T13nn3s / Invoke-SpfDkimDmarc

PowerShell Module for checking SPF, DKIM and DMARC-record.
https://binsec.nl/powershell-script-for-spf-dmarc-and-dkim-validation/
MIT License

Get-SPFRecord fails on multiple line returned #21

Closed ChrisOD-AD closed 1 year ago

ChrisOD-AD commented 2 years ago

I have a minor change to Get-SPFRecord that fixes the behaviour if a zone has a LONG SPF record.

Changes:

    # Join the strings of a long SPF record (returned as an array) into one string
    $SPF = $SPF -join ""
    # Count the version tags to detect more than one SPF record
    $spfCnt = ([regex]::Matches($SPF, "v=spf1")).Count
    # After -join the value is never $null, so test for an empty string as well
    if ([string]::IsNullOrEmpty($SPF)) {
        $SpfAdvisory = "Domain does not have an SPF record. To prevent abuse of this domain, please add an SPF record to it."
    }
    elseif ($spfCnt -gt 1) {
        $SpfAdvisory = "Domain has more than one SPF-record. One SPF record for one domain. This is explicitly defined in RFC4408"
    }
    else {
        switch -Regex ($SPF) {
            '~all' {
                $SpfAdvisory = "An SPF-record is configured but the policy is not sufficiently strict."
            }
            '-all' {
                $SpfAdvisory = "An SPF-record is configured and the policy is sufficiently strict."
            }
            "\?all" {
                $SpfAdvisory = "Your domain has a valid SPF record but your policy is not effective enough."
            }
            '\+all' {
                $SpfAdvisory = "Your domain has a valid SPF record but your policy is not effective enough."
            }
            Default {
                $SpfAdvisory = "No qualifier found. Your domain has a SPF record but your policy is not effective enough."
            }
        }
    }

T13nn3s commented 2 years ago

Hi ChrisOD-AD, Do you have a specific example so that I can validate the current behavior and the behavior after the change?

ChrisOD-AD commented 2 years ago

Sure, look at hcf.com.au

Chris

T13nn3s commented 2 years ago

Thanks. I can confirm that the output of the script does not reflect the reality of the SPF record. I now see it as a bug in the script and am doing some further research. The SPF record is indeed very long and also contains errors (too many DNS lookups).

Your suggested change doesn't seem to be the solution yet. I need to look into this further.

ChrisOD-AD commented 2 years ago

Yes, HCF has a terrible SPF. Which TBF was why I remembered it. I'll email you later with some others that have valid SPFs, but split reply.

Chris

ChrisOD-AD commented 1 year ago

Here are some domains from our tenants that have long SPFs (i.e. return an [array] in $SPF)

lifemark.ca hcf.com.au myhomecare.com.au vivir.com.au rsllifecare.org.au

T13nn3s commented 1 year ago

@ChrisOD-AD,

I have tried to solve this 'problem' in the script, but am so far unsuccessful in doing so.

An SPF record may contain a maximum of 255 characters. If you go over this limit, the SPF record is returned to the script as an array. Furthermore, an SPF record above 255 characters may not be validated correctly, which may result in an incorrect check and then the SPF record no longer functions properly.

My advice is to split your SPF records into multiple TXT records and then create 1 SPF record into which you include the other records.

So far, I can't get this fixed neatly in the script and I'll leave it as it is for now.
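The array behaviour discussed in this thread, as an added example that is not part of the thread or the module's own code: DNS serves a TXT record longer than 255 bytes as several character-strings, and RFC 7208 section 3.3 says to concatenate them without spaces before parsing. The function name `Get-SpfFromTxtRecord` and the sample records are constructed for illustration; the input is assumed to have the `.Strings` property that `Resolve-DnsName -Type TXT` returns.

```powershell
# Added example: hypothetical helper, not code from Invoke-SpfDkimDmarc.
function Get-SpfFromTxtRecord {
    param(
        # Objects with a .Strings property (string[]), one object per TXT record
        [object[]] $TxtRecord = @()
    )

    # Join the character-strings inside each TXT record with no separator,
    # but keep separate TXT records separate so they can still be counted.
    $joined = foreach ($record in $TxtRecord) { $record.Strings -join '' }

    # Only TXT records that start with the version tag are SPF records.
    $spf = @($joined | Where-Object { $_ -match '^v=spf1( |$)' })

    $qualifier = $null
    if ($spf.Count -eq 1) {
        # An "all" mechanism without a qualifier defaults to "+" (pass).
        if ($spf[0] -match '(?:^|\s)(?<q>[-~?+])?all(?:\s|$)') {
            $qualifier = if ($Matches['q']) { $Matches['q'] } else { '+' }
        }
    }

    [pscustomobject]@{
        SpfRecordCount = $spf.Count      # 0 = none, 1 = valid, >1 = permerror
        SpfRecord      = $spf -join ' | '
        Length         = ($spf | ForEach-Object { $_.Length }) -join ','
        AllQualifier   = $qualifier      # $null when no "all" mechanism exists
    }
}

# Constructed sample: one SPF record split mid-address into two strings,
# plus an unrelated TXT record that must not be merged into the SPF text.
$sample = @(
    [pscustomobject]@{ Strings = @('v=spf1 include:_spf.example.com ip4:192.0.2.', '10 -all') }
    [pscustomobject]@{ Strings = @('site-verification=constructed-value') }
)

Get-SpfFromTxtRecord -TxtRecord $sample
```

Joining per record rather than across the whole answer keeps the "more than one SPF record" check meaningful, because unrelated TXT records never end up inside the SPF string.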

ChrisOD-AD commented 1 year ago

Thanks for looking at it, still think your module is the best out there.

Cheers Chris
