DKIM and SPF Checkers: How Do They Work?
DKIM and SPF Checkers: How Do They Work, Syntax, Record Validity, and More
Table of Contents
Preface
In the first quarter of 2022, financial institutions were targets of 23.6% of total phishing attacks across the globe. This was followed by web-based software services and webmail, which accounted for 20.5 percent of attacks. Statistics like these make it vital to know about DKIM and SPF checkers and ways to get non-erroneous records for effective email authentication exercises.
The blog focuses on discussing what is SPF, DKIM, and how to perform their respective lookups using professional tools.
What is SPF?
SPF stands for Sender Policy Framework, an email authentication protocol that protects your email-sending domain against phishing and spoofing attacks attempted in your company’s name. It works by requiring you to create and submit a list of servers allowed to send emails from your domain. Once created, you add the list to DNS to help receivers’ servers check if the senders of emails sent from your domain are actually who they are claiming to be.
Any email-sending server outside of the list is flagged, and the message’s entry is rejected. SPF mechanisms use the return-path address domain to check the SPF record. The IETF, under section RFC 7208, defines SPF policies that are used across the globe.
What is an SPF Record in DNS?
Before moving onto discussing about what is an online SPF checker, let’s understand what is an SPF record. An SPF record is a DNS TXT record commonly used in the email authentication process. It contains a list of servers and domains allowed to send emails from that domain. It lets domain administrator enter arbitrary text into the DNS. Using the MxToolbox SPF checker and updating SPF record, you can detect and avert threat actors from sending fraudulent emails by impersonating you or your employees.
SPF Record Structure and Components
An SPF record checker works on the basis of tags that help maintain a record easily. An SPF record begins with the ‘v=’ element, which specifies the version used. Currently, SPF1 is the version identified by all major mail exchanges.
SPF components are categorized as mechanisms, qualifiers, and modifiers.
Mechanisms
An SPF format checker has 8 mechanisms in total.
- ALL: The mechanism always matches, and you see default results like ‘-all’ for unmatching IPs.
- A: All domain names having A or AAAA record match since they can be resolved to the sender’s address.
- IP4: The SPF validation match is successful if the sender is linked to the given IPv4 address range.
- IP6: The SPF validation match is successful if the sender is linked to the given IPv6 address range.
- MX: The receiver’s server considers the sending address legitimate when their domain name includes an MX record for resolution.
- PTR: The SPF match is validated if the PTR record is linked to a given domain directed to the client’s address. Experts discourage its use as it can block both legitimate and illegitimate emails sent from your domain.
- EXISTS: It works if the given domain name is validated. This SPF mechanism functions with all resolved addresses.
- INCLUDE: The ‘include’ tag specifies other domain policies. So, if that passes, it passes automatically. However, if the included policy fails, processing continues.
Qualifiers
You can combine each mechanism with one of four qualifiers.
- ‘+’ for PASS result
- ‘?’ for a NEUTRAL result interpreted like NONE policy.
- ‘~’ for SOFTFAIL. Emails that return a SOFTFAIL are accepted but tagged.
- ‘-’ for FAIL, the receiver’s mailbox rejects the entry of unauthorized emails.
Modifiers
Modifiers are responsible for formatting the SPF record’s working parameters. It has a name or value pair separated by the ‘=’ sign that shows additional details. You can find them multiple times at the end of a record. Note that all the unrecognized modifiers are ignored in the process.
The ‘redirect’ modifier takes you to other SPF records meant for non-erroneous functioning. It’s used when more than one domain is resolved to the same SPF record and if a specific entity manages all the domains; otherwise, the ‘include’ modifier is used.
What is an SPF Record Checker?
An SPF record checker is a tool that behaves as an SPF record lookup and validator. It examines your SPF record for the queried domain name, shows existing records (if any), and processes multiple diagnostic tests against the record to flag errors impacting your domain’s email deliverability.
You can perform these validations using a credible SPF checker tool that displays results within seconds. It may also help you validate any updates you applied to your SPF record. It’s encouraged to be careful while testing updates with an SPF lookup checker before applying them to a DNS record.
What is an Invalid SPF Record?
An invalid SPF record is invalid when the ‘SPF validation failed’ error pops up. It comes either when the sender domain registers the wrong SPF record or when they use a spoofed email address. Thus, publishing it through DNS is recommended while complying with RFC 4408 section 3.1.
