Here is a brief tutorial how to check if your domain’s SPF and DKIM spam protection measurements are configured correctly. These domain name records are used to prevent spammers sending email and forging the sender’s address to be your domain.
Table Of Content
This blog discussed only about testing there measurements; there are plenty of online tutorials available how to setup the protection for your domain.
1. Checking your domain’s SPF and DKIM records, SpamAssassin score
You can check DKIM signature online using this great emailtest service by Brandon Checketts. You will get a random email address where you send in a test email and the results of the email delivery are shown online.
port25 solutions provides an alternative service where you can send inbound email and it will return the SPF and DKIM verification status back in the return message. Getting a reply from this service takes like 30 minutes.
Below is an example how to send out a test email from Django shell. Use the related method of your web framework sending out the test email. For plain UNIX you can always use command line mail command to send out a test email from your shell.
from django.core.mail import send_mail send_mail("test subject", "test message", from_email="[email protected]", recipient_list=["[email protected]"])
Then you see the output online on the site above, like SpamAssassin results:
SpamAssassin Score: -2.011 Message is NOT marked as spam Points breakdown: -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, low trust [18.104.22.168 listed in list.dnswl.org] -0.0 SPF_HELO_PASS SPF: HELO matches SPF record -0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay domain -0.0 SPF_PASS SPF: sender matches SPF record -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.0 MSGID_FROM_MTA_HEADER Message-Id was added by a relay
Here is yet another SPF Policy Tester where you can enter your SMTP server IP address and domain name.
2. Testing forged email send
You also need to test that email receivers (GMail, Yahoo, HotMail) actually filter out messages based on the SPF test. This can be easily done by sending forged emails using the SMTP server of your local ISP. Telnet to SMTP server directly and then type out SMTP commands by hand.
Here is an example SMTP chat with a Finnish ISP’s outgoing SMTP server.
telnet posti.example.com 25 EHLO mikkos-imac MAIL FROM: <[email protected]> RCPT TO: <[email protected]> DATA test .
3. GMail and SPF records
GMail does not seem to take spam decisions solely on either SPF hardfail -all or softfail ~all test. Thus, it seems to be very difficult to make GMail to discard spam and phishing attacks send in your domain’s name. Here is an example message from the above, as received by a GMail, which is delivered to inbox regardless of the domain SPF settings.
Delivered-To: [email protected] Received: by 10.14.22.4 with SMTP id s4csp70004ees; Wed, 19 Feb 2014 00:49:41 -0800 (PST) X-Received: by 10.43.65.145 with SMTP id xm17mr25876368icb.35.1392799780856; Wed, 19 Feb 2014 00:49:40 -0800 (PST) Return-Path: <[email protected]> Received: from gw03.mail.visulahti.fi (gw03.mail.visulahti.fi. [22.214.171.124]) by mx.google.com with ESMTPS id sc10si873225igb.31.2014.02.19.00.49.37 for <[email protected]> (version=TLSv1 cipher=RC4-SHA bits=128/128); Wed, 19 Feb 2014 00:49:40 -0800 (PST) Received-SPF: softfail (google.com: domain of transitioning [email protected] does not designate 126.96.36.199 as permitted sender) client-ip=188.8.131.52; Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning [email protected] does not designate 184.108.40.206 as permitted sender) smtp.mail=[email protected] Received: from mikkos-imac (a91-154-153-67.pulina-laajakaista.fi [220.127.116.11]) by gw03.mail.visulahti.fi (Postfix) with ESMTP id D639D216ADF for <[email protected]>; Wed, 19 Feb 2014 10:49:13 +0200 (EET) Message-Id: <[email protected]> Date: Wed, 19 Feb 2014 10:49:13 +0200 (EET) From: [email protected] To: undisclosed-recipients:; Test mail
If anyone knows how to make GMail to honor SPF, or to ignore forged sender messages, please let me know.