```python
import dns.resolver

# Checking for common misconfigurations in SPF, DKIM, and DMARC records

def check_spf_misconfigurations(record):
    issues = []
    if 'all' in record:
        if '+all' in record:
            issues.append("SPF configured to allow all hosts.")
    return issues


def check_dkim_misconfigurations(record):
    issues = []
    if 'k=rsa;' not in record:
        issues.append("DKIM is not using RSA for signing.")
    return issues


def check_dmarc_misconfigurations(record):
    issues = []
    if 'p=none' in record:
        issues.append("DMARC policy is set to 'none'.")
    return issues


def check_email_security(domain):
    all_issues = {}

    # Check SPF record: the domain's TXT records, filtered to the one carrying v=spf1
    spf_issues = []
    try:
        spf_record = dns.resolver.resolve(domain, 'TXT')
        spf_texts = [r.to_text() for r in spf_record if 'v=spf1' in r.to_text()]
        if spf_texts:
            spf_issues = check_spf_misconfigurations(spf_texts[0])
        else:
            # TXT records exist but none of them is an SPF record
            spf_issues.append("No SPF record found.")
    except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN):
        spf_issues.append("No SPF record found.")
    all_issues['SPF'] = spf_issues

    # Check DKIM record: the selector is not discoverable from DNS, so 'selector1'
    # is hard-coded here; a real tool needs the selector as an input
    dkim_issues = []
    try:
        dkim_record = dns.resolver.resolve(f"selector1._domainkey.{domain}", 'TXT')
        dkim_text = dkim_record[0].to_text()
        dkim_issues = check_dkim_misconfigurations(dkim_text)
    except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN):
        dkim_issues.append("No DKIM record found.")
    all_issues['DKIM'] = dkim_issues

    # Check DMARC record, published at _dmarc.<domain>
    dmarc_issues = []
    try:
        dmarc_record = dns.resolver.resolve(f"_dmarc.{domain}", 'TXT')
        dmarc_text = dmarc_record[0].to_text()
        dmarc_issues = check_dmarc_misconfigurations(dmarc_text)
    except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN):
        dmarc_issues.append("No DMARC record found.")
    all_issues['DMARC'] = dmarc_issues

    return all_issues


domain = "example.com"
issues = check_email_security(domain)
for key, value in issues.items():
    if value:
        print(f"Potential {key} issues for {domain}:")
        for issue in value:
            print(f"- {issue}")
```
Explanation

- SPF Checks: 'all' should not be configured to allow all hosts (+all). This is a common misconfiguration that basically nullifies the purpose of having an SPF record.
- DKIM Checks: The key algorithm (k=) should be RSA. If it's not, that's a potential problem as RSA is the recommended signing algorithm.
- DMARC Checks: A common misconfiguration is having the policy (p=) set to 'none', which means that the DMARC policy will not take any action against emails that fail the DMARC checks.

This should give you a starting point to build a more comprehensive tool.
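The three checks in the snippet are plain substring matches, so they miss cases a defender would want flagged (a bare `all` or `?all`, mechanisms placed after `all`, more than ten DNS-querying terms, a revoked DKIM key, `sp=none` or a low `pct=` in DMARC) and they mis-flag a DKIM record with no `k=` tag, which per RFC 6376 simply defaults to rsa (ed25519 keys, RFC 8463, are also valid). The following is an added example, not code from the post or from the Spoofy project: it parses each record type properly and runs offline against constructed sample strings. The sample records, the message texts, and the 300-character threshold used as a rough stand-in for "RSA key shorter than 2048 bits" are assumptions of this example.

```python
import re

# Constructed sample records (not real DNS data): the strings a TXT lookup
# would return, with the surrounding quotes already removed.
SAMPLE_RECORDS = {
    "spf": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net +all",
    "dkim": "v=DKIM1; k=rsa; t=y; p=MIGfMA0G" + "A" * 208,  # placeholder key, 1024-bit length
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}

# Terms that cost a DNS lookup under RFC 7208's limit of 10 per evaluation.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)")


def parse_tags(record):
    """Split a DKIM or DMARC 'tag=value; tag=value' record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record):
    issues = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["Not an SPF record: must start with v=spf1."]
    all_positions = [i for i, t in enumerate(terms) if t.lower().lstrip("+-~?") == "all"]
    if not all_positions:
        issues.append("No 'all' mechanism: unlisted senders get an implicit neutral result.")
    else:
        last = all_positions[-1]
        qualifier = terms[last][0] if terms[last][0] in "+-~?" else "+"  # bare 'all' means '+all'
        if qualifier == "+":
            issues.append("'+all' passes every sender; use '-all' or '~all'.")
        elif qualifier == "?":
            issues.append("'?all' is neutral and gives receivers nothing to act on.")
        # Mechanisms (terms without '=') after 'all' are never evaluated; modifiers may follow
        if any("=" not in t for t in terms[last + 1:]):
            issues.append("Mechanisms after 'all' are never evaluated.")
    lookups = sum(1 for t in terms[1:] if LOOKUP_TERM.match(t.lower()))
    if lookups > 10:
        issues.append(f"{lookups} DNS-querying terms exceed the RFC 7208 limit of 10 (permerror).")
    return issues


def check_dkim(record):
    tags = parse_tags(record)
    issues = []
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional but must be DKIM1 when present
        issues.append("v= tag present but not DKIM1.")
    key_type = tags.get("k", "rsa").lower()  # RFC 6376: k= defaults to rsa when absent
    if key_type not in ("rsa", "ed25519"):
        issues.append(f"Unknown key type k={key_type}.")
    if "p" not in tags:
        issues.append("Missing p= tag: record is invalid.")
    elif tags["p"] == "":
        issues.append("Empty p= tag: key revoked, signatures with this selector fail.")
    elif key_type == "rsa" and len(tags["p"]) < 300:
        # Heuristic (assumption): base64 SPKI of a 1024-bit RSA key is ~216 chars, 2048-bit ~392
        issues.append("RSA key looks shorter than 2048 bits (RFC 8301 recommends 2048).")
    if "y" in tags.get("t", "").split(":"):
        issues.append("t=y: selector is in testing mode; verifiers must not penalise failures.")
    return issues


def check_dmarc(record):
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["Not a DMARC record: v=DMARC1 is required."]
    issues = []
    policy = tags.get("p")
    if policy is None:
        issues.append("Missing required p= tag.")
    elif policy == "none":
        issues.append("p=none: failures are reported but never quarantined or rejected.")
    if tags.get("sp") == "none" and policy in ("quarantine", "reject"):
        issues.append("sp=none leaves subdomains unprotected despite the strict p=.")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        issues.append(f"pct={pct}: policy is applied to only {pct}% of failing mail.")
    if "rua" not in tags:
        issues.append("No rua= address: aggregate reports are not collected.")
    return issues


def audit(records):
    """Run all three checks on a dict of already-fetched record strings."""
    return {
        "SPF": check_spf(records["spf"]),
        "DKIM": check_dkim(records["dkim"]),
        "DMARC": check_dmarc(records["dmarc"]),
    }


if __name__ == "__main__":
    for name, found in audit(SAMPLE_RECORDS).items():
        print(name, found or ["OK"])
```

Because the checks take record strings rather than doing their own lookups, they can be unit-tested without network access and plugged into whatever resolver code fetches the TXT records (joining the quoted chunks of a long DKIM record first).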
https://github.com/MattKeeley/Spoofy
Some basic examples, courtesy of chatgpt: