DNS Check: SPF, DKIM, DMARC, and BIMI Validation
## Description
Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), Domain-based Message Authentication, Reporting and Conformance (DMARC) and Brand Indicators for Message Identification (BIMI) are the key DNS records used to authenticate email and prevent spoofing.
- SPF: ensures that only authorised mail servers can send email on behalf of a domain.
- DKIM: lets recipients verify the sender and the integrity of a message through a digital signature.
- DMARC: builds on SPF and DKIM, adding reporting and a policy for how unauthenticated email is handled.
- BIMI: attaches a brand logo to authenticated email, improving brand recognition and trust in email communication.
Failing to configure these records correctly can leave a domain more exposed to phishing and email spoofing and can reduce email deliverability. Each check below confirms that the corresponding email authentication mechanism is implemented correctly.
## Recommendation
To ensure proper email authentication and reduce the risk of phishing and email spoofing, it is essential to configure and validate your SPF, DKIM, DMARC and BIMI DNS records. Below are the steps to set up and validate each mechanism across three different mail server configurations.
### Validate SPF record syntax:
```bash
dig +short TXT example.com | grep "v=spf1"
if [ -z "$(dig +short TXT example.com | grep spf1)" ]; then
  echo "No SPF record found"
fi
```
### Check SPF record length:
```bash
# Use +short and strip the quotes so only the record text is measured, not the
# name/TTL/class prefix. 255 characters is the limit of a single TXT string.
spf_record=$(dig +short TXT example.com | grep "v=spf1" | tr -d '"')
if [ "${#spf_record}" -gt 255 ]; then
  echo "SPF record exceeds length limit"
fi
```
### Validate the DNS lookup limit:
```bash
spf_check=$(dig +short TXT example.com | grep "v=spf1" | tr -d '"')
# include:, a, mx, ptr, exists: and redirect= each cost a DNS lookup (RFC 7208
# allows 10); counting only "include" misses the rest.
lookup_count=$(echo "$spf_check" | tr ' ' '\n' \
  | grep -cE '^[-+~?]?(include:|exists:|redirect=|(a|mx)([:/]|$)|ptr(:|$))')
if [ "$lookup_count" -gt 10 ]; then
  echo "SPF record exceeds the 10 DNS lookup limit"
fi
```
### Query the DKIM record:
```bash
# "default" is the selector; use the selector your mail provider publishes
dig +short TXT default._domainkey.example.com | grep "v=DKIM1"
```
### Validate DKIM record syntax:
```bash
dkim_record=$(dig +short TXT default._domainkey.example.com)
if [[ "$dkim_record" =~ "v=DKIM1" ]]; then
  echo "Valid DKIM record"
else
  echo "Invalid DKIM record syntax"
fi
```
### Check DKIM key length:
```bash
# Extract the base64 public key from the p= tag (long keys are split across
# several quoted strings, hence the quote/space stripping), then let openssl
# report the RSA modulus size; comparing character count to 1024 measures nothing.
dkim_key=$(dig +short TXT default._domainkey.example.com | tr -d '" ' | grep -o 'p=[^;]*' | sed 's/^p=//')
key_bits=$(echo "$dkim_key" | base64 -d 2>/dev/null \
  | openssl rsa -pubin -inform DER -noout -text 2>/dev/null | grep -o '[0-9]* bit' | cut -d' ' -f1)
if [ -z "$key_bits" ] || [ "$key_bits" -lt 1024 ]; then
  echo "DKIM key is missing or too short (below 1024 bits)"
fi
```
### Query the DMARC record:
```bash
dig +short TXT _dmarc.example.com | grep "v=DMARC1"
```
### Validate DMARC record syntax:
```bash
dmarc_record=$(dig +short TXT _dmarc.example.com)
if [[ "$dmarc_record" =~ "v=DMARC1" ]]; then
  echo "Valid DMARC record"
else
  echo "Invalid DMARC record syntax"
fi
```
### Check for a missing DMARC record:
```bash
if [ -z "$(dig +short TXT _dmarc.example.com)" ]; then
  echo "No DMARC record found"
fi
```
### Analyse the DMARC policy:
```bash
# Isolate the p= tag itself: a plain grep "p=" also matches the sp=, rp= and
# pct= tags, so "sp=none" would be misread as a "none" policy.
policy=$(dig +short TXT _dmarc.example.com | tr -d '"' | tr ';' '\n' | sed 's/^ *//' | grep '^p=')
if [[ "$policy" =~ "p=none" ]]; then
  echo "DMARC policy is set to 'none' – no action taken on unauthenticated emails"
elif [[ "$policy" =~ "p=reject" ]]; then
  echo "DMARC policy is set to 'reject' – unauthenticated emails are rejected"
elif [[ "$policy" =~ "p=quarantine" ]]; then
  echo "DMARC policy is set to 'quarantine' – unauthenticated emails are flagged"
else
  echo "No valid p= tag found in the DMARC record"
fi
```
### Query the BIMI record:
```bash
dig +short TXT default._bimi.example.com | grep "v=BIMI1"
```
### Validate BIMI record syntax:
```bash
bimi_record=$(dig +short TXT default._bimi.example.com)
if [[ "$bimi_record" =~ "v=BIMI1" ]]; then
  echo "Valid BIMI record"
else
  echo "Invalid BIMI record syntax"
fi
```
### Validate the BIMI logo URL:
```bash
# Take the value of the l= tag; cutting the whole record on the first "=" would
# yield "BIMI1; l" rather than the URL. BIMI logos must be served over HTTPS.
logo_url=$(dig +short TXT default._bimi.example.com | tr -d '"' | tr ';' '\n' | sed -n 's/^ *l=//p')
if [ -n "$logo_url" ] && curl --output /dev/null --silent --head --fail "$logo_url"; then
  echo "Valid logo URL"
else
  echo "Invalid logo URL"
fi
```
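The SPF lookup-count and DMARC policy checks above can be written as functions that work on record text instead of live `dig` output, which makes them testable offline. The following script is an added example, not part of the original page; the record strings it uses are constructed samples and the function names are this example's own.

```shell
# Added example, not code from the original page: offline SPF and DMARC record
# checks. Pass each function one record's text (dig +short output, quotes stripped).
set -f   # disable globbing: records are split into words below

# Count terms that each cost a DNS lookup under the RFC 7208 limit of 10: include:,
# a, mx, ptr, exists: and redirect=. ip4:/ip6:/all are free, so grep "include" undercounts.
spf_lookup_count() {
  local record="$1" count=0 term
  for term in $record; do
    term="${term#[-+~?]}"                 # drop the qualifier, if any
    case "$term" in
      include:*|exists:*|redirect=*)    count=$((count + 1)) ;;
      a|a:*|a/*|mx|mx:*|mx/*|ptr|ptr:*) count=$((count + 1)) ;;
    esac
  done
  printf '%s\n' "$count"
}

# Print the value of one DMARC tag. Matching the whole tag name means "p" cannot
# match inside "sp=" or "rp=", which a grep for "p=" would.
dmarc_tag() {
  local record="$1" tag="$2" field
  local IFS=';'
  for field in $record; do
    field="${field#"${field%%[![:space:]]*}"}"   # trim leading spaces
    field="${field%"${field##*[![:space:]]}"}"   # trim trailing spaces
    if [ "${field%%=*}" = "$tag" ]; then
      printf '%s\n' "${field#*=}"; return 0
    fi
  done
  return 1
}

# Classify a DMARC record by its p= tag; a record without p= is not valid.
dmarc_verdict() {
  local p
  p=$(dmarc_tag "$1" p) || { echo "invalid: missing p= tag"; return 1; }
  case "$p" in
    none)       echo "monitor-only: unauthenticated mail is still delivered" ;;
    quarantine) echo "quarantine: unauthenticated mail is flagged" ;;
    reject)     echo "reject: unauthenticated mail is refused" ;;
    *)          echo "invalid: unknown policy '$p'"; return 1 ;;
  esac
}
# Constructed sample records (not data from any real domain).
SPF_SAMPLE='v=spf1 ip4:203.0.113.0/24 include:_spf.example.net a mx ~all'
DMARC_SAMPLE='v=DMARC1; p=quarantine; sp=none; rua=mailto:dmarc@example.com'
echo "SPF lookups: $(spf_lookup_count "$SPF_SAMPLE") of 10 allowed"
dmarc_verdict "$DMARC_SAMPLE"
```

To check a live domain, pipe `dig +short TXT example.com | tr -d '"'` into these functions in place of the sample strings.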
## Links
## Standards
- SOC2_CONTROLS:
  - CC_6_1
  - CC_6_6
  - CC_6_7
  - CC_7_1
  - CC_7_2
  - CC_7_3
  - CC_7_4
  - CC_8_1
  - CC_9_1
  - CC_9_2
- PCI_STANDARDS:
  - REQ_12_3
  - REQ_12_10
- CCPA:
  - CCPA_1798_150
- GDPR:
  - ART_24
  - ART_32
  - ART_33
  - ART_34
- CWE_TOP_25:
  - CWE_787
  - CWE_125
  - CWE_416
  - CWE_119
- HIPAA_CONTROLS:
  - SECURITY212
  - SECURITY213