Verifying DNS records for Exchange Online is something that I do for migrations or security scans. I wrote a function for that in the past, but the DomainHealthChecker module is pretty extensive! In this small blog post, I will show you how to use it.
What does the DomainHealthChecker module do?
“Invoke-SpfDkimDmarc is a function within the PowerShell module DomainHealthChecker that checks SPF, DKIM, BIMI, and DMARC records for one or more domains. After installing the module, you can use Invoke-SpfDkimDmarc to check all three records at once. You can also check the records individually by using the cmdlets Get-SPFRecord, Get-DKIMRecord, Get-DNSSec, Get-BIMIrecord or Get-DMARCRecord to retrieve the record for a single domain.”
Source: https://github.com/T13nn3s/Invoke-SpfDkimDmarc/ (Martien van Dijk)
Installation
You can install the module from the PowerShell Gallery using:
Install-Module -Name DomainHealthChecker
Or, when you have PSResourceGet installed, you can use:
Install-PSResource -Name DomainHealthChecker
After installation, these Cmdlets are available:

Using the Module
Below are all the separate CmdLets from the Module and how they work.
Get-BIMIRecord
In case you were wondering, BIMI stands for Brand Indicators for Message Identification 🙂 It’s a DNS TXT Record that enables companies to display their brand logo next to sent emails. You can query if a Domain has one configured using the Get-BIMIRecord CmdLet, for example:

I stored the output in a $Record variable and output it in a Format-List because it didn’t fit my window due to the long BimiAdversory. My domain doesn’t have one configured (yet), and it shows what it queried, reports that it didn’t find any BIMI record, and displays advice.
Get-DKIMRecord
The DKIM (DomainKeys Identified Mail) record is a DNS TXT Record that adds a digital signature to emails. You can query a domain for that using Get-DKIMRecord. For example:

Get-DMARCRecord
The DMARC (Domain-based Message Authentication, Reporting, and Conformance) record protects email domains from phishing and spoofing by telling receiving mail servers how to handle emails that fail SPF or DKIM checks. You can use Get-DMARCRecord to query a domain, for example:
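To show what the policy in such a record tells receiving servers, here is an added example (not part of the DomainHealthChecker module or the original post) that parses DMARC TXT strings and grades them. The function name Get-DmarcPolicySummary, the finding texts, and the sample records are assumptions constructed for illustration.

```powershell
# Added example: parse a DMARC TXT record and grade its policy.
# Get-DmarcPolicySummary is a hypothetical helper, not a DomainHealthChecker cmdlet.
function Get-DmarcPolicySummary {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string]$Record
    )
    # Split "v=DMARC1; p=reject; rua=mailto:x" into a tag/value table
    $tags = @{}
    foreach ($part in ($Record -split ';')) {
        $name, $value = $part -split '=', 2
        if ($null -ne $value) { $tags[$name.Trim().ToLower()] = $value.Trim() }
    }
    # Grade the record from weakest to strongest outcome
    $finding = if ($tags['v'] -ne 'DMARC1') {
        'No valid DMARC record found'
    } elseif ($tags['p'] -notin 'none', 'quarantine', 'reject') {
        'Missing or invalid p= tag'
    } elseif ($tags['p'] -eq 'none') {
        'Monitoring only: no action requested for failing mail'
    } elseif ($tags.ContainsKey('pct') -and [int]$tags['pct'] -lt 100) {
        "Policy applies to only $($tags['pct'])% of failing mail"
    } else {
        'Enforced'
    }
    [pscustomobject]@{
        Domain  = $Domain
        Policy  = $tags['p']
        Pct     = if ($tags.ContainsKey('pct')) { [int]$tags['pct'] } else { 100 }
        Reports = $tags['rua']
        Finding = $finding
    }
}

# Constructed sample records (not real lookups). For a live domain, the TXT
# strings would come from: (Resolve-DnsName "_dmarc.$domain" -Type TXT).Strings
$samples = [ordered]@{
    'enforced.example'   = 'v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example'
    'monitoring.example' = 'v=DMARC1; p=none; rua=mailto:dmarc@monitoring.example'
    'partial.example'    = 'v=DMARC1; p=quarantine; pct=25'
    'missing.example'    = ''
}
$samples.GetEnumerator() | ForEach-Object {
    Get-DmarcPolicySummary -Domain $_.Key -Record $_.Value
} | Format-Table -AutoSize
```

A domain graded "Monitoring only" or with a pct below 100 still publishes a DMARC record, so a presence check alone does not show whether spoofed mail is actually rejected.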

Get-DNSSEC
DNSSEC (Domain Name System Security Extensions) is a suite of protocols that adds cryptographic signatures to DNS records to ensure integrity and authenticity. You can check if a domain is DNSSEC-enabled by using Get-DNSSEC. For example:

Get-SPFRecord
An SPF (Sender Policy Framework) record is a DNS TXT record that lists all servers authorized to send email from a domain. You can check a domain’s SPF record using Get-SPFRecord. For example:

Invoke-MtaSts
MTA-STS (Mail Transfer Agent Strict Transport Security) is an email security standard that enforces encrypted TLS connections for mail transfer, preventing man-in-the-middle and downgrade attacks. You can use Invoke-MtaSts to test if a domain has this configured, for example:

I don’t have this configured, and the mtaRecord field was too long to display (it didn’t find the record and outputted TXT records from my domain).
Invoke-SpfDkimDmarc
This CmdLet combines all the separate CmdLets shown above. Running Invoke-SpfDkimDmarc will return this for my domain, for example:

You can also use the -File parameter to specify a file containing domain names to check multiple domains.
Update-ModuleDomainHealthChecker
This CmdLet will update your module to a newer version, if available. You can run it with -Verbose to check its current version, too.

More information
Readme: https://github.com/T13nn3s/Invoke-SpfDkimDmarc/blob/main/README.md
Changelog: https://github.com/T13nn3s/Invoke-SpfDkimDmarc/blob/main/CHANGELOG
Wrapping up
And that’s how you can easily query DNS records regarding mail for a specific domain. Easy, and very useful! Have a lovely weekend!