Here is a brief tutorial on how to check that your domain’s SPF and DKIM spam protection measures are configured correctly. These domain name records are used to prevent spammers from sending email with a forged sender address in your domain.
This blog post only discusses testing these measures; there are plenty of online tutorials available on how to set up the protection for your domain.
1. Checking your domain’s SPF and DKIM records, SpamAssassin score
You can check your DKIM signature online using this great emailtest service by Brandon Checketts. You get a random email address to which you send a test email, and the results of the delivery are shown online.
Port25 Solutions provides an alternative service: you send an email to it and it returns the SPF and DKIM verification status in a reply message. Getting a reply from this service takes about 30 minutes.
Below is an example of how to send a test email from the Django shell. Use the equivalent method of your web framework to send the test email. On plain UNIX you can always use the command-line mail command to send a test email from your shell.
    from django.core.mail import send_mail
    send_mail("test subject", "test message", from_email="mikko@example.com", recipient_list=["example@www.brandonchecketts.com"])
Then you see the output online on the site above, such as the SpamAssassin results:
    SpamAssassin Score: -2.011
    Message is NOT marked as spam
    Points breakdown:
    -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, low trust
         [198.2.128.3 listed in list.dnswl.org]
    -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
    -0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
    -0.0 SPF_PASS SPF: sender matches SPF record
    -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
         [score: 0.0000]
    -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain
     0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
    -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
     0.0 MSGID_FROM_MTA_HEADER Message-Id was added by a relay
Here is yet another SPF Policy Tester where you can enter your SMTP server IP address and domain name.
2. Testing forged email send
You also need to test that email receivers (GMail, Yahoo, HotMail) actually filter out messages based on the SPF test. This can be easily done by sending forged emails using the SMTP server of your local ISP. Telnet to the SMTP server directly and then type out the SMTP commands by hand.
Here is an example SMTP chat with a Finnish ISP’s outgoing SMTP server.
    telnet posti.example.com 25
    EHLO mikkos-imac
    MAIL FROM: <mikko@sender.example.com>
    RCPT TO: <mikko9999999@gmail.com>
    DATA
    test
    .
3. GMail and SPF records
GMail does not seem to make spam decisions based solely on the SPF result, whether hardfail (-all) or softfail (~all). Thus, it seems to be very difficult to make GMail discard spam and phishing attacks sent in your domain’s name. Here is the example message from above, as received by GMail; it is delivered to the inbox regardless of the domain’s SPF settings.
    Delivered-To: mikko@receiver.example.com
    Received: by 10.14.22.4 with SMTP id s4csp70004ees;
            Wed, 19 Feb 2014 00:49:41 -0800 (PST)
    X-Received: by 10.43.65.145 with SMTP id xm17mr25876368icb.35.1392799780856;
            Wed, 19 Feb 2014 00:49:40 -0800 (PST)
    Return-Path: <mikko@sender.example.com>
    Received: from gw03.mail.visulahti.fi (gw03.mail.visulahti.fi. [1.1.1.1])
            by mx.google.com with ESMTPS id sc10si873225igb.31.2014.02.19.00.49.37
            for <mikko@receiver.example.com>
            (version=TLSv1 cipher=RC4-SHA bits=128/128);
            Wed, 19 Feb 2014 00:49:40 -0800 (PST)
    Received-SPF: softfail (google.com: domain of transitioning mikko@sender.example.com does not designate 1.1.1.1 as permitted sender) client-ip=1.1.1.1;
    Authentication-Results: mx.google.com;
            spf=softfail (google.com: domain of transitioning mikko@sender.example.com does not designate 1.1.1.1 as permitted sender) smtp.mail=mikko@sender.example.com
    Received: from mikkos-imac (a91-154-153-67.pulina-laajakaista.fi [1.1.1.2])
            by gw03.mail.visulahti.fi (Postfix) with ESMTP id D639D216ADF
            for <mikko@receiver.example.com>; Wed, 19 Feb 2014 10:49:13 +0200 (EET)
    Message-Id: <20140219084922.D639D216ADF@gw03.mail.visulahti.fi>
    Date: Wed, 19 Feb 2014 10:49:13 +0200 (EET)
    From: mikko@sender.example.com
    To: undisclosed-recipients:;

    Test mail
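As an added example (not part of the original post): rather than reading such headers by eye, the receiver's verdict can be extracted from the Authentication-Results header with Python's standard email module. The sample message is constructed from the headers above; the function names and the trusted_authserv parameter are assumptions of this example.

```python
import re
from email import message_from_string

# Constructed sample, modelled on the headers of the Gmail message above.
SAMPLE = """\
Return-Path: <mikko@sender.example.com>
Received-SPF: softfail (google.com: domain of transitioning
 mikko@sender.example.com does not designate 1.1.1.1 as permitted sender)
 client-ip=1.1.1.1;
Authentication-Results: mx.google.com;
 spf=softfail (google.com: domain of transitioning mikko@sender.example.com
 does not designate 1.1.1.1 as permitted sender)
 smtp.mail=mikko@sender.example.com
From: mikko@sender.example.com
To: undisclosed-recipients:;

Test mail
"""

METHOD_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)
COMMENT_RE = re.compile(r"\([^()]*\)")


def auth_verdicts(raw_message, trusted_authserv="mx.google.com"):
    """Return the receiver's SPF/DKIM/DMARC results ('none' if not recorded)."""
    verdicts = {"spf": "none", "dkim": "none", "dmarc": "none"}
    msg = message_from_string(raw_message)
    for header in msg.get_all("Authentication-Results", []):
        value = " ".join(header.split())            # unfold continuation lines
        authserv = value.split(";", 1)[0].split()
        # Anyone can put this header in a message; only count the one stamped
        # by the receiving server we trust (its authserv-id comes first).
        if not authserv or authserv[0].lower() != trusted_authserv.lower():
            continue
        # Drop (comments): they may contain text that looks like method=result.
        value = COMMENT_RE.sub(" ", value)
        for method, result in METHOD_RE.findall(value):
            if verdicts[method.lower()] != "pass":  # one passing signature is enough
                verdicts[method.lower()] = result.lower()
    return verdicts


def is_unauthenticated(raw_message, trusted_authserv="mx.google.com"):
    """True when neither SPF nor DKIM passed at the trusted receiver."""
    v = auth_verdicts(raw_message, trusted_authserv)
    return v["spf"] != "pass" and v["dkim"] != "pass"
```

Set trusted_authserv to the authserv-id that your own receiving server writes at the start of the header.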
If anyone knows how to make GMail honor SPF, or ignore forged sender messages, please let me know.
You need to make sure that your SPF record includes your server, and relay server.
For example: TXT: “v=spf1 a mx a:smtp.transip.nl include:_spf.google.com ip4:11.22.33.44 ~all”
This:
– accepts the server mentioned in the A record
– accepts the server mentioned in the MX record.
– accepts my relay server.
– accepts Google Apps (which my domain uses)
– accepts another server, mentioned by IP address.
– soft-rejects everything else.
See http://www.openspf.org/SPF_Record_Syntax
Secondly, you need to configure:
SERVER_EMAIL
DEFAULT_FROM_EMAIL
EMAIL_SUBJECT_PREFIX # Optional
or even better, use postfix sender_canonical to make sure emails like “root@localhost” get rewritten to “root@servername.fqdn.ext”, using something like:
/^(.*)@localhost$/ ${1}@my-full-server-name
in the sender_canonical file.
I don’t want to re-invent the wheel :-), please see the link below (which I used some time ago to set up gmail for business on a third party domain); it explains about (1) adding a dkim key (2) adding one of the google provided spf record information (specific to ‘gmail for business’ on third party domain)
https://support.google.com/a/answer/174124?hl=en
happy hacking 🙂
SPF records, when checked in GMAIL codes, appear as pass, but when checked in senderscore or mxtoolbox it says records not found.
What seems to be the reason for this? Has anyone faced such situations in the past? Check it yourself: arrivalshop.com, fitternity.com
I got results as it is with Rinkesh.
Looking for some help as a novice email marketer. I have a domain name that I want to use as a sender email. Below are the points that I feel are working against me and need help with.
Can you suggest fixes to this?
How to create correct spf records?
Can I get correct DKIM key and update it or it has been done by the domain name host?
SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)
SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)
HTTP_ESCAPED_HOST URI: Uses %-escapes inside a URL’s hostname
DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
T_DKIM_INVALID DKIM-Signature header exists but is not valid
Any help in this ref will be appreciated.
Please read the blog post for more information. If the content is too in depth try to find a person who can provide technical help for you.
Adding your own domain name to your list of allowed domain names, despite the fact that you shouldn’t need to, got gmail to actually “sendas” for me.
A bit late possibly but if you want Google to honor SPF you need to use DMARC. “-all” is not enough to refuse emails, not even to mark them as spam.
This tool is not showing my website results. Why?