Overview
In line with the organisation's direction to be “Ready to operate and perform as a public company” and “Strengthening our Security posture and enhancement of security maturity”, it is important to strengthen our email brand posture. To align with this, one of InfoSec’s initiatives is to strengthen our email security posture by implementing DMARC* to prevent email spoofing, especially for our customers. For this exercise, we will focus on our main domain (traveloka[.]com).
* DMARC: Domain-based Message Authentication, Reporting and Conformance
Who is this announcement for?
This announcement is for all Engineers and Product Managers who maintain email operational activities that send email from the traveloka[.]com domain using services other than Google Workspace (Google Mail), for example Salesforce, Amazon, etc., to send outgoing emails to customers/vendors.
What do you need to do?
List all email senders of traveloka[.]com.
Ensure the list of email senders is complete so we can configure SPF and DKIM accordingly for DMARC.
Work with InfoSec and Cloud Infra to prepare the configuration change and assess any potential effect, along with a contingency plan.
We have already run the analyser to find authorised senders of traveloka[.]com email. If you know of other email senders that are not listed on the Confluence page [1], please update the page with the name of the email service and a PIC.
Why is this needed?
The above-mentioned records will prevent spoofing of the Traveloka domain and stop unauthorised malicious actors from trying to phish with or spoof the Traveloka domain.
Email from any unlisted/undocumented sender will be mistakenly identified as phishing by client email services and will be rejected or put into the spam folder.
Timeline
Announcement Date:
2 May | 9 May | 16 May | 23 May | 30 May
Important Dates:
10 May 2022 - Project progress sync with relevant stakeholders.
24 May 2022 - Start configuration.
Questions/Concerns?
Please contact the InfoSec team through #tvlk-infosec-support and through Jira Service Desk [2].
Appendix
[1] Traveloka SPF & DKIM Policy Enforcement | [Action-Required]-Other-Expected-Authorised-Senders - https://29022131.atlassian.net/wiki/spaces/ENG/pages/2451997350/Traveloka+SPF+DKIM+Policy+Enforcement
[2] https://29022131.atlassian.net/servicedesk/customer/portal/141
Zeeshan Ansari, on behalf of the Information Security Team