I had posted my app on Betalist about a week ago and received a vulnerability report about incorrectly configured DMARC from a security researcher. I made the fix but wasn't confident about it. Shortly after, I received a couple more similar emails.
With this tool, my first check failed, citing an invalid SPF record. (I had an extra `.` at the end of my TXT record). Now, the check shows all passing.
I hope all is good now (emails are wild).
From my limited understanding:
SPF <- Should this server be sending emails for this domain?
DKIM <- Was this email tampered with?
DMARC <- What should I, as a recipient, do if SPF or DKIM fails?
Great tool, one bit of feedback on the log report. Perhaps you can highlight the passing line in the SPF record, I have about 100 of these "The ip4 mechanism does not match." and then a lot of "The include mechanism matches and produces a pass result."
Thanks for the feedback, much appreciated! It looks like you've flattened your SPF record, causing a large number of log messages. I'll see what I can do to better highlight the line that produces the 'pass' result.
I don’t want to take away your spotlight, because it’s a nice project you launched, but I do want to point out to people that https://github.com/domainaware/checkdmarc has existed for quite a while. I use it often and have also integrated it into various automated tooling.
(It also does not require handing out email addresses to strangers.)
Hmm, am I seeing this correctly that the system receives emails only via IPv4 and not via IPv6? This would make the SPF check somewhat misleading, as it only checks one option.
You are correct, the mail server is currently configured to only receive emails via IPv4. This setup is not uncommon as most major email providers have IPv4-only MX records (with Gmail and Yandex Mail being rare exceptions that support IPv6).
It might be a good idea to provide a different email address whose mail server explicitly requires IPv6. I'll think about it. Thanks for bringing it up.
There was a small bug in our DMARC record parser (it didn't like the semicolon at the end of the record). Sorry for that. Your DMARC record is definitely correct. The issue should be fixed now.
Also, thanks for the idea about circumventing DNS caching. I'll look into adding that feature.
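A small DMARC record checker, added here as an example (it is not the tool's code and not checkdmarc's), showing how to accept the trailing semicolon described in the comment above: RFC 7489's grammar ends a record with an optional separator, so a parser that treats it as an empty tag reports a valid record as broken. The sample records are constructed.

```python
"""Minimal RFC 7489 DMARC record checker (added example, not the tool's code)."""

POLICIES = {"none", "quarantine", "reject"}


def check_dmarc(record: str):
    """Return (tags, problems) for the value of a _dmarc TXT record.

    A trailing ';' is accepted: RFC 7489's ABNF ends the record with an
    optional dmarc-sep, so rejecting it yields a false negative.
    """
    tags, problems = {}, []
    parts = [p.strip() for p in record.strip().split(";")]
    if parts and parts[-1] == "":
        parts.pop()  # optional trailing separator, not an empty tag
    for i, part in enumerate(parts):
        if "=" not in part:
            problems.append(f"part {i} is not name=value: {part!r}")
            continue
        name, value = (s.strip() for s in part.split("=", 1))
        if name in tags:
            problems.append(f"duplicate tag {name!r}")
        tags[name] = value
    # v=DMARC1 must be the first tag; p= is the only other required tag.
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        problems.append("record must begin with v=DMARC1")
    if "p" not in tags:
        problems.append("required p= tag is missing")
    elif tags["p"] not in POLICIES:
        problems.append(f"unknown policy {tags['p']!r}")
    pct = tags.get("pct")
    if pct is not None and not (pct.isdigit() and 0 <= int(pct) <= 100):
        problems.append(f"pct must be 0-100, got {pct!r}")
    # Report URIs are comma-separated and must use the mailto: scheme.
    for uri_tag in ("rua", "ruf"):
        for uri in tags.get(uri_tag, "").split(","):
            if uri and not uri.strip().startswith("mailto:"):
                problems.append(f"{uri_tag} URI lacks mailto: scheme: {uri.strip()!r}")
    return tags, problems


if __name__ == "__main__":
    # Constructed samples: a valid record with a trailing ';' and a broken one.
    for rec in ("v=DMARC1; p=reject; rua=mailto:dmarc@example.com;",
                "p=reject; v=DMARC1; pct=150"):
        tags, problems = check_dmarc(rec)
        print(rec, "->", "OK" if not problems else problems)
```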
This is a really straightforward tool. Validating SPF/DKIM/DMARC by receiving an email strikes me as more effective than something that just looks at the DNS records. Thanks for sharing.
akshayKMR|2 years ago
Thanks!
awulf|2 years ago
1231232131231|2 years ago
bks|2 years ago
Maybe you can highlight the passing statement? - https://app.screencast.com/Hu5ybB6K3fd9R
awulf|2 years ago
jenoer|2 years ago
petecog|2 years ago
I recommend also https://mxtoolbox.com/dmarc.aspx
I have no affiliation.
petecog|2 years ago
Email is such an amazing mess. Love and hate in equal measures.
bks|2 years ago
yolo4553|2 years ago
awulf|2 years ago
ollybee|2 years ago
aeadio|2 years ago
It might also be useful if the tool attempted to circumvent DNS caching, so users can try tests in succession after updating.
awulf|2 years ago
RulerOf|2 years ago
bks|2 years ago
kunley|2 years ago
FerretFred|2 years ago
wilg|2 years ago