cschantz/Linux-Server-Management-Toolkit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9fb9d950eafd9519b14eb616fe8269abf67f2423
Linux-Server-Management-Too…/modules/email/spf-dkim-dmarc-check.sh
T
cschantz 9fb9d950ea Implement complete SPF/DKIM/DMARC validation and email deliverability testing 
SPF/DKIM/DMARC Check:
- Complete implementation to validate email authentication records
- Checks SPF record for proper terminator and mechanisms
- Checks DKIM record with common selector detection
- Validates DMARC policy, alignment, and reporting
- Tries common DKIM selectors (default, k1, k2, google, selector1, selector2)
- Analyzes SPF/DKIM/DMARC strength (EXCELLENT/GOOD/PARTIAL/CRITICAL)
- Provides actionable recommendations for missing records
- Shows configuration examples for each authentication method

Email Deliverability Test:
- 5-step comprehensive deliverability testing
- Step 1: Validates SPF/DKIM/DMARC records exist
- Step 2: Tests SMTP connectivity to MX records
- Step 3: Checks server IP against major blacklists (Spamhaus, SpamCop, Barracuda, SORBS, CBL)
- Step 4: Validates reverse DNS (PTR record) configuration
- Step 5: Sends actual test email to verify end-to-end delivery
- Integrated blacklist detection with difficulty ratings
- Links to related diagnostic tools
- Provides troubleshooting guidance for failed tests

Key Features:
- User-friendly input prompts for domain and test recipient
- Color-coded output (success, warning, error)
- Comprehensive test summary with next steps
- Integration with existing email diagnostics tools
- Clear recommendations for each test result
- Cross-references to blacklist-check, email-diagnostics, and mail-log-analyzer

These tools complete the email infrastructure validation suite,
allowing administrators to comprehensively validate email authentication,
deliverability, and blacklist status from one integrated toolset.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
2026-02-06 20:26:35 -05:00

