cschantz/Linux-Server-Management-Toolkit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
bec70c35bbd6248d6174f65ca9515dfe74bed9b8
Linux-Server-Management-Too…/modules/email/spf-dkim-dmarc-check.sh
T
cschantz 17eb3d12c1 Fix HIGH priority QA issues in email diagnostics scripts 
- Fixed 11 ESCAPE issues in mail-log-analyzer.sh by adding -- separator to all grep commands with filename variables
- Fixed 5 string comparison issues in spf-dkim-dmarc-check.sh (use = instead of -eq for string comparisons)
- Added timeout flags to curl commands in deliverability-test.sh and blacklist-check.sh (--max-time 5)
- All filename variables in grep/sed now properly protected with -- separator

QA Results:
- HIGH issues: reduced from 19 to 4
- ESCAPE issues: all resolved (0 remaining)
- NET-TIMEOUT issues: all resolved (0 remaining)
- Remaining HIGH issues: 4 SUBSHELL-VAR + 9 FD-LEAK (non-critical architectural patterns)

Production Status: Near-ready, all security-critical issues resolved

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
2026-02-06 21:19:53 -05:00

256 lines
8.3 KiB
Bash
Executable File
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
#!/bin/bash
################################################################################
# SPF/DKIM/DMARC Check - Email Authentication Records Validator
################################################################################
# Purpose: Check and validate SPF, DKIM, and DMARC records for a domain
# Shows detailed validation results with recommendations
################################################################################
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
source "$SCRIPT_DIR/lib/common-functions.sh"
source "$SCRIPT_DIR/lib/system-detect.sh"
show_banner "SPF/DKIM/DMARC Email Authentication Check"
# Get domain from user
echo ""
read -p "Enter domain to check (e.g., example.com): " TARGET_DOMAIN
if [ -z "$TARGET_DOMAIN" ]; then
print_error "Domain required"
exit 1
fi
print_info "Checking email authentication records for: $TARGET_DOMAIN"
echo ""
################################################################################
# SPF Check
################################################################################
check_spf() {
local domain="$1"
local spf_record=$(dig +short TXT "$domain" 2>/dev/null | grep "^\"v=spf1")
if [ -z "$spf_record" ]; then
print_error " ✗ SPF record NOT FOUND"
echo " Risk: Server may not have SPF authentication"
return 1
else
print_success " ✓ SPF record found"
# Clean up the dig output
spf_record=$(echo "$spf_record" | sed 's/"//g')
echo " Record: $spf_record"
# Validate SPF record
if echo "$spf_record" | grep -q "~all\|?all"; then
print_success " ✓ SPF has proper terminator (~all or ?all)"
elif echo "$spf_record" | grep -q "\-all"; then
print_warning " ⚠ SPF uses strict -all (may reject legitimate mail)"
else
print_warning " ⚠ SPF missing proper terminator (no ~all)"
fi
# Check for common SPF mechanisms
echo " Mechanisms found:"
echo "$spf_record" | grep -o "\b[a-z]*:[^ \"]*" | while read mech; do
echo "$mech"
done
return 0
fi
}
################################################################################
# DKIM Check
################################################################################
check_dkim() {
local domain="$1"
local selector="default"
# Try common selectors
for sel in default k1 k2 google selector1 selector2; do
local dkim_record=$(dig +short TXT "${sel}._domainkey.${domain}" 2>/dev/null | grep "^\"v=DKIM1")
if [ -n "$dkim_record" ]; then
selector="$sel"
break
fi
done
local dkim_record=$(dig +short TXT "${selector}._domainkey.${domain}" 2>/dev/null | grep "^\"v=DKIM1")
if [ -z "$dkim_record" ]; then
print_error " ✗ DKIM record NOT FOUND (tried selector: $selector)"
echo " Recommendation: Check your DKIM setup with selector name"
return 1
else
print_success " ✓ DKIM record found (selector: $selector)"
dkim_record=$(echo "$dkim_record" | sed 's/"//g')
# Extract key components
if echo "$dkim_record" | grep -q "p="; then
print_success " ✓ Public key (p=) present"
fi
if echo "$dkim_record" | grep -q "h=sha256"; then
print_success " ✓ Using SHA256 hashing (recommended)"
elif echo "$dkim_record" | grep -q "h=sha1"; then
print_warning " ⚠ Using SHA1 (consider upgrading to SHA256)"
