DNS Check: SPF, DKIM, DMARC, and BIMI Validation
DNS Check: SPF, DKIM, DMARC, and BIMI Validation
Description
Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), Domain-based Message Authentication, Reporting & Conformance (DMARC), and Brand Indicators for Message Identification (BIMI) are key DNS records used to authenticate email and prevent spoofing.
- SPF: Ensures that only authorized mail servers can send emails on behalf of a domain.
- DKIM: Allows the recipient to verify the sender and the message integrity via a digital signature.
- DMARC: Aligns SPF and DKIM to provide reporting and a policy for handling unauthenticated emails.
- BIMI: Adds brand logos to verified emails, improving brand recognition and trust in email communications.
Failure to properly configure these records can result in increased vulnerability to phishing attacks, email spoofing, and a reduction in email deliverability. Each check ensures that email authentication mechanisms are correctly implemented.
Recommendation
To ensure proper email authentication and mitigate the risk of phishing and email spoofing, itβs essential to configure and validate your SPF, DKIM, DMARC, and BIMI DNS records. Below are the steps to set up and verify each of these mechanisms for three different email server configurations.
### Validate SPF Record Syntax:
dig TXT example.com | grep "v=spf1"
if [ -z "$(dig +short TXT example.com | grep spf1)" ]; then
echo "No SPF record found"
fi
### Check SPF Record Length:
spf_record=$(dig TXT example.com | grep "v=spf1")
if [ ${#spf_record} -gt 255 ]; then
echo "SPF record exceeds length limit"
fi
### Verify DNS Lookup Limits:
spf_check=$(dig TXT example.com | grep "v=spf1")
lookup_count=$(echo "$spf_check" | grep -o 'include' | wc -l)
if [ "$lookup_count" -gt 10 ]; then
echo "SPF record exceeds the 10 DNS lookup limit"
fi
### Query DKIM Record:
dig TXT default._domainkey.example.com | grep "v=DKIM1"
### Validate DKIM Record Syntax:
dkim_record=$(dig TXT default._domainkey.example.com)
if [[ "$dkim_record" =~ "v=DKIM1" ]]; then
echo "Valid DKIM record"
else
echo "Invalid DKIM record syntax"
fi
### Check DKIM Key Length:
dkim_key=$(dig TXT default._domainkey.example.com | grep -o "p=.*" | cut -d' ' -f2)
if [ ${#dkim_key} -lt 1024 ]; then
echo "DKIM key is too short"
fi
### Query DMARC Record:
dig TXT _dmarc.example.com | grep "v=DMARC1"
### Validate DMARC Record Syntax:
dmarc_record=$(dig TXT _dmarc.example.com)
if [[ "$dmarc_record" =~ "v=DMARC1" ]]; then
echo "Valid DMARC record"
else
echo "Invalid DMARC record syntax"
fi
### Check for Missing DMARC Records:
if [ -z "$(dig +short TXT _dmarc.example.com)" ]; then
echo "No DMARC record found"
fi
### Analyze DMARC Policy:
policy=$(dig TXT _dmarc.example.com | grep "p=")
if [[ "$policy" =~ "p=none" ]]; then
echo "DMARC policy is set to 'none' β no action taken on unauthenticated emails"
elif [[ "$policy" =~ "p=reject" ]]; then
echo "DMARC policy is set to 'reject' β unauthenticated emails are rejected"
elif [[ "$policy" =~ "p=quarantine" ]]; then
echo "DMARC policy is set to 'quarantine' β unauthenticated emails are flagged"
fi
### Query BIMI Record:
dig TXT default._bimi.example.com | grep "v=BIMI1"
### Validate BIMI Record Syntax:
bimi_record=$(dig TXT default._bimi.example.com)
if [[ "$bimi_record" =~ "v=BIMI1" ]]; then
echo "Valid BIMI record"
else
echo "Invalid BIMI record syntax"
fi
### Verify BIMI Logo URL:
logo_url=$(dig TXT default._bimi.example.com | grep "l=" | cut -d'=' -f2)
if curl --output /dev/null --silent --head --fail "$logo_url"; then
echo "Valid logo URL"
else
echo "Invalid logo URL"
fi
Links
Standards
- SOC2_CONTROLS:
- CC_6_1
- CC_6_6
- CC_6_7
- CC_7_1
- CC_7_2
- CC_7_3
- CC_7_4
- CC_8_1
- CC_9_1
- CC_9_2
- PCI_STANDARDS:
- REQ_12_3
- REQ_12_10
- CCPA:
- CCPA_1798_150
- GDPR:
- ART_24
- ART_32
- ART_33
- ART_34
- CWE_TOP_25:
- CWE_787
- CWE_125
- CWE_416
- CWE_119