
I wanted to get a quick post in before the clock chimed midnight on 2020. It certainly has been a whirlwind of a year and while COVID-19 is still a cause for concern globally, one can only hope that 2021 will improve things.
Recently I’ve been having to work more and more with email-related records, such as SPF, DMARC and DKIM records. There are plenty of resources on what these records are. To name a few, DNS Simple has an article on SPF records that covers what they are and how to create them, and another article on DKIM records. DMARC.org has a useful article on what DMARC policies are.
As there are a number of resources that would far better explain the use cases for these records, I wanted to cover a few simple checks that can be done to check for existing records.
SPF
The above records are set at the DNS level. Checking SPF records is as simple as checking the TXT records of a specific domain. There are a number of ways that this can be achieved. On the command line the easiest option is through dig:
dig +short txt example.com
"v=spf1 a include:_spf.google.com include:sendgrid.net -all"
The above returns the SPF record shown, which contains entries for google.com and sendgrid.net.
DMARC
Checking for DMARC records follows a similar step and I generally would use dig to achieve this:
dig +short txt _dmarc.example.com
"v=DMARC1; p=none; rua=mailto:dmarc-aggrep@example.com"
It follows a similar format to our SPF record. The v= tag identifies the type of record being returned, as we saw with the SPF record.
DKIM
Checking DKIM records can be a little trickier since you have to know the selector in order to identify the record. These details are generally found in the signature of a DKIM-signed email. Within the header the selector is identified under s=. The record is published under the _domainkey label, at <selector>._domainkey.<domain>, so an overview of retrieving the record using dig would be:
dig +short txt google.com._domainkey.example.com
If the record is present, this will return the public key set in the DNS record. The selector helps identify the private key that would be used to sign the email.
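As an added example (not part of the original post), the shell functions below pull the selector (s=) and signing domain (d=) out of a DKIM-Signature header and build the <selector>._domainkey.<domain> name to hand to dig. The header is a constructed sample, and dkim_tag and dkim_qname are hypothetical helper names.

```sh
#!/bin/sh
# Constructed sample: a folded DKIM-Signature header with made-up values.
SAMPLE_HEADER='DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=example.com; s=selector1; t=1609459200;
        h=from:to:subject:date; bh=PLACEHOLDER=;
        b=PLACEHOLDER'

# dkim_tag TAG: read a DKIM-Signature header on stdin, print the value of TAG.
dkim_tag() {
    # Unfold continuation lines, drop the header name, split the tag list
    # on ';', strip whitespace, then match the tag name exactly so that
    # asking for "h" never returns the value of "bh".
    tr -d '\r' | tr '\n' ' ' \
      | sed 's/^[Dd][Kk][Ii][Mm]-[Ss]ignature:[[:space:]]*//' \
      | tr ';' '\n' \
      | sed 's/[[:space:]]//g' \
      | awk -F= -v t="$1" '$1 == t { sub(/^[^=]*=/, ""); print; exit }'
}

# dkim_qname: read a header on stdin, print the DNS name holding its key.
dkim_qname() {
    hdr=$(cat)
    sel=$(printf '%s\n' "$hdr" | dkim_tag s)
    dom=$(printf '%s\n' "$hdr" | dkim_tag d)
    # Both tags are required to locate the record.
    [ -n "$sel" ] && [ -n "$dom" ] || return 1
    # Header values come from the sender: accept hostname characters only
    # before the result is passed to another command.
    case "$sel$dom" in
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    printf '%s._domainkey.%s\n' "$sel" "$dom"
}

# Show the lookup name for the constructed sample.
printf '%s\n' "$SAMPLE_HEADER" | dkim_qname
# With a header saved from a real message (file name is an assumption):
#   dig +short txt "$(dkim_qname < dkim-header.txt)"
```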
The above records can be an excellent resource when troubleshooting mail delivery issues or doing additional research on a domain. Beyond dig, other tools that I find useful for reviewing DNS records are:
- https://whatsmydns.net
- https://mxtoolbox.com