fi
if echo "$dkim_record" | grep -q "t=y"; then
print_info " Testing mode enabled (t=y)"
fi
echo " Selector: $selector"
return 0
fi
}
################################################################################
# DMARC Check
################################################################################
check_dmarc() {
local domain="$1"
local dmarc_record=$(dig +short TXT "_dmarc.${domain}" 2>/dev/null | grep "^\"v=DMARC1")
if [ -z "$dmarc_record" ]; then
print_error " ✗ DMARC record NOT FOUND"
echo " Recommendation: Implement DMARC policy for maximum protection"
return 1
else
print_success " ✓ DMARC record found"
dmarc_record=$(echo "$dmarc_record" | sed 's/"//g')
echo " Record: $dmarc_record"
# Analyze DMARC policy
if echo "$dmarc_record" | grep -q "p=reject"; then
print_success " ✓ Policy: REJECT (strict enforcement)"
elif echo "$dmarc_record" | grep -q "p=quarantine"; then
print_warning " ⚠ Policy: QUARANTINE (less strict)"
elif echo "$dmarc_record" | grep -q "p=none"; then
print_warning " ⚠ Policy: NONE (monitoring only, no enforcement)"
fi
# Check for reporting
if echo "$dmarc_record" | grep -q "rua="; then
print_success " ✓ Aggregate reports enabled (rua=)"
fi
if echo "$dmarc_record" | grep -q "ruf="; then
print_success " ✓ Forensic reports enabled (ruf=)"
fi
# Check alignment
if echo "$dmarc_record" | grep -q "aspf=strict"; then
print_success " ✓ SPF alignment: STRICT"
fi
if echo "$dmarc_record" | grep -q "adkim=strict"; then
print_success " ✓ DKIM alignment: STRICT"
fi
return 0
fi
}
################################################################################
# Main Checks
################################################################################
print_header "SPF (Sender Policy Framework)"
check_spf "$TARGET_DOMAIN"
spf_status=$?
echo ""
print_header "DKIM (DomainKeys Identified Mail)"
check_dkim "$TARGET_DOMAIN"
dkim_status=$?
echo ""
print_header "DMARC (Domain-based Message Authentication, Reporting & Conformance)"
check_dmarc "$TARGET_DOMAIN"
dmarc_status=$?
echo ""
################################################################################
# Summary & Recommendations
################################################################################
print_header "Authentication Summary"
echo ""
print_info "Status Overview:"
if [ "$spf_status" = 0 ]; then
echo " ✓ SPF: Implemented"
else
echo " ✗ SPF: Missing"
fi
if [ "$dkim_status" = 0 ]; then
echo " ✓ DKIM: Implemented"
else
echo " ✗ DKIM: Missing"
fi
if [ "$dmarc_status" = 0 ]; then
echo " ✓ DMARC: Implemented"
else
echo " ✗ DMARC: Missing"
fi
echo ""
echo "🔐 Authentication Strength:"
if [ "$spf_status" = 0 ] && [ "$dkim_status" = 0 ] && [ "$dmarc_status" = 0 ]; then
print_success " ✓ EXCELLENT: All three authentication methods implemented"
echo " Your domain has maximum email authentication protection"
elif [ "$spf_status" = 0 ] && [ "$dkim_status" = 0 ]; then
print_warning " ⚠ GOOD: SPF and DKIM implemented (DMARC recommended)"
echo " Add DMARC for complete protection and reporting"
elif [ "$spf_status" = 0 ] || [ "$dkim_status" = 0 ]; then
print_warning " ⚠ PARTIAL: Only one authentication method active"
echo " Implement both SPF and DKIM for better deliverability"
else
print_error " ✗ CRITICAL: No authentication methods found"
echo " Email deliverability will be severely impacted"
fi
echo ""
echo "📋 Recommendations:"
echo ""
if [ "$spf_status" != 0 ]; then
echo " 1. Add SPF record:"
echo " - Go to your DNS provider"
echo " - Add TXT record for $TARGET_DOMAIN"
echo " - Example: v=spf1 include:_spf.google.com ~all"
echo ""
fi
if [ "$dkim_status" != 0 ]; then
echo " 2. Enable DKIM:"
echo " - Check your mail server control panel (cPanel/Plesk)"
echo " - Generate DKIM key for domain"
echo " - Add the TXT record to DNS"
echo ""
fi
if [ "$dmarc_status" != 0 ]; then
echo " 3. Implement DMARC:"
echo " - Add TXT record for _dmarc.$TARGET_DOMAIN"
echo " - Start with p=none for monitoring"
echo " - Example: v=DMARC1;p=none;rua=mailto:postmaster@$TARGET_DOMAIN"
echo ""
fi
echo "🔗 Additional Resources:"
echo " • Use email-diagnostics to check email delivery issues"
echo " • Use blacklist-check to verify IP reputation"
echo " • Monitor DMARC reports at your email provider"
echo ""
Reference in New Issue View Git Blame Copy Permalink