To protect your email domain against cybercriminals it’s important that you configure SPF, DKIM and DMARC records on your email domain. As an IT Security Engineer, I do also the configuration of SPF, DKIM and DMARC records for our clients if it’s needed. Some companies having hundreds of domain names and in order to check them all at once for having proper SPF, DKIM and DMARC and DKIM records, I have configured a PowerShell script for that.
Brief explaination
SPF (Sender Policy Framework)
The SPF is placed as a DNS entry in the public DNS of the domain. This protocol is an authentication protocol, which includes a list of IP addresses and hostnames of email servers that are allowed to send email messages on behalf of the email domain. To protect to domain from improper use, such as spoofing, etc.
DKIM (DomainKeys Identified Mail)
After an email message is sent by the sender, the receiving email server can verify that the sender is who it claims to be by checking the DKIM signature placed in the header of the email message and comparing it to the public DKIM key placed on the public DNS of the sender email domain.
DMARC (Domain-based Message Authentication, Reporting and Conformance)
The DMARC protocol is a policy protocol (sometimes it is also called a verification protocol). In my humble opinion, this protocol is the most important link in the chain to prevent abuse of an email domain. DMARC works closely with SPF and DKIM, it is very important to configure SPF and DKIM first.
A DMARC record is placed in the public DNS of an email domain. This protocol can define the policy on how strictly SPF and DKIM should be adhered to. For example, if an email message has an SPF(no-alignment), should the email message be allowed to pass or should it be blocked? And to which email address should notification be sent if someone tries to abuse your email domain. In most cases, an SPF HardFail occurs which allows the receiving email server to block the message and via the DMARC record (ruf-tag) to find out to which email address a report of possible abuse should be sent.
For more information about DMARC, I refer to https://dmarcian.com/why-dmarc/.
DomainHealthChecker
Let’s jump into the main topic of this article! I have written a PowerShell Module which can check the SPF record, DKIM record and DMARC record of a specific domain, or for multiple domains. This PowerShell Module is split into multiple functions and everything comes together in the Invoke-SpfDkimDmarc function.
You can install this module directly from the PowerShellGallery.
1
C:\> Install-Module DomainHealthChecker
Invoke-SpfDkimDmarc
This is the main function of this module. In this function, the Get-SPFRecord
, Get-DKIMRecord
, and Get-DMARCRecord
come together and all three of the protocols are checked against the specified domain(s). For example, you can use this function in collaboration with Export-CSV to organize your output and analyze them in a convenient way.
1
2
3
4
5
6
7
8
9
10
PS C:\> Invoke-SpfDkimDmarc -Name binsec.nl
Name : binsec.nl
SPFRecord : v=spf1 include:_spf.transip.email -all
SpfAdvisory : An SPF-record is configured and the policy is sufficiently strict.
DmarcRecord : v=DMARC1; p=reject; pct=100
DmarcAdvisory : Domain has a DMARC record and your DMARC policy will prevent abuse of your domain by phishers and spammers.
DkimSelector : selector1
DkimRecord :
DkimAdvisory : We couldn't find a DKIM record associated with your domain.
This function is supporting the following parameters:
-Name
This parameter is mandatory for checking the SPF, DKIM and DMARC record for a single domain.-DkimSelector
This parameter is not mandatory and is used to retrieve the DKIM record with the corresponding selector.-Server
This parameter is not mandatory and can be used in a split DNS environment. The specified DNS Server will be queried.-Path
This parameter is not mandatory and can be used to retrieve a list of domains from the specified file.
Get-SPFRecord
After importing the module the Get-SPFRecord
the function will also become available and can run be used as a standalone cmdlet. This function will query for the SPF record which is associated with the specified domain. This function will also check if there are one or multiple SPF records. According to RFC7208 this protocol is not supporting multiple SPF records. Only on SPF record may exist per domain. Currently, this function isn’t checking how many DNS Lookups an SPF record holds. This feature will be added in the near future. (See also issue #16 on Github).
1
2
3
4
5
PS C:\> Get-SPFRecord -Name binsec.nl
Name SPFRecord SPFAdvisory
---- --------- -----------
binsec.nl v=spf1 include:_spf.transip.email -all An SPF-record is configured and the policy is sufficiently strict.
This function is supporting the following parameters:
-Name
This parameter is mandatory for checking the SPF record for a single domain.-Server
This parameter is not mandatory and can be used in a split DNS environment. The specified DNS Server will be queried.-Path
This parameter is not mandatory and can be used to retrieve a list of domains from the specified file.
Get-DKIMRecord
This function is also coming available after importing the module. The Get-DKIMRecord
function can be used as a standalone function. This function retrieves the DKIM record(s) for a specified domain or multiple domains. This function is default checking the DKIM record against the most commonly used DKIM selectors. The first hit will be output in the console. With the parameter -DkimSelector
you can choose your own custom selector.
These most commonly used DKIM selectors that are checked:
Selector | Vendor |
---|---|
selector1 | Microsoft |
selector2 | Microsoft |
everlytickey1 | Everlytickey |
everlytickey2 | Everlytickey |
eversrv (Deprecated selector) | Everlytickey |
k1 | Mailchimp / Mandrill |
mxvault | Global Micro |
dkim | Hetzner |
-name
This parameter is mandatory for checking the DKIM record for a single domain.-Server
This parameter is not mandatory and can be used in a split DNS environment. The specified DNS Server will be queried.-Path
This parameter is not mandatory and can be used to retrieve a list of domains from the specified file.-DkimSelector
This parameter can be used to retrieve the DKIM record for a specific selector.
1
2
3
4
5
6
PS C:\> Get-DKIMRecord -Name binsec.nl | fl *
Name : binsec.nl
DkimRecord : {v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7b7krQw/+b1QOBkbBEW7pMNBLbb7DCEiiLM1YtM0Ekv/VgTLmdZen+m2zzaBrCpm8hnB5WogKeXJ/oE/7qzSvQFNVoOX8o5clWCL+vhnkkr+lAPOJkBJOc/asQOPc+xoPd+H86pS50gvqcJy8m0dXAp+aX62Zc2z6DDCsXl4u8QIDAQAB; n=1024,1494259634,1, 510157234}
DkimSelector : k1
DKIMAdvisory : DKIM-record found.
Get-DMARCRecord
This function is also coming available after importing the module. The Get-DMARCRecord
function can be used as a standalone function. This function retrieves the DMARC record of the specified domain or multiple domains.
This function is supporting the following parameters:
-Name
This parameter is mandatory for checking the DKIM record for a single domain.-Server
This parameter is not mandatory and can be used in a split DNS environment. The specified DNS Server will be queried.
1
2
3
4
5
PS C:\> Get-DMARCRecord -Name binsec.nl
Name DmarcRecord DmarcAdvisory
---- ----------- -------------
binsec.nl v=DMARC1; p=reject; pct=100 Domain has a DMARC record and your DMARC policy will prevent abuse of your domain by phishers and spammers.
Do you have any questions or additions regarding this module, please let me know!