Sender Policy Framework (SPF): Provides sender authentication for the 5321.MailFrom address (also known as the P1 address) and specifies the mail servers that are allowed to send email as your domain.
The recipient MTA queries the SPF record of the domain received in the 5321.MailFrom address and validates whether the connecting IP (client-ip) is included in that record.
To check the SPF record for any domain using PowerShell, run a command like the one below.
>Resolve-DnsName lab365.in -Type txt | ? {$_.strings -match "SPF"}

Name      Type TTL  Section Strings
----      ---- ---  ------- -------
lab365.in TXT  1800 Answer  {v=spf1 include:spf.protection.outlook.com -all}

SPF authentication details from message header:
Received-SPF: pass (google.com: domain of labadmin@lab365.in designates 2a01:111:f400:fea4::60a as permitted sender) client-ip=2a01:111:f400:fea4::60a;
As you can see, the SPF authentication result above is pass, because the client IP was found in the SPF record as a permitted sender.
- Perform a TXT lookup for the domain available in the signature; the recipient MTA constructs the lookup name as ("s=" + "._domainkey." + "d=").
- If the DNS record exists, fetch the public key to decrypt the value in the "b=" tag.
- Recalculate the hash value and match it with the hash value in the "bh=" tag; the hash value is calculated using the properties included in the "h=" tag.
- If the hash and the domain from the decrypted data match the signature domain in the "d=" tag, DKIM authentication is considered a pass.
>Resolve-DnsName selector2._domainkey.lab365.in -Type txt

Name                           Type  TTL  Section NameHost
----                           ----  ---  ------- --------
selector2._domainkey.lab365.in CNAME 3600 Answer  selector2-lab365-in._domainkey.brocode.onmicrosoft.com

Name      : selector2-lab365-in._domainkey.brocode.onmicrosoft.com
QueryType : TXT
TTL       : 3600
Section   : Answer
Strings   : {v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6zwJ/L9U6D+AkKu/A4WvM3pHi1EtroHwEHwOzJ+WftL0VSrDGR0vLY3F0FzD37wA6kfs9X6+ufGHH/sMg/9p hVWiUtZ4kJM6dNYj75VT6BFu1XXYTGrltHg4niiHXN3YGibgsyLfzBahPQL/J9XNXFaKyPsyxoX5F/VKlHeizdl1rMeeeWS6yU4clqusbRDYz, ttf5VuhLegUognoOd1fyOIXvdUfWhygZ0FNK 9wJIlwXR3Ji/D/vZoYPtlce3txrCowhUW8Qsrx7YzTfF6Cu2md4rDVolxzpwr4rmMpxCwbpiWoxWc2k5l41e/7Bg/HJHJxKEEk/RE2aDICZ/rzKHQIDAQAB;}

Authentication-Results: mx.google.com; dkim=pass header.i=@lab365.in header.s=selector2 header.b=nvY2glLp; spf=pass (google.com: domain of labadmin@lab365.in designates 2a01:111:f400:fea4::60a as permitted sender) smtp.mailfrom=labadmin@lab365.in; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=lab365.in
The authentication results above are from Google. DMARC passed because the header.from domain (lab365.in) matches the SPF and DKIM domains in smtp.mailfrom and header.i. If none of those had matched, the recipient MTA would check the policy defined in the "p=" tag of the header.from domain's DMARC record to decide what action to take.
To check the policy using PowerShell, use the command below.
Pattern used to construct the DMARC TXT record DNS lookup: <"_dmarc." + "header.from domain">
>Resolve-DnsName _dmarc.lab365.in -Type txt

Name             Type TTL  Section Strings
----             ---- ---  ------- -------
_dmarc.lab365.in TXT  3600 Answer  {v=DMARC1; p=quarantine; pct=100; rua=mailto:labadmin@lab365.in; aspf=s; adkim=r;}

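The DMARC decision described above, as an added example (not code from the original post): it reads an Authentication-Results header and the DMARC record shown on this page, then applies the aspf/adkim alignment modes. The function names are hypothetical, the organizational domain is approximated as the last two labels (real receivers use the Public Suffix List), and the pct tag is ignored.

```python
import re

def parse_tags(record):
    """Split a 'tag=value; tag=value' DMARC TXT record into a dict."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def org_domain(domain):
    # Assumption: last two labels; real receivers use the Public Suffix List.
    return ".".join(domain.split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """mode 's' = strict (exact match), 'r' = relaxed (same org domain)."""
    if not auth_domain or not from_domain:
        return False
    if mode == "s":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)

def parse_auth_results(header):
    """Extract each verdict and the domain it applies to."""
    def grab(pattern):
        m = re.search(pattern, header, re.I)
        return m.group(1).lower() if m else None
    addr = r"=(?:[^\s;@]*@)?([\w.-]+)"  # optional local part, then domain
    return {"spf": grab(r"\bspf=(\w+)"), "dkim": grab(r"\bdkim=(\w+)"),
            "mailfrom": grab(r"smtp\.mailfrom" + addr),
            "dkim_domain": grab(r"header\.[di]" + addr),
            "from": grab(r"header\.from" + addr)}

def evaluate_dmarc(auth_results, dmarc_record):
    """Return (dmarc_result, action); one aligned pass is sufficient."""
    r, policy = parse_auth_results(auth_results), parse_tags(dmarc_record)
    spf_ok = r["spf"] == "pass" and aligned(
        r["mailfrom"], r["from"], policy.get("aspf", "r"))
    dkim_ok = r["dkim"] == "pass" and aligned(
        r["dkim_domain"], r["from"], policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy.get("p", "none").lower()

# DMARC record and header values as shown on the page (comments trimmed).
RECORD = "v=DMARC1; p=quarantine; pct=100; rua=mailto:labadmin@lab365.in; aspf=s; adkim=r;"
PAGE_HEADER = ("mx.google.com; dkim=pass header.i=@lab365.in header.s=selector2; "
               "spf=pass smtp.mailfrom=labadmin@lab365.in; header.from=lab365.in")
# Constructed sample: SPF passes for a subdomain envelope sender, DKIM fails.
SUBDOMAIN = ("mx.example; dkim=fail header.i=@lab365.in; "
             "spf=pass smtp.mailfrom=bounce@mail.lab365.in; header.from=lab365.in")
print(evaluate_dmarc(PAGE_HEADER, RECORD), evaluate_dmarc(SUBDOMAIN, RECORD))
```

With the page's aspf=s, the constructed subdomain sample fails DMARC and the p=quarantine action applies; under aspf=r the same message would pass on SPF alignment.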
Why set up a DMARC record? DMARC provides the following:
- Spoof protection for your domain with the help of SPF and DKIM records.
- Forensic reports for messages that failed DMARC are sent back to the email address in the ruf= tag; these emails can be used to investigate and fix the issues causing DMARC to fail.
- Aggregate reports are sent back as an XML attachment to the email addresses in the rua= tag.
  - Total messages DMARC compliant
  - Total messages DMARC non-compliant
  - Total messages forwarded
  - Total unknown (host without any PTR record)