You should also incorporate all providers’ details if multiple vendors manage your email. This prevents unnecessary issues which may cause an invalid SPF record.
How to Check If SPF Record is Valid?
You’ll have to use an SPF record syntax checker to check if your record is published and valid. All you need to do is enter the domain name in the box, and you’ll receive reports for the queried domain momentarily.
What Factors are Included in the Google SPF Checker’s Process?
This is what a Dmarcian SPF record checker will validate SPF records on-
SPF Record Existence
The foremost thing an SPF checker does is see if an SPF record for your domain exists.
Multiple SPF Records in DNS
Technically, you can’t have more than one SPF record in DNS for each SPF version. When you publish multiple records, all of them get invalidated. That’s why you must always update your SPF record instead of creating and publishing new ones beside the existing one.
Maximum Lookup Limit
A limit of 10 DNS lookups is required to resolve an SPF record. This is implied to protect your domain from Denial of Service (DoS) attacks and overusing validators’ resources like bandwidth and CPU strength. If you exceed the 10 DNS lookup limit, you’ll see the SPF permerror ‘too many DNS lookups,’ and your messages won’t reach the desired recipients’ inboxes.
PTR Mechanism
PTR is a deprecated mechanism, and many senders will completely ignore your SPF record if you use it. Its function is the opposite of an A record, as it resolves an IP address to its corresponding domain name.
It’s a slow and unreliable mechanism as compared to others.
+All Mechanism
When you use the ‘all’ mechanism with a ‘+’ qualifier, you let anybody send emails using your domain. This is why the bulk SPF checker inspects the usage of the ‘+all’ mechanism in your SPF record. Your SPF tries matching the sending source to another mechanism. However, if it doesn’t succeed in this attempt, the default settings allow the source, and therefore this combination is discouraged.
Invalid Macro
Our SPF checker examines and validates all the macros used by you. SPF macro is a widely used supported feature of the SPF specification that suggests solutions to issues.
Record Termination Missing
A credible checker for SPF verifies if your record has a ‘default’ fall back mechanism. It can either be an ‘all’ mechanism or a ‘redirect’ modifier.
Multiple Fall Back Scenarios
A valid SPF record has one fall-back scenario.
Uppercase SPF
SPF record syntax checker looks over if you’ve used uppercase characters in your record. It isn’t mandatory to use lowercase letters, but it’s considered the best practice.
Once SPF checker Google takes your record through all these checks, you can safely update it in your DNS.
What is DKIM?
DKIM stands for DomainKeys Identified Mail, another email authentication protocol based on the concept of cryptography, where a message is encrypted and decrypted using keys. The sending server signs an email header with a key that the receiving server uses to verify the authenticity. The key is divided into two parts; public key and private key.
The public part of the key is stored in the openly accessible DNS zone of the sending domain, whereas the mail server or mail service provider secretly stores the private key. Receiver’s server matches both keys; if the match is successful, DKIM authentication passes, otherwise, it fails.
What is a DKIM Record?
DKIM record is a DNS syntax in TXT format where the selector and public key are stored for the DKIM verification process. It’s stored in the DNS server of the domain name used for sending emails.
A DKIM selector is text added to the domain to generate a unique DNS record used during DKIM implementation.
What is a DKIM Record Checker?
DKIM checker is a tool that performs a DKIM record test against a domain name and selector for a valid published DKIM key record. It’s a domain-level digital signature-based verification process that protects your brand from impersonation and spoofing attacks.
The steps to use both DKIM and SPF checkers are quite similar. You can check a DKIM record using a domain and selector separated by a colon, or you can alternatively use the host/name format of the record.
What Does DKIM Checker Do?
DKIM checkers looks up for the following things-
- If a DKIM TXT record is published in DNS for the queried domain.
- Examines the published DKIM TXT record syntax.
- Validates DKIM public key linked with the selector.
Final Thoughts
Email SPF and DKIM checkers evaluates your records to keep them error-free. Records with syntax and other errors fail to perform the authorization checks and you become prone to spamming and phishing attacks.
An SPF checker examines the number of lookups, use of PTR and +ALL mechanisms, invalid macros, uppercase letters, etc.
A DKIM checker evaluates the queried record for syntax error and validate the DKIM public key linked with the selector.
