
I have a small program designed to check the existence of these three mail records to counter spoofing. It seems to work on specific domains; however, they seem to be set up on a case-by-case basis. My question is: what's a more robust way to check these records? The code is here: https://gist.github.com/amlwwalker/f445932d2fdb0f9f9a5e457c1894bf7d

Examples:

Ryanair.com:

result:  v=spf1 a mx include:mail1.ryanair.com include:mail2.ryanair.com ~all
err:  lookup _dmarc.ryanair.com on 172.16.4.1:53: no such host
err:  lookup dkim._domainkey.ryanair.com on 172.16.4.1:53: no such host

Ryanair Email header:

Authentication-Results: mx.google.com;
       dkim=pass header.i=@care.ryanair.com;
       spf=pass (google.com: domain of info@care.ryanair.com designates 209.235.250.215 as permitted sender) smtp.mailfrom=info@care.ryanair.com
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=15below; d=care.ryanair.com; h=MIME-Version:From:To:Date:Subject:Message-ID:Content-Type; i=info@care.ryanair.com; bh=MCorT6FfWGOmISJQSzdv4YLmKfg=; b=eXcQvy0odmzIAYy11bfM8OsoiXziin5E1hbWHvxlY6Q+KSpZr6/5OiUZ4EiNoCpNwFrciKB9Yj8G
   wmZOZwxQd3PW05+2bnu+8oKMPij/AyAEAi2tJ0TBEZxM7BOsno84L3eZ0BQFZvog6bW9UQE1fJCQ
   aoQYXPgsHV6dzWjmHYo=

So to me that looks like it has DKIM and SPF. The code doesn't find a DKIM record though.

marvelapp.com

result:  v=spf1 include:mailgun.org include:spf.mandrillapp.com include:spf1 include:mail.zendesk.com include:spf.mail.intercom.io -all
err:  lookup _dmarc.marvelapp.com on 172.16.4.1:53: no such host
err:  lookup dkim._domainkey.marvelapp.com on 172.16.4.1:53: no such host

Marvelapp Email Header:

Received-SPF: pass (google.com: domain of ml-bounce-newsletter@ml.mailersend.com designates 31.193.196.244 as permitted sender) client-ip=31.193.196.244;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@ml.mailersend.com;
       spf=pass (google.com: domain of ml-bounce-newsletter@ml.mailersend.com designates 31.193.196.244 as permitted sender) smtp.mailfrom=ml-bounce-newsletter@ml.mailersend.com

So what I don't understand is why in some cases dkim._domainkey.domain.TLD is the correct way to find the DKIM key, and sometimes it's clearly not (Google seems to find it, but how?). What's the best way to look the DKIM key up?

I basically want that code snippet to return the same result as going to "Show Original" in Gmail does.

Thanks

amlwwalker

1 Answer


The DKIM selector is not necessarily called dkim. In the Ryanair example, the selector is a rather random 15below (from the s= item in the DKIM-Signature header), so you would need to look up 15below._domainkey.ryanair.com.

Synchro
  • Thanks for your response. Is this the standard? For instance, from one emailer I can see that there is a `d=` which contains the domain where the `dkim` key is stored. The Ryanair example just has the domain stored in the `d=` field and you have to add the `15below._domainkey.` to it. Is there a standard set of rules for finding the domain where the key is stored? – amlwwalker Oct 13 '16 at 11:06
  • Yep - it's right [here in the RFC](http://dkim.org/specs/rfc4871-dkimbase.html#dkim-sig-hdr). If you're going to parse DKIM headers, you **really** need to read the spec! – Synchro Oct 13 '16 at 11:09
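The lookup the answer describes, as an added Go example that is not the asker's gist or anyone's code from this thread: it takes the s= and d= tags from a DKIM-Signature header, builds the selector._domainkey.domain query name, and checks the p= tag of the key record that comes back. The sample header is constructed from the Ryanair one quoted in the question; net.LookupTXT is Go's standard resolver and is only called from main, since it needs the network.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// dkimTags parses a "tag=value; tag=value" list (a DKIM-Signature header with
// folded lines joined, or a key TXT record); whitespace inside values is dropped.
func dkimTags(s string) map[string]string {
	if strings.HasPrefix(strings.ToLower(s), "dkim-signature:") {
		s = s[len("dkim-signature:"):]
	}
	tags := map[string]string{}
	for _, field := range strings.Split(s, ";") {
		if kv := strings.SplitN(strings.TrimSpace(field), "=", 2); len(kv) == 2 {
			tags[strings.TrimSpace(kv[0])] = strings.Join(strings.Fields(kv[1]), "")
		}
	}
	return tags
}

// dkimQueryName builds <selector>._domainkey.<signing domain> from the s= and
// d= tags; that, not dkim._domainkey.<domain>, is where the public key lives.
func dkimQueryName(header string) (string, error) {
	t := dkimTags(header)
	if t["s"] == "" || t["d"] == "" {
		return "", fmt.Errorf("DKIM-Signature lacks s= or d= tag")
	}
	return t["s"] + "._domainkey." + t["d"], nil
}

// publicKeyFromTXT returns the p= value of a key record and whether it is
// usable; RFC 4871 says an empty p= means the selector's key is revoked.
func publicKeyFromTXT(record string) (string, bool) {
	p, ok := dkimTags(record)["p"]
	return p, ok && p != ""
}

func main() {
	// Constructed sample modelled on the header quoted in the question.
	hdr := "DKIM-Signature: v=1; a=rsa-sha1; s=15below; d=care.ryanair.com; h=From:To; bh=MCorT6Ff=; b=eXcQvy0o\r\n   wmZOZwxQ\r\n   aoQYXPg="
	name, err := dkimQueryName(hdr)
	if err == nil {
		txt, lerr := net.LookupTXT(name) // the only step that needs the network
		fmt.Println("query:", name, "result:", txt, "err:", lerr)
	}
}
```

Run against a real message, the query printed is the one to feed into the existing gist in place of the fixed dkim._domainkey name.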