
PowerShell Script for SPF, DKIM and DMARC validation

To protect your email domain against cybercriminals, it is important to configure SPF, DKIM and DMARC records for the domain. As an IT Security Engineer, I also configure SPF, DKIM and DMARC records for our clients when it is needed. Some companies have hundreds of domain names, and in order to check all of them at once for proper SPF, DKIM and DMARC records, I have written a PowerShell script for that.

Brief explanation

SPF (Sender Policy Framework)

The SPF record is published as a TXT entry in the public DNS of the domain. SPF is an authentication protocol: the record lists the IP addresses and hostnames of the mail servers that are allowed to send email on behalf of the domain, so that a receiving server can check whether the connecting server is authorized, and the domain is protected against improper use such as spoofing.

DKIM (DomainKeys Identified Mail)

The sending server signs each outgoing message with its private key and places the signature in a DKIM-Signature header. The receiving server looks up the matching public key in the public DNS of the signing domain (a TXT record at <selector>._domainkey.<domain>; the selector is named in the signature header) and verifies the signature. A valid signature proves that the message was signed by the holder of that domain's key and was not modified in transit.

DMARC (Domain-based Message Authentication, Reporting and Conformance)

The DMARC protocol is a policy protocol (sometimes it is also called a verification protocol). In my humble opinion, this protocol is the most important link in the chain to prevent abuse of an email domain. DMARC works closely with SPF and DKIM, it is very important to configure SPF and DKIM first.

A DMARC record is published in the public DNS of the email domain. It defines how strictly the SPF and DKIM results are enforced: a message passes DMARC only if SPF or DKIM passes and the domain that produced the pass aligns with the domain in the From: header. When neither aligns, the p= tag tells the receiving server what to do with the message (none: deliver and only report, quarantine: deliver to spam, reject: block), and the rua= and ruf= tags say to which email address reports about attempted abuse of your domain should be sent (rua= for aggregate reports, ruf= for per-message failure reports). A spoofed message usually produces an SPF fail or a non-aligned sender, so with p=reject the receiving server blocks it and reports it to the addresses in the DMARC record.

For more information about DMARC, I refer to https://dmarcian.com/why-dmarc/.
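
The following function is an added example and not part of the DomainHealthChecker module: it parses a DMARC record into its tags, applies the defaults from RFC 7489 for absent tags, and spells out what the policy will actually do, including the rua=/ruf= distinction described above. The three sample records at the bottom are constructed for this example (the first one is the binsec.nl record shown further down this page).

```powershell
# Added example, not part of the DomainHealthChecker module: parse a DMARC TXT
# record into its tags and spell out what the policy will actually do.
# Tag names and defaults are those of RFC 7489; the sample records at the
# bottom are constructed for this example.

function ConvertFrom-DmarcRecord {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Record)

    # tag=value pairs separated by ';', whitespace around names and values is ignored
    $tags = @{}
    foreach ($pair in $Record -split ';') {
        if ($pair -notmatch '=') { continue }
        $name, $value = $pair -split '=', 2
        $tags[$name.Trim().ToLower()] = $value.Trim()
    }

    # v=DMARC1 must be the first tag and p= is mandatory
    if ($Record.Trim() -notmatch '^v=DMARC1\s*(;|$)') { throw "Not a DMARC record: '$Record'" }
    if (-not $tags.ContainsKey('p')) { throw "Invalid DMARC record, p= tag is missing: '$Record'" }

    # defaults that apply when a tag is absent
    $policy    = $tags['p'].ToLower()
    $subPolicy = if ($tags.ContainsKey('sp'))    { $tags['sp'].ToLower() } else { $policy }
    $pct       = if ($tags.ContainsKey('pct'))   { [int]$tags['pct'] }     else { 100 }
    $adkim     = if ($tags.ContainsKey('adkim')) { $tags['adkim'] }        else { 'r' }
    $aspf      = if ($tags.ContainsKey('aspf'))  { $tags['aspf'] }         else { 'r' }

    # rua = where aggregate (XML) reports go, ruf = where per-message failure reports go
    $rua = if ($tags['rua']) { @($tags['rua'] -split ',' | ForEach-Object { $_.Trim() }) } else { @() }
    $ruf = if ($tags['ruf']) { @($tags['ruf'] -split ',' | ForEach-Object { $_.Trim() }) } else { @() }

    $findings = [System.Collections.Generic.List[string]]::new()
    switch ($policy) {
        'none'       { $findings.Add('p=none: failures are only reported, spoofed mail is still delivered') }
        'quarantine' { $findings.Add('p=quarantine: mail failing DMARC goes to the junk folder') }
        'reject'     { $findings.Add('p=reject: mail failing DMARC is refused') }
        default      { $findings.Add("p=$policy is not a valid policy (none, quarantine or reject)") }
    }
    if ($pct -lt 100 -and $policy -ne 'none') {
        $findings.Add("pct=$pct : only $pct% of failing mail gets '$policy', the rest gets the next weaker policy")
    }
    if ($subPolicy -ne $policy) {
        $findings.Add("sp=$subPolicy : subdomains are handled differently from the organizational domain")
    }
    if ($rua.Count -eq 0) {
        $findings.Add('no rua= address: you get no aggregate reports, so you cannot see who sends as your domain')
    }

    [pscustomobject]@{
        Policy           = $policy
        SubdomainPolicy  = $subPolicy
        Percent          = $pct
        DkimAlignment    = if ($adkim -eq 's') { 'strict' } else { 'relaxed' }
        SpfAlignment     = if ($aspf  -eq 's') { 'strict' } else { 'relaxed' }
        AggregateReports = $rua
        FailureReports   = $ruf
        Findings         = $findings.ToArray()
    }
}

# constructed sample records
$samples = @(
    'v=DMARC1; p=reject; pct=100'
    'v=DMARC1; p=none; rua=mailto:dmarc@example.com'
    'v=DMARC1; p=quarantine; pct=25; sp=none; adkim=s; rua=mailto:agg@example.com; ruf=mailto:forensic@example.com'
)
foreach ($sample in $samples) {
    "`n$sample"
    ConvertFrom-DmarcRecord -Record $sample | Format-List Policy, Percent, DkimAlignment, AggregateReports, Findings
}
```

Note that a record like the first sample, p=reject without rua=, does enforce the policy but leaves you blind: without an aggregate report address you never learn which sources are failing, which is exactly what you need to know before tightening SPF or adding DKIM selectors.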

DomainHealthChecker

Let’s jump into the main topic of this article! I have written a PowerShell Module which can check the SPF record, DKIM record and DMARC record of a specific domain, or for multiple domains. This PowerShell Module is split into multiple functions and everything comes together in the Invoke-SpfDkimDmarc function.

You can install this module directly from the PowerShellGallery.

C:\> Install-Module DomainHealthChecker

Invoke-SpfDkimDmarc

This is the main function of the module. It calls Get-SPFRecord, Get-DKIMRecord and Get-DMARCRecord, so all three protocols are checked for the specified domain(s). You can, for example, pipe its output to Export-CSV to organize the results and analyze them in a convenient way.

PS C:\> Invoke-SpfDkimDmarc -Name binsec.nl

Name          : binsec.nl
SPFRecord     : v=spf1 include:_spf.transip.email -all
SpfAdvisory   : An SPF-record is configured and the policy is sufficiently strict.
DmarcRecord   : v=DMARC1; p=reject; pct=100
DmarcAdvisory : Domain has a DMARC record and your DMARC policy will prevent abuse of your domain by phishers and spammers.
DkimSelector  : selector1
DkimRecord    :
DkimAdvisory  : We couldn't find a DKIM record associated with your domain.

This function supports the following parameters:

  • -Name This parameter is mandatory for checking the SPF, DKIM and DMARC record for a single domain.
  • -DkimSelector This parameter is not mandatory and is used to retrieve the DKIM record with the corresponding selector.
  • -Server This parameter is not mandatory and can be used in a split DNS environment. The specified DNS Server will be queried.
  • -Path This parameter is not mandatory and can be used to retrieve a list of domains from the specified file.
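
As an added example (not code from the module itself), the script below runs Invoke-SpfDkimDmarc over a list of domains with -Path, turns the raw records into a short triage list, and writes the result to CSV. It assumes the module is installed and that the output objects carry the properties shown above (Name, SPFRecord, DmarcRecord, DkimSelector, DkimRecord); the domain list is a constructed sample and the run needs DNS access.

```powershell
# Added example, not part of the module: check a whole list of domains with
# Invoke-SpfDkimDmarc -Path, flag the weak ones and write the result to CSV.
# Assumes DomainHealthChecker is installed (Install-Module DomainHealthChecker)
# and that its output has the properties shown above (Name, SPFRecord,
# DmarcRecord, DkimSelector, DkimRecord). The domain list is a constructed sample.

$domainFile = Join-Path $env:TEMP 'domains.txt'
@('binsec.nl', 'example.com', 'example.org') | Set-Content -Path $domainFile

$results = Invoke-SpfDkimDmarc -Path $domainFile

$triage = foreach ($r in $results) {
    $issues = [System.Collections.Generic.List[string]]::new()

    # SPF: the 'all' qualifier decides what happens to unlisted senders
    if (-not $r.SPFRecord)                        { $issues.Add('no SPF record') }
    elseif ($r.SPFRecord -match '\s\+all\b')      { $issues.Add('SPF ends in +all: every host may send') }
    elseif ($r.SPFRecord -match '\s\?all\b')      { $issues.Add('SPF ends in ?all: neutral, no protection') }
    elseif ($r.SPFRecord -notmatch '\s[-~]all\b') { $issues.Add('SPF has no all mechanism') }

    # DMARC: p=none only monitors, and without rua= you never see the reports
    if (-not $r.DmarcRecord)                              { $issues.Add('no DMARC record') }
    elseif ($r.DmarcRecord -match '(^|;)\s*p\s*=\s*none') { $issues.Add('DMARC p=none: monitoring only') }
    if ($r.DmarcRecord -and $r.DmarcRecord -notmatch 'rua\s*=') { $issues.Add('DMARC without rua=: no aggregate reports') }

    # DKIM: a miss on the default selector list does not prove DKIM is absent
    if (-not $r.DkimRecord) {
        $issues.Add("no DKIM record for selector '$($r.DkimSelector)', retry with -DkimSelector <your provider's selector>")
    }

    $text     = $issues -join '; '
    $severity = if ($issues.Count -eq 0) { 'OK' } elseif ($text -match 'no SPF|no DMARC|\+all') { 'High' } else { 'Medium' }

    [pscustomobject]@{
        Domain   = $r.Name
        Severity = $severity
        Issues   = $text
        SPF      = $r.SPFRecord
        DMARC    = $r.DmarcRecord
    }
}

$triage | Sort-Object Severity | Format-Table Domain, Severity, Issues -Wrap
$triage | Export-Csv -Path (Join-Path $env:TEMP 'domain-health.csv') -NoTypeInformation
```

The severity rules are deliberately simple: a missing record or +all is something an attacker can exploit today, while p=none or a missing rua= is a gap in monitoring rather than in enforcement. Adjust the patterns to your own policy before using the CSV as a report.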

Get-SPFRecord

After importing the module, the Get-SPFRecord function also becomes available and can be used as a standalone cmdlet. It queries the SPF record associated with the specified domain and also checks whether one or multiple SPF records are present. According to RFC 7208 (section 3.2) a domain must publish at most one SPF record; receivers treat multiple records as a permanent error, which in practice means the domain has no working SPF at all. Currently this function does not count how many DNS lookups an SPF record requires (RFC 7208 section 4.6.4 limits this to 10, counting include, a, mx, ptr, exists and redirect terms, and a record over the limit also results in a permanent error). This feature will be added in the near future (see also issue #16 on GitHub).

PS C:\> Get-SPFRecord -Name binsec.nl

Name      SPFRecord                              SPFAdvisory
----      ---------                              -----------
binsec.nl v=spf1 include:_spf.transip.email -all An SPF-record is configured and the policy is sufficiently strict.

This function supports the following parameters:

  • -Name This parameter is mandatory for checking the SPF record for a single domain.
  • -Server This parameter is not mandatory and can be used in a split DNS environment. The specified DNS Server will be queried.
  • -Path This parameter is not mandatory and can be used to retrieve a list of domains from the specified file.
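
Because the lookup count is not yet covered by the module, here is an added example (not part of DomainHealthChecker) that walks an SPF record recursively, counts the lookup-causing terms of RFC 7208 section 4.6.4 and reports the two permanent-error conditions mentioned above: more than one SPF record at a name and more than 10 lookups. The default resolver uses Resolve-DnsName from the Windows DnsClient module; the $zone table and the $offline resolver at the bottom are a constructed stand-in so the example runs without network access.

```powershell
# Added example, not part of the module: count the DNS lookups an SPF record
# needs and flag the two RFC 7208 failure modes, more than one SPF record at a
# name (section 3.2) and more than 10 lookup-causing terms (section 4.6.4).
# The default resolver uses Resolve-DnsName (DnsClient module, Windows); the
# $zone table at the bottom is a constructed, offline substitute for it.

function Measure-SpfLookups {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Domain,
        # must return the TXT record strings published at a name, one string per record
        [scriptblock]$Resolver = {
            param($Name)
            Resolve-DnsName -Name $Name -Type TXT -ErrorAction Stop | ForEach-Object { -join $_.Strings }
        }
    )

    $state = @{ Lookups = 0; Seen = @{}
                Chain   = [System.Collections.Generic.List[string]]::new()
                Errors  = [System.Collections.Generic.List[string]]::new() }

    function Walk([string]$Name) {
        if ($state.Seen.ContainsKey($Name)) { $state.Errors.Add("$Name is included more than once (loop or duplicate)"); return }
        $state.Seen[$Name] = $true

        $spf = @(& $Resolver $Name | Where-Object { $_ -match '^v=spf1(\s|$)' })
        if ($spf.Count -eq 0) { $state.Errors.Add("no SPF record at $Name, an include/redirect of it is a permerror"); return }
        if ($spf.Count -gt 1) { $state.Errors.Add("$Name publishes $($spf.Count) SPF records, RFC 7208 allows one (permerror)"); return }
        $state.Chain.Add("$Name -> $($spf[0])")

        foreach ($term in ($spf[0] -split '\s+' | Select-Object -Skip 1)) {
            $t = $term.TrimStart('+', '-', '~', '?')    # qualifiers do not change the lookup cost
            switch -Regex ($t) {
                '^(include:|redirect=)(.+)$'    { $state.Lookups += 1; Walk $Matches[2]; break }  # one lookup, then follow the target
                '^(a|mx|ptr|exists)([:/].*)?$'  { $state.Lookups += 1; break }                   # one lookup each
                '^(ip4:|ip6:|all$|exp=)'        { break }                                        # no lookup counted
                default                         { $state.Errors.Add("unknown term '$term' at $Name") }
            }
        }
    }

    Walk $Domain
    [pscustomobject]@{
        Domain      = $Domain
        Lookups     = $state.Lookups
        WithinLimit = ($state.Lookups -le 10) -and ($state.Errors.Count -eq 0)
        Errors      = $state.Errors.ToArray()
        Chain       = $state.Chain.ToArray()
    }
}

# constructed zone: example.com pulls in two providers and ends up over the limit
$zone = @{
    'example.com'        = @('v=spf1 include:_spf.mail.example include:spf.crm.example a mx -all', 'site-verification=abc123')
    '_spf.mail.example'  = @('v=spf1 ip4:192.0.2.0/24 include:relay.mail.example ~all')
    'relay.mail.example' = @('v=spf1 a mx ptr -all')
    'spf.crm.example'    = @('v=spf1 include:_a.crm.example include:_b.crm.example -all')
    '_a.crm.example'     = @('v=spf1 ip4:198.51.100.0/24 -all')
    '_b.crm.example'     = @('v=spf1 mx exists:%{i}.check.crm.example -all')
    'double.example'     = @('v=spf1 -all', 'v=spf1 include:_spf.mail.example -all')
}
$offline = { param($Name) if ($zone.ContainsKey($Name)) { $zone[$Name] } else { @() } }

Measure-SpfLookups -Domain 'example.com'    -Resolver $offline | Format-List
Measure-SpfLookups -Domain 'double.example' -Resolver $offline | Format-List
# Measure-SpfLookups -Domain 'binsec.nl'    # live query through Resolve-DnsName
```

In the constructed zone, example.com itself looks harmless (two includes plus a and mx), but the includes of its two providers add up to 12 lookups, so a receiver evaluating it stops with a permerror and SPF gives no protection; double.example shows the multiple-record case. The counter treats mx as one lookup; RFC 7208 additionally limits the MX and PTR hosts resolved per term, which this example does not model.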

Get-DKIMRecord

This function also becomes available after importing the module and can be used as a standalone function. It retrieves the DKIM record(s) for a specified domain or multiple domains. By default the function checks the DKIM record against the most commonly used DKIM selectors, and the first hit is written to the console. With the -DkimSelector parameter you can specify your own custom selector.

These are the most commonly used DKIM selectors that are checked by default:

Selector       Vendor
--------       ------
google         Google
selector1      Microsoft
selector2      Microsoft
everlytickey1  Everlytickey
everlytickey2  Everlytickey
eversrv        Everlytickey (deprecated selector)
k1             Mailchimp / Mandrill
mxvault        Global Micro
dkim           Hetzner

This function supports the following parameters:

  • -Name This parameter is mandatory for checking the DKIM record for a single domain.
  • -Server This parameter is not mandatory and can be used in a split DNS environment. The specified DNS Server will be queried.
  • -Path This parameter is not mandatory and can be used to retrieve a list of domains from the specified file.
  • -DkimSelector This parameter can be used to retrieve the DKIM record for a specific selector.

PS C:\> Get-DKIMRecord -Name binsec.nl | fl *

Name         : binsec.nl
DkimRecord   : {v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7b7krQw/+b1QOBkbBEW7pMNBLbb7DCEiiLM1YtM0Ekv/VgTLmdZen+m2zzaBrCpm8hnB5WogKeXJ/oE/7qzSvQFNVoOX8o5clWCL+vhnkkr+lAPOJkBJOc/asQOPc+xoPd+H86pS50gvqcJy8m0dXAp+aX62Zc2z6DDCsXl4u8QIDAQAB; n=1024,1494259634,1,  510157234}
DkimSelector : k1
DKIMAdvisory : DKIM-record found.
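
Finding a record is only half the check; the content of the record decides whether signatures will actually verify. The function below is an added example, not part of the module: it parses a DKIM key record into its tags and reports the things a verifier cares about, an empty p= (revoked key), the t=y testing flag, and the RSA key length. The key length is read by importing the p= value as a SubjectPublicKeyInfo with ImportSubjectPublicKeyInfo, which requires PowerShell 7 (.NET Core 3.0 or later); on Windows PowerShell 5.1 that step is caught and reported as a finding. The first sample is the k1 record shown above, the other two are constructed.

```powershell
# Added example, not part of the module: parse a DKIM key record and check
# key type, key length, revoked (empty) key and the testing flag.
# Key length is read by importing the p= value as a SubjectPublicKeyInfo,
# which needs PowerShell 7 (.NET Core 3.0 or later).
# The first sample is the k1 record shown above; the other two are constructed.

function Test-DkimRecord {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Record,
        [string]$Selector = '?'
    )

    # tag=value pairs separated by ';'; whitespace inside values (common in p=) is ignored
    $tags = @{}
    foreach ($pair in $Record -split ';') {
        if ($pair -notmatch '=') { continue }
        $name, $value = $pair -split '=', 2
        $tags[$name.Trim().ToLower()] = ($value -replace '\s', '')
    }

    $findings = [System.Collections.Generic.List[string]]::new()
    $keyType  = if ($tags.ContainsKey('k')) { $tags['k'].ToLower() } else { 'rsa' }   # default per RFC 6376
    $keyBits  = $null

    if ($tags.ContainsKey('v') -and $tags['v'] -ne 'DKIM1') {
        $findings.Add("v=$($tags['v']) is not DKIM1, verifiers will ignore this record")
    }
    if (-not $tags.ContainsKey('p')) {
        $findings.Add('p= tag missing, record is invalid')
    }
    elseif ($tags['p'] -eq '') {
        $findings.Add('p= is empty: the key is revoked, every signature with this selector fails')
    }
    elseif ($keyType -eq 'rsa') {
        try {
            $der       = [Convert]::FromBase64String($tags['p'])
            $rsa       = [System.Security.Cryptography.RSA]::Create()
            $bytesRead = 0
            $rsa.ImportSubjectPublicKeyInfo($der, [ref]$bytesRead)   # PowerShell 7 / .NET Core 3.0+
            $keyBits = $rsa.KeySize
            if ($keyBits -lt 1024)     { $findings.Add("$keyBits-bit RSA key: verifiers must not accept keys under 1024 bits (RFC 8301)") }
            elseif ($keyBits -lt 2048) { $findings.Add("$keyBits-bit RSA key: still accepted, but RFC 8301 recommends 2048 bits") }
        }
        catch {
            $findings.Add("could not read p= as an RSA SubjectPublicKeyInfo: $($_.Exception.Message)")
        }
    }
    elseif ($keyType -ne 'ed25519') {
        $findings.Add("k=$keyType is not a known key type")
    }
    if ($tags['t'] -match 'y') {
        $findings.Add('t=y: testing mode, verifiers treat a failed signature as if the mail were unsigned')
    }

    [pscustomobject]@{
        Selector = $Selector
        KeyType  = $keyType
        KeyBits  = $keyBits
        Revoked  = ($tags.ContainsKey('p') -and $tags['p'] -eq '')
        Findings = $findings.ToArray()
    }
}

$samples = @(
    @{ Selector = 'k1'
       Record   = 'v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7b7krQw/+b1QOBkbBEW7pMNBLbb7DCEiiLM1YtM0Ekv/VgTLmdZen+m2zzaBrCpm8hnB5WogKeXJ/oE/7qzSvQFNVoOX8o5clWCL+vhnkkr+lAPOJkBJOc/asQOPc+xoPd+H86pS50gvqcJy8m0dXAp+aX62Zc2z6DDCsXl4u8QIDAQAB; n=1024,1494259634,1,  510157234' }
    @{ Selector = 'old';   Record = 'v=DKIM1; k=rsa; p=' }                                   # constructed: revoked key
    @{ Selector = 'trial'; Record = 'v=DKIM1; k=ed25519; t=y; p=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=' }   # constructed: testing mode
)
foreach ($s in $samples) {
    Test-DkimRecord -Record $s.Record -Selector $s.Selector | Format-List
}
```

When DNS returns the record as several TXT strings (long 2048-bit keys are usually split), join them before calling the function, for example with -join on the Strings property of a Resolve-DnsName result, otherwise the base64 decode fails on the truncated p= value.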

Get-DMARCRecord

This function also becomes available after importing the module and can be used as a standalone function. It retrieves the DMARC record of the specified domain or multiple domains.

This function supports the following parameters:

  • -Name This parameter is mandatory for checking the DMARC record for a single domain.
  • -Server This parameter is not mandatory and can be used in a split DNS environment. The specified DNS Server will be queried.
PS C:\> Get-DMARCRecord -Name binsec.nl

Name      DmarcRecord                 DmarcAdvisory
----      -----------                 -------------
binsec.nl v=DMARC1; p=reject; pct=100 Domain has a DMARC record and your DMARC policy will prevent abuse of your domain by phishers and spammers.

If you have any questions or additions regarding this module, please let me know!


This post is licensed under CC BY 4.0 by the author.