Checking your domain’s DKIM, SPF and spam record status for outgoing SMTP mail

Here is a brief tutorial how to check if your domain’s SPF and DKIM spam protection measurements are configured correctly. These domain name records are used to prevent spammers sending email and forging the sender’s address to be your domain.

This blog discussed only about testing there measurements; there are plenty of online tutorials available how to setup the protection for your domain.

1. Checking your domain’s SPF and DKIM records, SpamAssassin score

You can check DKIM signature online using this great emailtest service by Brandon Checketts. You will get a random email address where you send in a test email and the results of the email delivery are shown online.

port25 solutions provides an alternative service where you can send inbound email and it will return the SPF and DKIM verification status back in the return message. Getting a reply from this service takes like 30 minutes.

Below is an example how to send out a test email from Django shell. Use the related method of your web framework sending out the test email. For plain UNIX you can always use command line mail command to send out a test email from your shell.

from django.core.mail import send_mail
send_mail("test subject", "test message", from_email="mikko@example.com", recipient_list=["example@www.brandonchecketts.com"])

Then you see the output online on the site above, like SpamAssassin results:

SpamAssassin Score: -2.011
Message is NOT marked as spam
Points breakdown: 
-0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at http://www.dnswl.org/, low
                            trust
                            [198.2.128.3 listed in list.dnswl.org]
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
-0.0 T_RP_MATCHES_RCVD      Envelope sender domain matches handover relay
                            domain
-0.0 SPF_PASS               SPF: sender matches SPF record
-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                            [score: 0.0000]
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's
                            domain
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 0.0 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay

Here is yet another SPF Policy Tester where you can enter your SMTP server IP address and domain name.

2. Testing forged email send

You also need to test  that email receivers (GMail, Yahoo, HotMail) actually filter out messages based on the SPF test. This can be easily done by sending forged emails using the SMTP server of your local ISP. Telnet to SMTP server directly and then type out SMTP commands by hand.

Here is an example SMTP chat with a Finnish ISP’s outgoing SMTP server.

telnet posti.example.com 25

EHLO mikkos-imac
MAIL FROM: <mikko@sender.example.com>
RCPT TO: <mikko9999999@gmail.com>


DATA

test

.

3. GMail and SPF records

GMail does not seem to take spam decisions solely on either SPF hardfail -all or softfail ~all test. Thus, it seems to be very difficult to make GMail to discard spam and phishing attacks send in your domain’s name. Here is an example message from the above, as received by a GMail, which is delivered to inbox regardless of the domain SPF settings.

   
Delivered-To: mikko@receiver.example.com
Received: by 10.14.22.4 with SMTP id s4csp70004ees;
        Wed, 19 Feb 2014 00:49:41 -0800 (PST)
X-Received: by 10.43.65.145 with SMTP id xm17mr25876368icb.35.1392799780856;
        Wed, 19 Feb 2014 00:49:40 -0800 (PST)
Return-Path: <mikko@sender.example.com>
Received: from gw03.mail.visulahti.fi (gw03.mail.visulahti.fi. [1.1.1.1])
        by mx.google.com with ESMTPS id sc10si873225igb.31.2014.02.19.00.49.37
        for <mikko@receiver.example.com>
        (version=TLSv1 cipher=RC4-SHA bits=128/128);
        Wed, 19 Feb 2014 00:49:40 -0800 (PST)
Received-SPF: softfail (google.com: domain of transitioning mikko@sender.example.com does not designate 1.1.1.1 as permitted sender) client-ip=1.1.1.1;
Authentication-Results: mx.google.com;
       spf=softfail (google.com: domain of transitioning mikko@sender.example.com does not designate 1.1.1.1 as permitted sender) smtp.mail=mikko@sender.example.com
Received: from mikkos-imac (a91-154-153-67.pulina-laajakaista.fi [1.1.1.2])
    by gw03.mail.visulahti.fi (Postfix) with ESMTP id D639D216ADF
    for <mikko@receiver.example.com>; Wed, 19 Feb 2014 10:49:13 +0200 (EET)
Message-Id: <20140219084922.D639D216ADF@gw03.mail.visulahti.fi>
Date: Wed, 19 Feb 2014 10:49:13 +0200 (EET)
From: mikko@sender.example.com
To: undisclosed-recipients:;

Test mail

If anyone knows how to make GMail to honor SPF, or to ignore forged sender messages, please let me know.

 

Buy open source friendly bitcoins  Subscribe to this blog in a reader Follow me on Twitter Follow me on Facebook Follow me Google+

2 thoughts on “Checking your domain’s DKIM, SPF and spam record status for outgoing SMTP mail

  1. You need to make sure that your SPF record includes your server, and relay server.

    For example: TXT: “v=spf1 a mx a:smtp.transip.nl include:_spf.google.com ip4:11.22.33.44 ~all”

    This:
    - accepts the server mentioned in the A record
    - accepts the server mentioned in the MX record.
    - accepts my relay server.
    - accepts Google Apps (which my domain uses)
    - accepts another server, mentioned by IP address.
    - soft-rejects everything else.

    See http://www.openspf.org/SPF_Record_Syntax

  2. Secondly, you need to configure:

    SERVER_EMAIL
    DEFAULT_FROM_EMAIL
    EMAIL_SUBJECT_PREFIX # Optional

    or even better, use postfix sender_canonical to make sure emails like “root@localhost” get rewritten to “root@servername.fqdn.ext”, using something like:

    /^(.*)@localhost$/ ${1}@my-full-server-name

    in the sender_canonical file.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>