Testing SPF, DKIM, and DMARC

If you are interested in a step-by-step implementation of SPF, DKIM, and DMARC, there’s a post for that! It’s on this site as well and it will walk you through the entire process.

https://www.linuxincluded.com/implementing-spf-dkim-and-dmarc/

Changelog
17Nov2017 – Originally posted
25Mar2018 – Added more SPF tests specifically for lookups
19Nov2018 – Clarified some test steps and added a site

Before you jump into testing SPF, DKIM, or DMARC, you need to verify where your authoritative DNS nameservers are. The easiest way to do this is by going to a Linux command line and performing a whois.

# whois linuxincluded.com
  Domain Name: LINUXINCLUDED.COM
  Registry Domain ID: 1985890536_DOMAIN_COM-VRSN
  Registrar WHOIS Server: whois.google.com
  Registrar URL: http://domains.google.com
  …
  Name Server: NS-CLOUD-E1.GOOGLEDOMAINS.COM
  Name Server: NS-CLOUD-E2.GOOGLEDOMAINS.COM
  Name Server: NS-CLOUD-E3.GOOGLEDOMAINS.COM
  Name Server: NS-CLOUD-E4.GOOGLEDOMAINS.COM

As you can see, the DNS servers for linuxincluded.com reside at Google Domains. You can also use a website such as the ICANN whois lookup to determine the same information; it should match what the command-line whois returned above.

https://whois.icann.org/

ICANN whois

icann nameservers

There are several ways to test whether SPF, DKIM, and DMARC are implemented properly. I prefer testing in multiple locations the first time around. It’s a nice way of double-checking your work, and it can be a bit of a learning experience since each of the testing tools provides slightly different feedback.

Testing SPF, DKIM, and DMARC Using Gmail

Gmail easily tests for SPF. Simply send an email from any address from the domain in question and click the dropdown under the sender’s name.

Gmail checking SPF

If there is a ‘mailed-by:’ followed by the domain name, SPF is working properly.

Gmail checking spf

Gmail also easily tests for DKIM. Once again, simply send an email from any address tied to the domain and click the dropdown under the sender’s name. If there is a ‘signed-by:’ followed by your domain name, the DKIM signature is configured properly.

Gmail testing DKIM

Gmail will also show the SPF and DKIM results plus DMARC in a more verbose fashion. Click the dropdown on the right and select “Show original.”

Gmail Show Original

The “Show original” window will show the results for SPF, DKIM, and DMARC.

Gmail showing spf, dkim, and dmarc settings

This method also shows the complete message, so you can scroll through the raw headers to find the information related to SPF, DKIM, and DMARC.

GMail headers

Testing SPF, DKIM, and DMARC Using MX Toolbox

There are numerous websites that allow for easily testing SPF, DKIM, and DMARC. A standard website referenced frequently is MX Toolbox and more specifically, https://mxtoolbox.com/NetworkTools.aspx (below).

MX Toolbox Network Tools

MX Toolbox can easily test whether a domain has an SPF record.

MX Toolbox SPF check

The same SPF test can also test whether an IP address or hostname is included in the enumerated lists.

MX toolbox SPF check based on IP address

MX Toolbox can test the validity of DKIM records. In the example below, DNS is queried for the DKIM key published under the selector ‘dkim’.

MX toolbox DKIM check

The site can also perform DMARC queries. The query below is for a ‘quarantine’ domain.

MX toolbox DMARC - quarantine

Testing SPF, DKIM, and DMARC Using AppMailDev

Other websites such as http://www.appmaildev.com/ take a slightly different approach. The appmaildev website has some interesting methods to test SPF and DKIM as it requests the tester send an email to a randomly generated appmaildev.com email address. Simply go to the link below and click ‘Next Step’ to see the randomly generated email address.

http://www.appmaildev.com/en/dkim

App Mail Dev tests

Alternatively, the tester can upload a full email (in .eml format) and the website will generate the results for all three tests. Note: you shouldn’t upload anything sensitive to begin with, and the website is not served over HTTPS, so anything you do upload travels in the clear.

http://www.appmaildev.com/en/dkimfile

appmaildev testing spf, dkim, and dmarc

Another website with similar features to AppMailDev is EmailTooler. FWIW, it’s an email marketing site, however, they state they remove collected data 30 minutes after the submission and they do not store any data permanently.

https://www.emailtooler.com/authentication-validator/

Email Tooler - validate DKIM, SPF, DMARC, and SSL

Testing SPF, DKIM, and DMARC Using The Command Line

Tests can also be performed from the Linux command line. The downside to the command-line methods is that tools such as dig only retrieve the records; they do not test them for correctness, e.g. an SPF record may exist, but it may not be formatted correctly.

# dig TXT linuxincluded.com
;; ANSWER SECTION:
linuxincluded.com.    3600   IN        TXT     "v=spf1 +mx +a ~all"

For DKIM, the tester also needs to know the selector (the label that precedes _domainkey in the record name).

# dig TXT dkim._domainkey.linuxincluded.com
;; ANSWER SECTION:
dkim._domainkey.linuxincluded.com. 3600 IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAg/Przq+HpH7IHVFjrqgRc5i+IzlokNuX37raN7h7TmPeCO2UuWRj/2kdFByb1H3Ex0pkE1F5RCe/ATL6XFQOceIfycjX2TGWj3RWksS7b67UhSNveyhW0xPFSlTvYYs+t3h4AZdxBCi9zvassuskRKGnFenZYdvmtv+P0WSWx/ANoLPTqtIcS6TDeq281Lral" "1nmghruKkOxhbYRfbGS8QTxOKQN+MsSHK/blRuv3WnQd0NydvTVlrzKB92tvTkncLW0oCtcYxfDNs6Ox9KI/UyNJay4bQvZOmTBNVSW4wr/1N5ykU6+KVp1hdBZCg+0eBUPuddiKO7zW5j2UdDGIQIDAQAB"

# dig TXT _dmarc.linuxincluded.com
;; ANSWER SECTION:
_dmarc.linuxincluded.com. 3600 IN TXT "v=DMARC1; p=none; rua=mailto:webbie@linuxincluded.com;"

Further Testing SPF – DMARC Analyzer

Keep in mind that SPF has a 10 lookup limitation, and that includes nested lookups. For example, having _spf.google.com in your SPF record turns into 3 lookups, which include _netblocks.google.com, _netblocks2.google.com, and _netblocks3.google.com. This limitation is discussed in more depth here: https://www.linuxincluded.com/implementing-spf-dkim-and-dmarc/. One other site I don’t use for all of the tests, but which is really handy in certain instances, is DMARC Analyzer. If you are hitting the 10 lookup SPF limitation, then I prefer to use DMARC Analyzer as it provides a really great visual representation of how the lookups work. It also shows how the nested lookups work, which is important because those count against that magical 10 lookup count too. The DMARC Analyzer site also makes it far easier to determine how you might replace hostnames with IP addresses (or IP address ranges) to reduce the number of lookups.

https://app.dmarcanalyzer.com/dns/spf?simple=
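As an added example (not code from this post or from any of the sites it links), here is a small Python checker that does the part dig leaves out: it fetches the v=spf1 record, rejects a missing or duplicate record, and counts DNS lookups recursively through include: and redirect=, which is how the 10 lookup limit discussed above is evaluated. It runs against a constructed in-memory zone: the linuxincluded.com entry mirrors the dig output earlier, while the google netblock contents and the vendor.test records are assumed placeholders; pass a real TXT resolver as `resolve` to check a live domain.

```python
# Constructed sample zone: TXT records as a resolver would hand them back. linuxincluded.com
# matches the dig output above; the google-style chain and vendor.test are assumed placeholders.
SAMPLE_TXT = {
    "linuxincluded.com": ["v=spf1 +mx +a ~all"],
    "_spf.google.com": ["v=spf1 include:_netblocks.google.com "
                        "include:_netblocks2.google.com include:_netblocks3.google.com ~all"],
    "_netblocks.google.com": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_netblocks2.google.com": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "_netblocks3.google.com": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "example.test": ["v=spf1 include:_spf.google.com include:mail.vendor.test mx "
                     "ip4:198.51.100.0/24 ~all"],
    "mail.vendor.test": ["v=spf1 a mx ptr exists:%{i}.spf.vendor.test redirect=_spf2.vendor.test"],
    "_spf2.vendor.test": ["v=spf1 a:relay.vendor.test -all"],
}

# Mechanisms that cost a DNS query under RFC 7208 section 4.6.4 (ip4, ip6 and all do not).
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}

def sample_resolve(domain):  # stand-in for a real TXT lookup
    return SAMPLE_TXT.get(domain, [])

def get_spf(domain, resolve=sample_resolve):
    """Return the one v=spf1 record for domain; none or several is a broken setup."""
    records = [t for t in resolve(domain) if t.lower().split(" ", 1)[0] == "v=spf1"]
    if len(records) != 1:
        raise ValueError(f"{domain}: expected exactly one v=spf1 record, found {len(records)}")
    return records[0]

def count_lookups(domain, resolve=sample_resolve, _path=frozenset()):
    """Count lookup-costing terms reachable from domain, following include: and redirect=."""
    if domain in _path:
        raise ValueError(f"include/redirect loop at {domain}")
    _path = _path | {domain}                       # path, not global set: repeats still count
    total = 0
    for term in get_spf(domain, resolve).split()[1:]:
        term = term.lstrip("+-~?")                 # qualifiers never cost a query
        name, _, target = term.partition(":")
        name = name.split("/")[0]                  # strip a/24-style CIDR suffixes
        if term.startswith("redirect="):           # a modifier, counted like include:
            total += 1 + count_lookups(term[len("redirect="):], resolve, _path)
        elif name == "include":
            total += 1 + count_lookups(target, resolve, _path)
        elif name in LOOKUP_MECHS:
            total += 1
    return total

def within_limit(domain, resolve=sample_resolve):
    """True when the record stays inside the 10 lookup limit the post warns about."""
    return count_lookups(domain, resolve) <= 10
```

In the sample zone, example.test comes out at 12 lookups and fails, which is exactly the situation where swapping the vendor hostnames for ip4: ranges would bring it back under the limit.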

That’s it! It’s really not as bad as you thought, huh?
Best of luck getting SPF, DKIM, and DMARC implemented in your environments!

Dallas Haselhorst has worked as an IT and information security consultant for over 20 years. During that time, he has owned his own businesses and worked with companies in numerous industries. Dallas holds several industry certifications and when not working or tinkering in tech, he may be found attempting to mold his daughters into card carrying nerds and organizing BSidesKC.

2 thoughts on “Testing SPF, DKIM, and DMARC”

  1. I use tools to validate the SPF and DKIM implementation. A good one is https://www.emailtooler.com/authentication-validator/. You just need to send an email to the given email address and you see the result live on the website. Very simple and helpful tool!

    Maybe you could link to the tool in the article. I’m sure your readers would appreciate it.

    P.S. On the website appmaildev.com I could not find the tool you described in the article. They offer only a manual approach to validate DKIM, SPF etc.
