bit of work besides entering a DNS key. Gmail works very well with this, so if you're just using Google Apps on your domain, they'll help you generate the key, which we're about to walk through, and you publish it. And these are going to work with DMARC to basically help you prevent people from spoofing. Because it's a little tricky, it's not actually super widely adopted yet; this is still somewhat niche. The big providers like Gmail and so forth are using it, but Joe Q. Mail Server may not yet support DKIM. These are the headers from an email I sent myself the other day, and I just pulled out the DKIM pieces of it. We can see I've got DKIM-Signature and X-Google-DKIM-Signature, showing that the email was cryptographically signed.

And finally, DMARC, you can think of as sort of "block and report". It allows you to publish a policy and to basically see what's happening with your email. You can't use DMARC until you have DKIM and SPF set up, which I didn't realize when I started this. I jumped into DMARC and I was like, okay, I don't understand what's going on here, what's happening, and had to kind of back up and do the SPF and DKIM first.

So this is kind of an overview of how DMARC works. Essentially, the receiver is doing a lot of the work here. They get the email, they're going to go check the DKIM public key and make sure that this is working, they're going to verify that the SPF is set correctly, making sure that the IP address that they got the email from is allowed to send email for that domain, and then they're going to apply a DMARC policy, which is what we're going to walk through. And then they generate reports for you. You have very nice, pretty little graphs; I've got lots of nice red and green pictures of blocked spam coming up. If you're on G Suite, which is the Google Apps for your domain thing, they have actually fairly good support. It was way better than GitHub's. And there's also this DMARC Analyzer thing, a blog post, that's also fairly decent and will walk you through how to do this.

So this is a little bit of jumping back. I mentioned I use Cloudflare for my DNS, so this is just showing that at the place where I registered my domain, I am pointing to Cloudflare DNS servers, and I'm going to do all my DNS settings through Cloudflare. I'm just on a Cloudflare free plan; I'm not paying them anything. And there are three different DNS records that we're going to go set up.

So first, we want to generate the DKIM public keys. This is basic public key cryptography: they're going to keep the private key, I'm going to publish the public key out in my DNS records, and anybody who gets email from me can go check it. And in G Suite, you basically have to sort of hop down through a couple of settings to get it. You would probably want to check the G Suite help pages before you do this, because they do like to basically rebuild their dashboard, and this could move. As of the other day, it was still at this location. And this is what it looks like. It's going to generate a TXT record value for you, and TXT is a type of DNS record that just allows you to publish a block of text. The name of it, as we saw, is google._domainkey, and the value starts with v=DKIM1, then k=rsa, telling it that it's an RSA key, and p= that whole big long string. So I go to the Cloudflare DNS entry; up at the top, there's a way to add a new record. I tell it I want a TXT, for name I put in google._domainkey, for value I paste in that whole big value, and voilà, I have the first of my required DNS settings up here.

So I'm not going to dive too deeply into all of the DKIM tags. The only required one here is p=, which is your public key; if you don't have that in your DKIM TXT record, you do not have a valid one. All these other ones are optional. The only ones that I'm using, I believe, are k=rsa, and I think we have v=, so those sort of help it figure out what type of key your public key is.

So next we're going to do the SPF settings. Again, Google has pretty decent help for this; it will tell you exactly the string that you need to copy and paste into your DNS setting. You just follow their directions, copy it, paste it in, and now we have two DNS settings published.

And so now we're ready to set up some DMARC domain keys; this is the fun stuff. I use DMARCian. If you have a personal domain and you don't have a lot of email volume, this is great because it's free. You're going to see later my super low email volume; I just don't send very much. If you're a company, it's also really cool; I know some folks who have enterprise accounts and are very happy with it. You do have to pay for those, but you have to be sending a significant volume of email before you're paying for it, so if it's just your personal domain, you're probably going to be fine on the free one. They make you sign up first for a trial, and then they'll tell you if you can remain free after two weeks; you're probably going to remain free.

So they have a whole section that walks you through how to add DMARC. These are all the DMARC options here. The pct is going to be the percent of messages that we're going to be doing this filtering on. Some people like to start out with just subjecting 10% of their sent email to it. I send so little email that I just immediately set it to 100%. The ruf and rua are used for reporting. We're going to see some reporting options that I get from DMARCian, so I can see very nice graphs of blocked email and so forth. And if you're using DMARCian, they will tell you what email value to put in. The p is a policy. You can be doing quarantining or blocking, or, and I'm spacing on the name of the "don't do anything, just let me see what's being sent" option. So there are three options there.

This is my DMARC TXT record. I went to Cloudflare and I put it in. DMARCian has fairly good directions. p=none is the "don't do anything, I just want to see what's out there" option. It's a good one to start with. Once you have your reporting working, and DMARCian has a little issue tracker and it tells you, hey, things are great, it's not flagging any issues (which for me, it was flagging that I didn't have SPF set up at first), then you can move to quarantine, which means flag these things as spam, and then once you have that, you can move to reject, which means don't allow this mail to get sent.

Reporting is really fun. The rua= option is where you set it. You don't have to use DMARCian; you don't have to use their stuff for it. You can put your own email address in here and do your own filtering and so forth, but I'm lazy and don't want to write my own tools, so I'm using the free tools. They have a really nice thing called the DMARC Record Wizard. My DMARC setting came out of this tool. It walks you through; it basically prompts you: what do you want to do, do you want to be blocking, what percent of email, do you want to use our tools, or do you want to use another one? And, as I've been mentioning, they have really nice reporting.

So as I mentioned, you could use your own email in that rua tag. Some people, like bigger enterprises, are doing that. Otherwise, if you have the DMARCian email in there, it goes there, and it will show where email from your domain is sent from. I've had some friends who have set this up and been like, whoa, where is that email coming from? Like, that's within our IP space and we didn't realize that was sending email. So that can be kind of enlightening. The "threat/unknown" emails that it flags are basically things that are not within your SPF and they're not following your DKIM settings.

So when you log in, you get this very nice domain overview. I only have one domain, wendyk.org. You can see right now the SPF and DKIM states are all set up, because I published those keys and they've propagated out. This is going into essentially a summary view that they have. You can export as CSVs or so forth. This is an older screenshot; I had one day when 36 spam mails were sent from my domain and we blocked them. It varies immensely. I've seen up to 200, and then long periods of time with nothing. The long periods of time with nothing are a little bit more common now, because I've had this set up for a little while, and I think that people are starting to decide my domain is not worth spoofing anymore. But it's really fun when you are getting spammed to go in and see, whoa, who's trying to spoof me? This is really cool. You can sort of dive into the IP address space, look it up, see what country it is. It's very interesting. I lost a lot of time just poking at it, because it was fascinating to me.

The detailed viewer: this is from that day with a ton of spam, and you can see also that I'm a very light email user. I sent, like, four emails on those days. This is well within the range of DMARCian's free plan. I could probably quadruple or more my email sending volume and be quite fine on the free plan. This is what it looks like now. I've sent two emails over the last week, everything's green, nobody's trying to spoof me, life is great.

DMARCian's Issues tab under Monitor is super helpful. I took screenshots while I was trying to set this up and I lost them on my laptop, so I don't have anything to show you, but it would be a little "your SPF is screwed up, go fix it" message, which I found incredibly helpful. So if for no other reason than that, I recommend you use DMARCian if you're setting this up.

So finally I just want to touch on a couple of other things. I am the world's biggest advocate of outsourcing your email. I did email; it's ridiculously complicated. I remember getting pages at 4 AM when things went wrong, so I do not want to do this anymore. But I have some friends who, for whatever reason, like to run email servers in their basement. So if you're that type of crazy, there are two things I wanted to flag for you. MTA-STS, MTA Strict Transport Security, basically allows domains to require TLS encryption. It's an interesting setting. STARTTLS also allows your mail server to protect against downgrades. They're building a list of basically servers that are going to do this, and it is basically going to be like what happens with the web with TLS: you can say, no, I only support TLS, please do not downgrade me.

And so finally, I have some slides, or some URLs, for you here. Aaron pointed out that the FTC has a really helpful report on why you would want to use these email encryption settings. If I haven't convinced you: blocking spammers is fabulous. You can go read about it at the FTC. These "how to explain SPF, DKIM and DMARC" ones are really helpful, because I had to go very fast over them. And so, cool, that's the end of my talk. Thank you for coming.
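The three DNS records the talk walks through (the google._domainkey DKIM key, the SPF string, and the DMARC policy) and the receiver-side check it describes, as an added worked example written for this page in Python. It is not the speaker's code and not DMARCian's or Google's tooling. It parses a DKIM key record, an SPF record and a DMARC record; applies the sanity checks the talk mentions (p= is the only mandatory DKIM tag, v=DMARC1 must come first, p= must be none, quarantine or reject, pct= is a percentage) plus the RFC 7208 limit of ten lookup-causing SPF terms that a practitioner would also want; and then computes the disposition a receiving server applies from the SPF and DKIM results, identifier alignment, and pct= sampling (RFC 7489 section 6.6.4). All record values are constructed placeholders, the p= key material is fake, and the organizational-domain helper is a deliberate simplification (last two labels) where real receivers consult the Public Suffix List.

```python
"""Parse and sanity-check DKIM, SPF and DMARC TXT records, then apply a
DMARC disposition the way a receiving mail server would.
Sample records below are constructed placeholders, not real DNS data."""
import re

# Constructed samples; the DKIM p= value is a placeholder, not a real public key.
SAMPLE_DKIM = "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAplaceholderKey"
SAMPLE_SPF = "v=spf1 include:_spf.google.com ~all"
SAMPLE_DMARC = ("v=DMARC1; p=quarantine; pct=100; "
                "rua=mailto:dmarc-rua@example.com; ruf=mailto:dmarc-ruf@example.com")


def parse_tags(txt):
    """Split a 'tag=value; tag=value' record (DKIM, DMARC) into a dict of lower-cased tags."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def validate_dkim(txt):
    """p= is the only mandatory DKIM tag; an empty p= means the key was revoked."""
    tags = parse_tags(txt)
    if "v" in tags and tags["v"] != "DKIM1":
        raise ValueError("v= must be DKIM1 when present")
    if "p" not in tags:
        raise ValueError("no p= tag: not a valid DKIM key record")
    if not tags["p"]:
        raise ValueError("empty p= means the key is revoked")
    tags.setdefault("k", "rsa")  # k= defaults to rsa when absent
    if tags["k"].lower() not in ("rsa", "ed25519"):
        raise ValueError(f"unknown key type {tags['k']!r}")
    return tags


SPF_TERM = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:[:=/](.*))?$", re.I)
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(txt):
    """Return [(qualifier, mechanism, argument)] for a v=spf1 record."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("SPF record must start with v=spf1")
    parsed = []
    for term in terms[1:]:
        m = SPF_TERM.match(term)
        if not m:
            raise ValueError(f"bad SPF term {term!r}")
        qualifier, name, arg = m.groups()
        parsed.append((qualifier or "+", name.lower(), arg or ""))
    return parsed


def spf_dns_lookups(parsed):
    """RFC 7208 caps lookup-causing terms at 10; more than that yields permerror at receivers."""
    return sum(1 for _, name, _ in parsed if name in SPF_LOOKUP_TERMS)


def validate_dmarc(txt):
    """v=DMARC1 must be first; p= must be a known policy; pct 0..100; reports go to mailto: URIs."""
    if txt.split(";", 1)[0].strip() != "v=DMARC1":
        raise ValueError("DMARC record must begin with v=DMARC1")
    tags = parse_tags(txt)
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        raise ValueError("p= must be none, quarantine or reject")
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError("pct= must be 0..100")
    reports = {}
    for key in ("rua", "ruf"):
        uris = [u.strip() for u in tags.get(key, "").split(",") if u.strip()]
        if any(not u.lower().startswith("mailto:") for u in uris):
            raise ValueError(f"{key}= must be mailto: URIs")
        reports[key] = uris
    return {"policy": policy, "pct": pct, "adkim": tags.get("adkim", "r"),
            "aspf": tags.get("aspf", "r"), **reports}


def org_domain(domain):
    # Simplification: last two labels. Real receivers use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Relaxed ('r') alignment compares organizational domains; strict ('s') needs an exact match."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(dmarc, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain, sample=0):
    """Receiver-side decision: 'pass' if either aligned check passed, otherwise the policy,
    weakened one step for messages outside the pct= sample (RFC 7489 section 6.6.4)."""
    if (spf_pass and aligned(from_domain, spf_domain, dmarc["aspf"])) or \
       (dkim_pass and aligned(from_domain, dkim_domain, dmarc["adkim"])):
        return "pass"
    policy = dmarc["policy"]
    if sample >= dmarc["pct"]:  # sample is a 0..99 percentile drawn per message
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return policy


if __name__ == "__main__":
    print(validate_dkim(SAMPLE_DKIM)["k"], spf_dns_lookups(parse_spf(SAMPLE_SPF)))
    policy = validate_dmarc(SAMPLE_DMARC)
    # A spoof from an unlisted IP with no DKIM signature gets the quarantine policy.
    print(dmarc_disposition(policy, "example.com", False, "", False, ""))
```

Run it as a script to see the sample records validated and a spoofed message quarantined, or feed it the TXT strings your DNS provider shows (a DKIM record missing p= raises immediately, which is the mistake the talk warns about). The SPF lookup counter is the check worth running whenever an include: chain grows, since exceeding ten lookups silently turns SPF into a permanent error at receivers.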