Domain Security Checker: A Python Script for SPF, DKIM, and DMARC Record Validation
Introduction
Email security is one of the most critical components in protecting both individuals and organizations from phishing, spoofing, and fraud. Ensuring that your domain is set up correctly with SPF, DKIM, and DMARC records can significantly reduce the chances of malicious attacks targeting your email infrastructure.
SPF (Sender Policy Framework) publishes which mail servers are authorized to send emails on behalf of your domain, so receiving servers can check the sender against that list.
DKIM (DomainKeys Identified Mail) adds a digital signature to your emails, allowing recipients to verify that they haven't been altered.
DMARC (Domain-based Message Authentication, Reporting & Conformance) builds on SPF and DKIM by telling receiving servers how to handle mail that fails those checks, adding an additional layer of security.
This article provides a simple Python script to validate the existence and configuration of SPF, DKIM, and DMARC records for any given domain.
Why Use This Script?
Misconfigurations in SPF, DKIM, and DMARC records can leave your domain vulnerable to spoofing, phishing, and other forms of email abuse. By running this script, you can easily check whether your domain's email authentication records are properly configured, giving you peace of mind that your email infrastructure is secure.
How It Works
This Python script utilizes the dnspython library to query the DNS for SPF, DKIM, and DMARC records associated with a given domain. The script is simple to run, requiring only the domain as an input. It outputs the SPF, DKIM, and DMARC records directly in the console.
The script does not perform actual email signature validation but provides insights into whether these important DNS records are set up correctly.
Key Features:
- SPF Record Lookup: Checks if the domain has an SPF record and displays the contents.
- DKIM Record Lookup: Attempts to fetch the DKIM record published under the "default" selector for the domain.
- DMARC Record Lookup: Checks for the existence of a DMARC record and displays its details.
Installation Instructions
Before running the script, you will need to install the dnspython library. You can install it using pip:
pip install dnspython
The Script
import dns.resolver


def get_spf_record(domain):
    """Return the domain's SPF record, or a message if none is found."""
    try:
        answers = dns.resolver.resolve(domain, 'TXT')
        for rdata in answers:
            # A TXT record can be split into several strings; join them
            # first so a long SPF record is matched and returned whole.
            txt_record = b"".join(rdata.strings)
            if txt_record.startswith(b"v=spf1"):
                return txt_record.decode('utf-8')
        return "No SPF record found"
    except Exception as e:
        return f"Error fetching SPF record: {e}"


def get_dkim_record(domain):
    """Return the DKIM key record published under the chosen selector."""
    dkim_selector = "default"  # You might need to adjust this based on the selector used by the domain
    dkim_domain = f"{dkim_selector}._domainkey.{domain}"
    try:
        answers = dns.resolver.resolve(dkim_domain, 'TXT')
        for rdata in answers:
            return rdata.to_text()
    except Exception as e:
        return f"Error fetching DKIM record: {e}"


def get_dmarc_record(domain):
    """Return the DMARC record published at _dmarc.<domain>."""
    dmarc_domain = f"_dmarc.{domain}"
    try:
        answers = dns.resolver.resolve(dmarc_domain, 'TXT')
        for rdata in answers:
            return rdata.to_text()
    except Exception as e:
        return f"Error fetching DMARC record: {e}"


def main():
    domain = input("Enter a domain to check SPF, DKIM, and DMARC: ").strip()

    print(f"\nChecking SPF record for {domain}:")
    spf_record = get_spf_record(domain)
    print(spf_record)

    print(f"\nChecking DKIM record for {domain}:")
    dkim_record = get_dkim_record(domain)
    print(dkim_record)

    print(f"\nChecking DMARC record for {domain}:")
    dmarc_record = get_dmarc_record(domain)
    print(dmarc_record)


if __name__ == "__main__":
    main()
How to Use the Script
- Install the dnspython library: pip install dnspython
- Run the script: python domain_security_checker.py
- Enter a domain when prompted, and the script will return the SPF, DKIM, and DMARC records (if available).
Example Output:
Enter a domain to check SPF, DKIM, and DMARC: example.com
Checking SPF record for example.com:
v=spf1 include:_spf.example.com ~all
Checking DKIM record for example.com:
"v=DKIM1; k=rsa; p=MHwwDQYJKoZIhvcNAQEBBQADawA..."
Checking DMARC record for example.com:
"v=DMARC1; p=none; rua=mailto:[email protected]"
Conclusion
This Python script is a handy tool for quickly verifying SPF, DKIM, and DMARC records for any domain. Regular checks on these email authentication protocols help prevent your domain from being used in phishing and spoofing attacks. While the script doesn't perform in-depth testing of email headers, it provides a quick and easy method for ensuring the core records are set up correctly.
With the increasing complexity of email security, having such a script can be a vital part of your domain's security toolkit.
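The script prints the records and leaves their interpretation to the reader. As an added example (not part of the original script), the following takes record strings like those in the example output and flags common weaknesses: a permissive or missing SPF "all" term, duplicate SPF records, and a DMARC policy that is monitoring-only, partial, or has no report address. The function names and the sample records are constructed for illustration.

```python
import re

# Constructed sample records, modelled on the example output on this page.
SAMPLE_SPF = ["v=spf1 include:_spf.example.com ~all"]
SAMPLE_DMARC = '"v=DMARC1; p=none; rua=mailto:dmarc@example.com"'

def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DMARC syntax) into a dict."""
    pairs = (part.partition("=") for part in record.strip().strip('"').split(";"))
    return {k.strip().lower(): v.strip() for k, sep, v in pairs if sep}

def audit_spf(txt_records):
    """Return findings for the SPF policy among a domain's TXT strings."""
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if len(spf) != 1:  # none: no policy; several: receivers return permerror
        return ["no SPF record" if not spf else "multiple SPF records (permerror)"]
    terms = [t.lower() for t in spf[0].split()[1:]]
    # Mechanism/modifier name without qualifier or argument, e.g. "~all" -> "all".
    names = [re.split(r"[:/=]", t.lstrip("+-~?"))[0] for t in terms]
    findings = []
    if "all" in names:
        term = terms[names.index("all")]
        qualifier = term[0] if term[0] in "+-~?" else "+"  # bare "all" means "+all"
        if qualifier == "+":
            findings.append("+all: every host is authorized to send")
        elif qualifier in "~?":
            findings.append(f"{qualifier}all: unauthorized senders are not failed outright")
    elif "redirect" not in names:
        findings.append("no 'all' or redirect: unlisted senders get a neutral result")
    return findings

def audit_dmarc(record):
    """Return findings for one DMARC TXT record string."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= policy")
    elif policy == "none":
        findings.append("p=none: monitoring only, no action requested on failing mail")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy covers only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports will be received")
    return findings

if __name__ == "__main__":
    print("SPF:", audit_spf(SAMPLE_SPF))
    print("DMARC:", audit_dmarc(SAMPLE_DMARC))
```

An empty list means none of these checks fired; it does not prove that mail from the domain actually passes SPF, DKIM, or DMARC at a receiver.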