Sunday, August 02, 2009

How to check a site for E-Mail authentication

Working as a pentester, I often check web shops and well-established brands. I expect them to have some kind of e-mail authentication in place, be it DomainKeys/DKIM or an SPF record.

Not because I want to make the world a spam-free place: I believe mail authentication is a worthwhile measure against phishing scams that abuse a company's brand. If a company has mail authentication like SPF in place, almost all spam filters are able to, and will, separate legitimate company mail and newsletters from phishing scams, which are usually sent from untrusted IPs or without a valid DKIM signature.

I was recently asked how to check this in a real-world scenario. SPF is fairly easy: just fetch the TXT (and SPF) records for the domain in question. dig is your friend, or just use serversniff's DNS report.
DKIM is more complicated: you need a real-world mail from the customer, be it a newsletter, an error message or anything else, because the signature only exists on an actual message and cannot be looked up in DNS alone.
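To show what "checking the SPF record" actually involves once you have it, here is an added example (my own code, not from the original post): a small RFC 4408-style evaluator that takes a sender IP and a domain and walks the record's mechanisms. DNS is replaced by a constructed lookup table with made-up names and addresses (shop.example, _spf.mailer.example, brand.example and the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 documentation ranges); on a real domain you would start with `dig +short TXT <domain>` and plug a resolver into `lookup()`.

```python
import ipaddress

# Constructed stand-in for DNS (not real records): name -> {"TXT": [...], "A": [...], "MX": [...]}.
# In real use, replace lookup() with a resolver call (dig output, or dnspython's resolve()).
FAKE_DNS = {
    "shop.example": {
        "TXT": ["v=spf1 ip4:192.0.2.0/24 mx include:_spf.mailer.example -all"],
        "MX": ["mail.shop.example"],
        "A": ["198.51.100.10"],
    },
    "mail.shop.example": {"A": ["198.51.100.25"]},
    "_spf.mailer.example": {"TXT": ["v=spf1 ip4:203.0.113.0/25 ~all"]},
    "brand.example": {"TXT": ["v=spf1 redirect=shop.example"]},
    "no-spf.example": {"TXT": ["some unrelated txt record"], "A": ["198.51.100.77"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return FAKE_DNS.get(name.lower(), {}).get(rtype, [])


def get_spf_record(domain):
    """Return the v=spf1 TXT record for domain; None if there is none (or more than
    one, which RFC 4408 treats as a permanent error)."""
    spf = [t for t in lookup(domain, "TXT") if t.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None


def check_spf(ip, domain, depth=0):
    """Evaluate sender ip against domain's SPF record.
    Returns pass / fail / softfail / neutral / none / permerror (RFC 4408 result names)."""
    if depth > 10:                      # include/redirect loop guard
        return "permerror"
    record = get_spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:     # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if "=" in term:                 # modifier, e.g. redirect=other.example
            key, _, value = term.partition("=")
            if key.lower() == "redirect":
                redirect = value
            continue
        name, _, arg = term.partition(":")
        name = name.lower()
        host = arg.split("/")[0] or domain   # CIDR suffix on a/mx is ignored in this demo
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # an IPv4 address is never inside an IPv6 network and vice versa
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(addr) in lookup(host, "A")
        elif name == "mx":
            matched = any(str(addr) in lookup(mx, "A") for mx in lookup(host, "MX"))
        elif name == "include":
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"          # exists:/ptr: and unknown mechanisms not handled here
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:
        return check_spf(ip, redirect, depth + 1)
    return "neutral"                    # nothing matched and no "all" mechanism


if __name__ == "__main__":
    for ip, dom in [("192.0.2.5", "shop.example"), ("203.0.113.200", "shop.example"),
                    ("198.51.100.77", "no-spf.example")]:
        print(ip, dom, check_spf(ip, dom))
```

The result that matters for the phishing argument is the last mechanism: a domain ending in `-all` lets a receiver reject mail from unlisted hosts, while `~all` or `?all` only lets it score that mail, and a domain with no record at all yields `none`, which is what "SPF neutral" in a spam filter usually reflects.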

But how do you verify SPF records and DomainKey signatures on a real mail?

I found it easiest to use Gmail for this task: open the e-mail in question, press the small arrow at the top right (next to the upper "Reply") and select "Show Original". Gmail will then show you the complete mail headers, including the validated SPF and DKIM results. These might look like this:

SPF pass: Google verified the SPF record for this mail.

SPF neutral: Google could not verify an SPF record for this mail.

SPF pass by "best guess": there is no SPF record, but Google was able to verify that the originating machine belongs to the originating domain.

And now for the different DKIM headers:

I'm still not sure what Google's spam filter means with these headers, but it seems to be fairly accurate, even detecting a domain in "test mode".
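For both the SPF lines and the DKIM lines described above, here is an added example (my own code, not from the original post) that reads the headers a "Show Original" view gives you and pulls out what a checker wants at a glance. The raw headers, the Authentication-Results wording, the selector `news2009` and the DKIM key record are all constructed for the demo; Gmail's exact comment strings are not taken from the page. The "test mode" flag itself is the `t=y` tag of the selector's DNS key record (RFC 4871), which the signing domain publishes at `<selector>._domainkey.<domain>`, so the example also builds that query name from the `s=` and `d=` tags of the signature.

```python
import re

# Constructed headers in the style of Gmail's "Show Original" view (a made-up mail).
RAW_HEADERS = """\
Delivered-To: me@example.net
Received-SPF: pass (google.com: domain of news@shop.example designates 192.0.2.5 as permitted sender) client-ip=192.0.2.5;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of news@shop.example
 designates 192.0.2.5 as permitted sender) smtp.mail=news@shop.example;
 dkim=pass (test mode) header.i=@shop.example
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=shop.example; s=news2009;
 h=from:to:subject:date; bh=ZmFrZSBib2R5IGhhc2g=; b=ZmFrZSBzaWduYXR1cmU=
From: Shop Newsletter <news@shop.example>
Subject: Your August offers
"""

# Constructed DKIM key record for the selector above. t=y flags the domain as being in
# test mode (RFC 4871 section 3.6.1); p= is a placeholder, not a real public key.
FAKE_KEY_RECORDS = {
    "news2009._domainkey.shop.example": "v=DKIM1; k=rsa; t=y; p=PLACEHOLDERPUBLICKEY",
}


def unfold_headers(raw):
    """Parse a raw header block into {lowercase-name: [values]}, joining folded lines.
    Stops at the first blank line, where the message body begins."""
    headers = {}
    current = None
    for line in raw.splitlines():
        if not line.strip():
            break
        if line[:1] in (" ", "\t") and current:      # continuation of the previous header
            headers[current][-1] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        current = name.strip().lower()
        headers.setdefault(current, []).append(value.strip())
    return headers


def parse_auth_results(value):
    """Turn 'mx.google.com; spf=pass (comment) ...; dkim=pass (test mode) ...' into
    {method: (result, comment)}. The first ';'-separated part is the authserv-id."""
    results = {}
    for part in value.split(";")[1:]:
        m = re.match(r"\s*(\w+)=(\w+)(?:\s*\(([^)]*)\))?", part)
        if m:
            results[m.group(1).lower()] = (m.group(2).lower(), m.group(3) or "")
    return results


def parse_tags(value):
    """Parse a DKIM tag=value list (signature header or key record), dropping folding whitespace."""
    tags = {}
    for item in value.split(";"):
        key, sep, val = item.partition("=")       # first '=' only: base64 values keep their padding
        if sep:
            tags[key.strip().lower()] = re.sub(r"\s+", "", val)
    return tags


def spf_from_received_spf(value):
    """Received-SPF starts with the bare result word (pass, neutral, fail, ...)."""
    m = re.match(r"\s*(\w+)", value)
    return m.group(1).lower() if m else "none"


def summarize(raw_headers, key_records):
    """SPF and DKIM verdicts, the signing domain, the selector record to query,
    and whether that record carries the t=y test-mode flag."""
    hdrs = unfold_headers(raw_headers)
    auth = parse_auth_results(hdrs.get("authentication-results", [""])[0])
    sig = parse_tags(hdrs.get("dkim-signature", [""])[0])
    selector_name = f"{sig.get('s', '?')}._domainkey.{sig.get('d', '?')}"
    flags = parse_tags(key_records.get(selector_name, "")).get("t", "")
    received_spf = spf_from_received_spf(hdrs.get("received-spf", [""])[0])
    return {
        "spf": auth.get("spf", (received_spf, ""))[0],
        "dkim": auth.get("dkim", ("none", ""))[0],
        "dkim_comment": auth.get("dkim", ("", ""))[1],
        "signing_domain": sig.get("d"),
        "selector_record": selector_name,
        "dkim_test_mode": "y" in flags.split(":"),
    }


if __name__ == "__main__":
    for key, val in summarize(RAW_HEADERS, FAKE_KEY_RECORDS).items():
        print(f"{key:>16}: {val}")
```

In practice you would paste the real headers into `RAW_HEADERS`, then fetch the record named in `selector_record` with `dig +short TXT <that name>` and pass it in as `key_records`; a `t=y` there is what a receiver reports as "test mode", and under RFC 4871 verifiers are expected to treat a signature failure from such a domain no worse than unsigned mail.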

I'd be happy to hear about any other solution for verifying mail authentication: write a comment or drop me a mail to