256 lines
8.3 KiB
Bash
Executable File
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
#!/bin/bash
################################################################################
# SPF/DKIM/DMARC Check - Email Authentication Records Validator
################################################################################
# Purpose: Check and validate SPF, DKIM, and DMARC records for a domain
# Shows detailed validation results with recommendations
################################################################################
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
source "$SCRIPT_DIR/lib/common-functions.sh"
source "$SCRIPT_DIR/lib/system-detect.sh"
show_banner "SPF/DKIM/DMARC Email Authentication Check"
# Get domain from user
echo ""
read -p "Enter domain to check (e.g., example.com): " TARGET_DOMAIN
if [ -z "$TARGET_DOMAIN" ]; then
print_error "Domain required"
exit 1
fi
print_info "Checking email authentication records for: $TARGET_DOMAIN"
echo ""
################################################################################
# SPF Check
################################################################################
check_spf() {
local domain="$1"
local spf_record=$(dig +short TXT "$domain" 2>/dev/null | grep "^\"v=spf1")
if [ -z "$spf_record" ]; then
print_error " ✗ SPF record NOT FOUND"
echo " Risk: Server may not have SPF authentication"
return 1
else
print_success " ✓ SPF record found"
# Clean up the dig output
spf_record=$(echo "$spf_record" | sed 's/"//g')
echo " Record: $spf_record"
# Validate SPF record
if echo "$spf_record" | grep -q "~all\|?all"; then
print_success " ✓ SPF has proper terminator (~all or ?all)"
elif echo "$spf_record" | grep -q "\-all"; then
print_warning " ⚠ SPF uses strict -all (may reject legitimate mail)"
else
print_warning " ⚠ SPF missing proper terminator (no ~all)"
fi
# Check for common SPF mechanisms
echo " Mechanisms found:"
echo "$spf_record" | grep -o "\b[a-z]*:[^ \"]*" | while read mech; do
echo "$mech"
done
return 0
fi
}
################################################################################
# DKIM Check
################################################################################
check_dkim() {
local domain="$1"
local selector="default"
# Try common selectors
for sel in default k1 k2 google selector1 selector2; do
local dkim_record=$(dig +short TXT "${sel}._domainkey.${domain}" 2>/dev/null | grep "^\"v=DKIM1")
if [ -n "$dkim_record" ]; then
selector="$sel"
break
fi
done
local dkim_record=$(dig +short TXT "${selector}._domainkey.${domain}" 2>/dev/null | grep "^\"v=DKIM1")
if [ -z "$dkim_record" ]; then
print_error " ✗ DKIM record NOT FOUND (tried selector: $selector)"
echo " Recommendation: Check your DKIM setup with selector name"
return 1
else
print_success " ✓ DKIM record found (selector: $selector)"
dkim_record=$(echo "$dkim_record" | sed 's/"//g')
# Extract key components
if echo "$dkim_record" | grep -q "p="; then
print_success " ✓ Public key (p=) present"
fi
if echo "$dkim_record" | grep -q "h=sha256"; then
print_success " ✓ Using SHA256 hashing (recommended)"
elif echo "$dkim_record" | grep -q "h=sha1"; then
print_warning " ⚠ Using SHA1 (consider upgrading to SHA256)"
fi
if echo "$dkim_record" | grep -q "t=y"; then
print_info " Testing mode enabled (t=y)"
fi
echo " Selector: $selector"
return 0
fi
}
################################################################################
# DMARC Check
################################################################################
check_dmarc() {
local domain="$1"
local dmarc_record=$(dig +short TXT "_dmarc.${domain}" 2>/dev/null | grep "^\"v=DMARC1")
if [ -z "$dmarc_record" ]; then
print_error " ✗ DMARC record NOT FOUND"
echo " Recommendation: Implement DMARC policy for maximum protection"
return 1
else
print_success " ✓ DMARC record found"
dmarc_record=$(echo "$dmarc_record" | sed 's/"//g')
echo " Record: $dmarc_record"
# Analyze DMARC policy
if echo "$dmarc_record" | grep -q "p=reject"; then
print_success " ✓ Policy: REJECT (strict enforcement)"
elif echo "$dmarc_record" | grep -q "p=quarantine"; then
print_warning " ⚠ Policy: QUARANTINE (less strict)"
elif echo "$dmarc_record" | grep -q "p=none"; then
print_warning " ⚠ Policy: NONE (monitoring only, no enforcement)"
fi
# Check for reporting
if echo "$dmarc_record" | grep -q "rua="; then
print_success " ✓ Aggregate reports enabled (rua=)"
fi
if echo "$dmarc_record" | grep -q "ruf="; then
print_success " ✓ Forensic reports enabled (ruf=)"
fi
# Check alignment
if echo "$dmarc_record" | grep -q "aspf=strict"; then
print_success " ✓ SPF alignment: STRICT"
fi
if echo "$dmarc_record" | grep -q "adkim=strict"; then
print_success " ✓ DKIM alignment: STRICT"
fi
return 0
fi
}
################################################################################
# Main Checks
################################################################################
print_header "SPF (Sender Policy Framework)"
check_spf "$TARGET_DOMAIN"
spf_status=$?
echo ""
print_header "DKIM (DomainKeys Identified Mail)"
check_dkim "$TARGET_DOMAIN"
dkim_status=$?
echo ""
print_header "DMARC (Domain-based Message Authentication, Reporting & Conformance)"
check_dmarc "$TARGET_DOMAIN"
dmarc_status=$?
echo ""
################################################################################
# Summary & Recommendations
################################################################################
print_header "Authentication Summary"
echo ""
print_info "Status Overview:"
if [ $spf_status -eq 0 ]; then
echo " ✓ SPF: Implemented"
else
echo " ✗ SPF: Missing"
fi
if [ $dkim_status -eq 0 ]; then
echo " ✓ DKIM: Implemented"
else
echo " ✗ DKIM: Missing"
fi
if [ $dmarc_status -eq 0 ]; then
echo " ✓ DMARC: Implemented"
else
echo " ✗ DMARC: Missing"
fi
echo ""
echo "🔐 Authentication Strength:"
if [ $spf_status -eq 0 ] && [ $dkim_status -eq 0 ] && [ $dmarc_status -eq 0 ]; then
print_success " ✓ EXCELLENT: All three authentication methods implemented"
echo " Your domain has maximum email authentication protection"
elif [ $spf_status -eq 0 ] && [ $dkim_status -eq 0 ]; then
print_warning " ⚠ GOOD: SPF and DKIM implemented (DMARC recommended)"
echo " Add DMARC for complete protection and reporting"
elif [ $spf_status -eq 0 ] || [ $dkim_status -eq 0 ]; then
print_warning " ⚠ PARTIAL: Only one authentication method active"
echo " Implement both SPF and DKIM for better deliverability"
else
print_error " ✗ CRITICAL: No authentication methods found"
echo " Email deliverability will be severely impacted"
fi
echo ""
echo "📋 Recommendations:"
echo ""
if [ $spf_status -ne 0 ]; then
echo " 1. Add SPF record:"
echo " - Go to your DNS provider"
echo " - Add TXT record for $TARGET_DOMAIN"
echo " - Example: v=spf1 include:_spf.google.com ~all"
echo ""
fi
if [ $dkim_status -ne 0 ]; then
echo " 2. Enable DKIM:"
echo " - Check your mail server control panel (cPanel/Plesk)"
echo " - Generate DKIM key for domain"
echo " - Add the TXT record to DNS"
echo ""
fi
if [ $dmarc_status -ne 0 ]; then
echo " 3. Implement DMARC:"
echo " - Add TXT record for _dmarc.$TARGET_DOMAIN"
echo " - Start with p=none for monitoring"
echo " - Example: v=DMARC1;p=none;rua=mailto:postmaster@$TARGET_DOMAIN"
echo ""
fi
echo "🔗 Additional Resources:"
echo " • Use email-diagnostics to check email delivery issues"
echo " • Use blacklist-check to verify IP reputation"
echo " • Monitor DMARC reports at your email provider"
echo ""
Reference in New Issue View Git Blame Copy Permalink