Testing SPF, DKIM, and DMARC
If you are interested in a step-by-step implementation of SPF, DKIM, and DMARC, there’s a post for that! It’s on this site as well and it will walk you through the entire process.
https://linuxincluded.com/implementing-spf-dkim-and-dmarc/
Changelog
17Nov2017 – Originally posted
25Mar2018 – Added more SPF tests specifically for lookups
19Nov2018 – Clarified some test steps and added a site
Before you jump into testing SPF, DKIM, or DMARC, you need to verify where your authoritative DNS nameservers are. The easiest way to do this is by going to a Linux command line and performing a whois.
# whois linuxincluded.com Domain Name: LINUXINCLUDED.COM Registry Domain ID: 1985890536_DOMAIN_COM-VRSN Registrar WHOIS Server: whois.google.com Registrar URL: http://domains.google.com … Name Server: NS-CLOUD-E1.GOOGLEDOMAINS.COM Name Server: NS-CLOUD-E2.GOOGLEDOMAINS.COM Name Server: NS-CLOUD-E3.GOOGLEDOMAINS.COM Name Server: NS-CLOUD-E4.GOOGLEDOMAINS.COM
As you can see, the DNS servers for linuxincluded.com reside at Google Domains. You can also use a website such as ICANN to determine the same information. It should provide the same information as what you found above.
There are several ways to test whether SPF, DKIM, and DMARC are implemented properly. I prefer testing in multiple locations the first go around… It’s a nice way of double-checking your work and it can be a bit of a learning experience since all the testing tools provide a little different feedback.
Testing SPF, DKIM, and DMARC Using Gmail
Gmail easily tests for SPF. Simply send an email from any address from the domain in question and click the dropdown under the sender’s name.
If there is a ‘mailed-by:’ followed by the domain name, SPF is working properly.
Gmail also easily tests for DKIM. Once again, simply send an email from any address tied to the domain and click the dropdown under the sender’s name. If there is a ‘signed-by:’ followed by your domain name, the DKIM signature is configured properly.
Gmail will also show both plus DMARC in a more verbose fashion. Click the dropdown on the right and select “Show original.”
The “Show original” window will show the results for SPF, DKIM, and DMARC.
This method also shows the complete message so one can also scroll through the actual message to find information related to SPF, DKIM, and DMARC.
Testing SPF, DKIM, and DMARC Using MX Toolbox
There are numerous websites that allow for easily testing SPF, DKIM, and DMARC. A standard website referenced frequently is MX Toolbox and more specifically, https://mxtoolbox.com/NetworkTools.aspx (below).
MX Toolbox can easily test whether a domain has an SPF record.
The same SPF test can also test whether an IP address or hostname is included in the enumerated lists.
MX Toolbox can test the validity of DKIM records. In the example below, the DNS is tested for a DKIM selector key of ‘dkim’.
The site can also perform DMARC queries. The query below is for a ‘quarantine’ domain.
Testing SPF, DKIM, and DMARC Using AppMailDev
Other websites such as http://www.appmaildev.com/ take a slightly different approach. The appmaildev website has some interesting methods to test SPF and DKIM as it requests the tester send an email to a randomly generated appmaildev.com email address. Simply go to the link below and click ‘Next Step’ to see the randomly generated email address.
http://www.appmaildev.com/en/dkim
Alternatively, the tester can upload a full email (or eml format) and the website will generate the results for all three tests. Note: You shouldn’t upload anything sensitive to begin with, but the website is not HTTPS.
http://www.appmaildev.com/en/dkimfile
Another website with similar features to AppMailDev is EmailTooler. FWIW, it’s an email marketing site, however, they state they remove collected data 30 minutes after the submission and they do not store any data permanently.
https://www.emailtooler.com/authentication-validator/
Testing SPF, DKIM, and DMARC Using The Command Line
Tests can also be performed from the Linux command line. Unfortunately, the downside to the command line methods is that the tools do not test the records for correctness, e.g. an SPF record may exist, but it may not be formatted correctly.
# dig TXT linuxincluded.com ;; ANSWER SECTION: linuxincluded.com. 3600 IN TXT "v=spf1 +mx +a ~all"
For DKIM, the tester also needs to know the selector prefix.
# dig TXT dkim._domainkey.linuxincluded.com ;; ANSWER SECTION: dkim._domainkey. linuxincluded.com. 3600 IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAg/Przq+HpH7IHVFjrqgRc5i+IzlokNuX37raN7h7TmPeCO2UuWRj/2kdFByb1H3Ex0pkE1F5RCe/ATL6XFQOceIfycjX2TGWj3RWksS7b67UhSNveyhW0xPFSlTvYYs+t3h4AZdxBCi9zvassuskRKGnFenZYdvmtv+P0WSWx/ANoLPTqtIcS6TDeq281Lral" "1nmghruKkOxhbYRfbGS8QTxOKQN+MsSHK/blRuv3WnQd0NydvTVlrzKB92tvTkncLW0oCtcYxfDNs6Ox9KI/UyNJay4bQvZOmTBNVSW4wr/1N5ykU6+KVp1hdBZCg+0eBUPuddiKO7zW5j2UdDGIQIDAQAB"
# dig TXT _dmarc. linuxincluded.com ;; ANSWER SECTION: _dmarc. linuxincluded.com. 3600 IN TXT "v=DMARC1; p=none; rua=mailto:webbie@ linuxincluded.com;"
Further Testing SPF – DMARC Analyzer
Keep in mind that SPF has a 10 lookup limitation and that includes nested lookups. For example, having _spf.google.com in your SPF record turns into 3 lookups which include _netblocks.google.com, _netblocks2.google.com, and _netblocks3.google.com. This limitation is discussed a little more in more depth here: https://linuxincluded.com/implementing-spf-dkim-and-dmarc/. One other site I don’t use for all of the tests, but is really handy in certain instances is is DMARC Analyzer. If you are hitting the 10 lookup SPF limitation, then I prefer to use DMARC Analyzer as it provides a really great visual representation of how the lookups work. It also shows how the nested lookups work, which is important because those count against that magical 10 lookup count too. The DMARC Analyzer site also makes it far easier to determine how you might replace hostnames with IP addresses (or IP address ranges) to reduce the number of lookups.
https://app.dmarcanalyzer.com/dns/spf?simple=
That’s it! It’s really not as bad as you thought, huh?
Best of luck getting SPF, DKIM, and DMARC implemented in your environments!
Dallas Haselhorst has worked as an IT and information security consultant for over 20 years. During that time, he has owned his own businesses and worked with companies in numerous industries. Dallas holds several industry certifications and when not working or tinkering in tech, he may be found attempting to mold his daughters into card carrying nerds and organizing BSidesKC.
2 thoughts on “Testing SPF, DKIM, and DMARC”
I use tools to validate the SPF and DKIM implementation. A good one is https://www.emailtooler.com/authentication-validator/. You just need to send an email to the given email address and you see the result live on the website. Very simple and helpful tool!
Maybe you could link to the tool in the article. I’m sure, your readers would appreciate it.
P.S. On the website appmaildev.com I could not find the tool you described in the article. They offer only a manual approach to validate DKIM, SPF etc.
Thanks for stopping by! I clarified the test steps for appmaildev.com. I also added the site you specified after testing it. Thanks for the recommendation!