dotbatmanno / psget-domain-mailinfo Goto Github PK

The CLI output is not reusable in the pipeline due to use of Write-Host (!).
Need to switch to using Write-Object

The script will not be able to report the correct information if the site has split-dns or you have a need to check records from regional DNS servers.

A command line or configuration file option should be available to specify which DNS server to send the requests to.

[Feature request proposed by colleague]

Add check to claim that a domain is Spoofable

• This test should be on by default, but also be disabled with the flag -CheckSpoofable 0

• Output should have a flag for IsSpoofable.

• Another graph should be created.

Flag should be True if any of the following conditions are met:

• Lack of an SPF or DMARC record
• SPF record never specifies ~all, -all
• DMARC policy is set to p=none or is nonexistent

Add support / recommendation for adding a blank DKIM record to domains that are not used for e-mail
*._domainkey. TXT "v=DKIM1; p="

DKIM check should identify blank DKIM record to add to scoring capability.

See https://www.gov.uk/guidance/protect-domains-that-dont-send-email

Clean up main script by moving check to see if CSVFile is available for Write to a function.

To support StartTLS we should also implement and verify DANE.

Add CheckDANE as another option, currently the default could be False

https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities

The script skips checking for DMARC, and possibly other policies, if there is no MX record.
This could be considered a bug, however the script does say #N/A rather than None.

This default of not checking should be highlighted to users. If possible consider adding an option to force checking of specific / all policies, regardless of MX records.

To recreate the issue run the script against any domain that has a DMARC policy but no MX record.
The domain this was noticed for was coronavirus.gov, see https://internet.nl/mail/coronavirus.gov/399588/.

The documentation needs to be updated to demonstrate the StartTLS testing.

Should also add the testing of StartTLS as an (optional) command line parameter.

One domain may use multiple DKIM selectors, e.g. Microsoft Exchange Online uses Selector1 and Selector2 by default.

Add support for checking DNSSEC

DNSSEC is really required to ensure all the other policies we are verifying are working as intended.

https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions

If the queried TXT record is broken over multiple lines the script will not concatenate the parts into one string.

Reproducing the issue
Query a domain that has a TXT record, e.g. SPF, that is long and broken over multiple lines.

Expected behavior
The script should join all lines of the returned TXT record into one string.

Generate a pie-chart showing results in an easily displayed way

Add code to allow the DKIM Selector(s) to be specified per domain in the text file that is read

• Support CSV file
• Detect list separator used in CSV

If a query for _domainkey. domainname. tld returns NOERROR then there is a high probability that there is at least one selectlr. _domainkey entry?!

In the case of Microsoft Online Selector1._domainkey.domainname.tld should be a CNAME pointing to onmicrosoft.com where the actual DKIM Selector TXT record is published.

If so, return Selector1=selector1-domainname-tld._domainkey.domainname.onmicrosoft.com

Add verification that the . (dot) MX record has a preference of 0.

Allow users to check more than one domain from the command line interface.

Use a CSV file to define the score to give, this allows for customization by user.

Combine existence of records with strength of records to give total score.

SPF Qualifier | Policy   | Protection
-----------------------------------
+all          | Pass     | None
~all          | Softfail | Weak
-all          | Fail     | Strong

SPF, DKIM and DMARC existence could score as shown below:

SPF_DKIM_DMARC      | Protection
-------------------------------------
False, False, False | None
False, False, True  | None
False, True, False  | Weak
False, True, True   | Weak
True, False, False  | Weak
True, False, True   | Strong
True, True, False   | Strong
True, True, True    | Strong