Analyze SPF records using the PowerShell module SpfAnalyzer

I regularly check SPF records for syntax and entries during Exchange migrations or when troubleshooting mail flow. The SpfAnalyzer module from Jiri Formacek can help with that. In this blog post, I will show you how it works.

What is SPF?

Sender Policy Framework (SPF) is an email authentication method that ensures the sending mail server is authorized to originate mail from the email sender’s domain.[1][2] This authentication only applies to the email sender listed in the “envelope from” field during the initial SMTP connection. If the email is bounced, a message is sent to this address,[2] and for downstream transmission it typically appears in the “Return-Path” header. To authenticate the email address which is actually visible to recipients on the “From:” line, other technologies, such as DMARC, must be used. Forgery of this address is known as email spoofing,[3] and is often used in phishing and email spam.

The list of authorized sending hosts and IP addresses for a domain is published in the DNS records for that domain. Sender Policy Framework is defined in RFC 7208 dated April 2014 as a “proposed standard”.[4]

Source: https://en.wikipedia.org/wiki/Sender_Policy_Framework

What does the SpfAnalyzer module do?

The module from Jiri Formacek, located at https://github.com/GreyCorbel/SpfAnalyzer, provides commands that retrieve and parse the records a domain publishes to define its policy for sending mail, i.e. the Sender Policy Framework (SPF) records defined in RFC 7208, "Sender Policy Framework (SPF) for Authorizing Use of Domains in Email".

In short, it retrieves and parses a domain's SPF record, lets you check whether a given IP address is authorized by that record, and can also retrieve and parse the DMARC record for the same domain.

I wrote a small function for retrieving details from mail domains a while back, but that one just reports the data and doesn't, for example, verify IP addresses against it. You can find that blog post here: https://powershellisfun.com/2022/06/19/retrieve-email-dns-records-using-powershell/

Features and limitations

The module is cross-platform and relies on the DnsClient.NET package.
The module provides additional helper commands that return the list of IP addresses and IP subnets found in the published policy.
IPv4 and IPv6 addresses are supported.
Only the PowerShell Core edition is supported, and the lowest version the module works on is 7.4, because of its dependency on .NET 8.0.
Macro expansion in the exists mechanism does not yet cover the complete specification in RFC 7208; the author is looking for collaborators to enhance the parsing. Macros in the include mechanism are not currently expanded, and such a record is not parsed further. However, such a record is still processed by the Test-SpfHost command.

Installing the module

You can run this to install the module:

Install-Module -Name SpfAnalyzer

Or, when you have PSResourceGet available on your system, by running:

Install-PSResource -Name SpfAnalyzer

After installation, the cmdlets covered below are available (Get-Command -Module SpfAnalyzer lists them):

How to use

Warnings about invalid IP Addresses

Some of the Cmdlets return warnings for invalid IP addresses when used with specific domains. For example, for my powershellisfun.com, it warns me about 103.115.9.249 and 103.115.10.249. They seem correct to me at least… (They are from WordPress, actually)

Get-DkimRecord

You can use this to check whether a DKIM record is published for a specific domain. Keep in mind that DKIM public keys are published per selector, under <selector>._domainkey.<domain>, so the selector the sending system uses has to be known to find the key. For example:

Get-DmarcRecord

Using this Cmdlet, you can retrieve the DMARC record for a specific domain. For example:

Get-SPFRecord

This will display the SPF record for a domain. In this example, I used the DnsServerIpAddress parameter to query a specific DNS server (the parameter is also available on the other cmdlets). Pointing it at the authoritative name server or an external resolver is handy during a migration, because your local resolver may still serve a cached copy of the old record. For instance:

Get-SpfRecordEntries

This complements the Get-SPFRecord cmdlet and shows the individual entries (mechanisms) of the record in a lovely table:

Get-SpfRecordIpAddress

This Cmdlet will show you all the IP addresses in the SPF record, for example:

I used Microsoft.com as the Domain because powershellisfun.com has no IP addresses in its SPF record.

Get-SpfRecordIpNetwork

This will show the IP ranges of the SPF record it finds, for example:

Test-SpfHost

And this is what makes the module so lovely to work with, the testing part 🙂 For example, to check whether the IP address 40.92.0.2 is authorized by my powershellisfun.com SPF record, you can run:

If it isn't, the cmdlet returns nothing. For example:

Test-SpfRecord

You can use this to test an SPF record that is not (yet) published in DNS, sort of a dry run of a proposed SPF record change. Note that mechanisms referring to other names (include:, a:, mx:) still need DNS to be evaluated; it is only the record under test itself that does not have to be published. For example:

The example above is a correctly formatted record for the non-existent domain testdomainspif.com, and the IP address tested matched it. But if I test it with an IP address that isn't in the SPF record, it returns nothing:
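To show what such a dry run involves under the hood, here is an added example written for this post; it is not part of the SpfAnalyzer module and does not use it. It is a small, dependency-free SPF linter and IP checker in plain PowerShell: it parses a record string, flags the problems a migration engineer cares about (terms after "all", "+all", malformed ip4:/ip6: entries, more than the 10 DNS-lookup terms RFC 7208 allows) and tests an IP address against the literal ip4:/ip6: networks. Terms that need DNS (include, a, mx, ptr, exists, redirect) are reported, not resolved, so a result is only marked definitive when none of them precede the matching term. The record and domain in the demo are constructed and not published anywhere.

```powershell
# Added example, not SpfAnalyzer code: offline SPF record linter and IP checker.
$QualifierResult = @{ '+' = 'Pass'; '-' = 'Fail'; '~' = 'SoftFail'; '?' = 'Neutral' }

function ConvertFrom-SpfRecord {
    param([Parameter(Mandatory)][string]$Record)
    $terms = $Record.Trim() -split '\s+'
    if ($terms[0] -ne 'v=spf1') { throw "Not an SPF record, version tag is '$($terms[0])'" }
    $parsedTerms = [System.Collections.Generic.List[object]]::new()
    $warnings    = [System.Collections.Generic.List[string]]::new()
    $lookups     = 0        # include/a/mx/ptr/exists/redirect each cost a DNS lookup (RFC 7208 4.6.4)
    $seenAll     = $false
    foreach ($term in ($terms | Select-Object -Skip 1)) {
        if ($seenAll) { $warnings.Add("'$term' comes after 'all' and is never evaluated"); continue }
        if ($term -match '^(?<name>[a-z]+)=(?<value>.+)$') {          # modifier, e.g. redirect=_spf.example.com
            if ($Matches.name -eq 'redirect') { $lookups++ }
            $parsedTerms.Add([pscustomobject]@{ Name = $Matches.name; Qualifier = $null; Argument = $Matches.value; Cidr = ''; IsModifier = $true })
            continue
        }
        if ($term -notmatch '^(?<q>[+\-~?])?(?<name>[a-z0-9]+)(?::(?<arg>[^/]+))?(?<cidr>/[\d/]+)?$') {
            $warnings.Add("Unparsable term '$term'"); continue
        }
        $qualifier = if ($Matches.q) { $Matches.q } else { '+' }     # default qualifier is '+' (RFC 7208 4.6.2)
        $m = [pscustomobject]@{ Name = $Matches.name; Qualifier = $qualifier; Argument = $Matches.arg; Cidr = $Matches.cidr; IsModifier = $false }
        switch ($m.Name) {
            'all' {
                $seenAll = $true
                if ($m.Qualifier -eq '+') { $warnings.Add("'+all' authorizes every host on the internet") }
            }
            { $_ -in 'include', 'a', 'mx', 'ptr', 'exists' } { $lookups++ }
            { $_ -in 'ip4', 'ip6' } {
                $parsed = $null
                $family = if ($_ -eq 'ip4') { 'InterNetwork' } else { 'InterNetworkV6' }
                if (-not [System.Net.IPAddress]::TryParse($m.Argument, [ref]$parsed) -or $parsed.AddressFamily -ne $family) {
                    $warnings.Add("'$term' is not a valid $($m.Name) address")
                }
            }
            default { $warnings.Add("Unknown mechanism '$($m.Name)' in '$term'") }
        }
        $parsedTerms.Add($m)
    }
    if (-not $seenAll)   { $warnings.Add("No 'all' mechanism; unmatched senders get Neutral (RFC 7208 4.7)") }
    if ($lookups -gt 10) { $warnings.Add("$lookups DNS-lookup terms exceed the limit of 10; evaluators return PermError") }
    [pscustomobject]@{ Terms = $parsedTerms; DnsLookups = $lookups; Warnings = $warnings }
}

function Test-IpInNetwork {
    # $Network is '40.92.0.0/15', '2a01:111:f400::/48' or a bare address (exact host match)
    param([System.Net.IPAddress]$IpAddress, [string]$Network)
    $netAddr, $prefixLen = $Network -split '/', 2
    $net = [System.Net.IPAddress]::Parse($netAddr)
    if ($net.AddressFamily -ne $IpAddress.AddressFamily) { return $false }
    $a = $IpAddress.GetAddressBytes(); $b = $net.GetAddressBytes()
    $bits = if ($prefixLen) { [int]$prefixLen } else { $a.Length * 8 }
    for ($i = 0; $i -lt $bits; $i++) {                               # compare the first $bits bits, MSB first
        $mask = 0x80 -shr ($i % 8)
        if (($a[$i -shr 3] -band $mask) -ne ($b[$i -shr 3] -band $mask)) { return $false }
    }
    return $true
}

function Test-SpfRecordIp {
    param([Parameter(Mandatory)][string]$Record, [Parameter(Mandatory)][string]$IpAddress)
    $ip  = [System.Net.IPAddress]::Parse($IpAddress)
    $spf = ConvertFrom-SpfRecord -Record $Record
    $needsDns = [System.Collections.Generic.List[string]]::new()     # earlier terms that could only be evaluated with DNS
    $outcome  = [pscustomobject]@{ IpAddress = $IpAddress; Result = 'Neutral'; MatchedBy = $null; Definitive = $true; NeedsDns = $needsDns; Warnings = $spf.Warnings }
    foreach ($t in $spf.Terms) {
        if ($t.IsModifier) { if ($t.Name -eq 'redirect') { $needsDns.Add("redirect=$($t.Argument)") }; continue }
        $matched = switch ($t.Name) {
            'all'                  { $true }
            { $_ -in 'ip4', 'ip6' } { [System.Net.IPAddress]::TryParse($t.Argument, [ref]$null) -and (Test-IpInNetwork -IpAddress $ip -Network ($t.Argument + $t.Cidr)) }
            default                { $needsDns.Add("$($t.Name)$(if ($t.Argument) { ':' + $t.Argument })"); $false }
        }
        if ($matched) {                                               # first matching mechanism wins (RFC 7208 4.6.4)
            $outcome.Result     = $QualifierResult[$t.Qualifier]
            $outcome.MatchedBy  = $t
            $outcome.Definitive = ($needsDns.Count -eq 0)
            return $outcome
        }
    }
    $outcome.Definitive = ($needsDns.Count -eq 0)
    $outcome
}

# Constructed proposed record for a fictitious domain; the last two terms are deliberately wrong.
$proposed = 'v=spf1 ip4:40.92.0.0/15 ip6:2a01:111:f400::/48 include:spf.protection.outlook.com ip4:192.0.2.0/24 ip4:999.1.1.1 -all mx'
Test-SpfRecordIp -Record $proposed -IpAddress '40.92.0.2'      # Pass via ip4:40.92.0.0/15, Definitive = True
Test-SpfRecordIp -Record $proposed -IpAddress '192.0.2.10'     # Pass, but Definitive = False: the include: before it was not resolved
Test-SpfRecordIp -Record $proposed -IpAddress '203.0.113.7'    # Fail via -all, Definitive = False for the same reason
(ConvertFrom-SpfRecord -Record $proposed).Warnings              # flags ip4:999.1.1.1 and the mx after -all
```

The Definitive flag is the important bit for a dry run: an ip4:/ip6: hit that sits after an include: is only a "pass" if that include does not already match, which needs DNS, and that is exactly the gap SpfAnalyzer's DNS-backed cmdlets close. The lookup counter is worth keeping in any such script, since exceeding the limit of 10 turns the whole record into a PermError at the receiving side regardless of how correct the individual entries are.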

Wrapping up

And that’s how you use the SpfAnalyzer module, nice for reporting and testing SPF and DMARC things using PowerShell. Have a lovely weekend!

3 thoughts on "Analyze SPF records using the PowerShell module SpfAnalyzer"

  1. Hi Haram

    This is a very useful tool for sure. I have been working with Exchange servers and Exchange Online for years and with this tool I can quickly check up on a number of domains fast and easy.

    Thank you.
