Testing SPF, DKIM, and DMARC

Testing SPF, DKIM, and DMARC

If you are interested in a step-by-step implementation of SPF, DKIM, and DMARC, there’s a post for that! It’s on this site as well and it will walk you through the entire process.

https://www.linuxincluded.com/implementing-spf-dkim-and-dmarc/

Before you jump into testing SPF, DKIM, or DMARC, you need to verify where your authoritative DNS nameservers are. The easiest way to do this is by going to a Linux command line and performing a whois.

# whois linuxincluded.com
  Domain Name: LINUXINCLUDED.COM
  Registry Domain ID: 1985890536_DOMAIN_COM-VRSN
  Registrar WHOIS Server: whois.google.com
  Registrar URL: http://domains.google.com
  …
  Name Server: NS-CLOUD-E1.GOOGLEDOMAINS.COM
  Name Server: NS-CLOUD-E2.GOOGLEDOMAINS.COM
  Name Server: NS-CLOUD-E3.GOOGLEDOMAINS.COM
  Name Server: NS-CLOUD-E4.GOOGLEDOMAINS.COM

As you can see, the DNS servers for linuxincluded.com reside at Google Domains. You can also use a website such as ICANN to determine the same information. It should provide the same information as what you found above.

https://whois.icann.org/

ICANN whois

icann nameservers

There are several ways to test whether SPF, DKIM, and DMARC are implemented properly. I prefer testing in multiple locations the first go around… It’s a nice way of double-checking your work and it can be a bit of a learning experience since all the testing tools provide a little different feedback.

Testing SPF, DKIM, and DMARC Using Gmail

Gmail easily tests for SPF. Simply send an email from any address from the domain in question and click the dropdown under the sender’s name.

Gmail checking SPF

If there is a ‘mailed-by:’ followed by the domain name, SPF is working properly.

Gmail checking spf

Gmail also easily tests for DKIM. Once again, simply send an email from any address tied to the domain and click the dropdown under the sender’s name. If there is a ‘signed-by:’ followed by your domain name, the DKIM signature is configured properly.

Gmail testing DKIM

Gmail will also show both plus DMARC in a more verbose fashion. Click the dropdown on the right and select “Show original.”

Gmail Show Original

The “Show original” window will show the results for SPF, DKIM, and DMARC.

Gmail showing spf, dkim, and dmarc settings

This method also shows the complete message so one can also scroll through the actual message to find information related to SPF, DKIM, and DMARC.

GMail headers

Testing SPF, DKIM, and DMARC Using MX Toolbox

There are numerous websites that allow for easily testing SPF, DKIM, and DMARC. A standard website referenced frequently is MX Toolbox and more specifically, https://mxtoolbox.com/NetworkTools.aspx (below).

MX Toolbox Network ToolsMX Toolbox can easily test whether a domain has an SPF record.

MX Toolbox SPF check

The same SPF test can also test whether an IP address or hostname is included in the enumerated lists.

MX toolbox SPF check based on IP address

MX Toolbox can test the validity of DKIM records. In the example below, the DNS is tested for a DKIM selector key of ‘dkim’.


MX toolbox DKIM check

The site can also perform DMARC queries. The query below is for a ‘quarantine’ domain.

MX toolbox DMARC - quarantine

Testing SPF, DKIM, and DMARC Using AppMailDev

Other websites such as http://www.appmaildev.com/ take a slightly different approach. The appmaildev website has some interesting methods to test SPF and DKIM as it requests the tester send an email to a randomly generated appmaildev.com email address.

App Mail Dev tests

Alternatively, the tester can upload a full email (or eml format) and the website will generate the results for all three tests.

appmaildev testing spf, dkim, and dmarc

Testing SPF, DKIM, and DMARC Using The Command Line

Tests can also be performed from the Linux command line. Unfortunately, the downside to the command line methods is that the tools do not test the records for correctness, e.g. an SPF record may exist, but it may not be formatted correctly.

# dig TXT linuxincluded.com
;; ANSWER SECTION:
linuxincluded.com.    3600   IN        TXT     "v=spf1 +mx +a ~all"

For DKIM, the tester also needs to know the selector prefix.

# dig TXT dkim._domainkey.linuxincluded.com
;; ANSWER SECTION:
dkim._domainkey. linuxincluded.com. 3600 IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAg/Przq+HpH7IHVFjrqgRc5i+IzlokNuX37raN7h7TmPeCO2UuWRj/2kdFByb1H3Ex0pkE1F5RCe/ATL6XFQOceIfycjX2TGWj3RWksS7b67UhSNveyhW0xPFSlTvYYs+t3h4AZdxBCi9zvassuskRKGnFenZYdvmtv+P0WSWx/ANoLPTqtIcS6TDeq281Lral" "1nmghruKkOxhbYRfbGS8QTxOKQN+MsSHK/blRuv3WnQd0NydvTVlrzKB92tvTkncLW0oCtcYxfDNs6Ox9KI/UyNJay4bQvZOmTBNVSW4wr/1N5ykU6+KVp1hdBZCg+0eBUPuddiKO7zW5j2UdDGIQIDAQAB"
# dig TXT _dmarc. linuxincluded.com
 ;; ANSWER SECTION:
 _dmarc. linuxincluded.com. 3600 IN           TXT     "v=DMARC1; p=none; rua=mailto:webbie@ linuxincluded.com;"

 

That’s it! It’s really not as bad as you thought, huh?
Best of luck getting SPF, DKIM, and DMARC implemented in your environments!

 

 

Leave a Reply

Your email address will not be published.