~OT: status/replacement of "DMARC, DKIM and SPF Test System at NIST" ?

~OT: status/replacement of "DMARC, DKIM and SPF Test System at NIST" ?

PGNet Dev
The list of DMARC et al deployment tools

        https://dmarc.org/resources/deployment-tools/#Message_Validation

identifies

        "DMARC, DKIM and SPF Test System at NIST"
         https://www.had-pilot.com/

as one of the available tests.

afaict, it's the only (?) test site that provides simple checks of
*inbound* to locally-deployed, Postfix-integrated authentication
services; e.g.,

        bad-spf - Ask for a message that will fail SPF checks. A reply
        (sent to the MAIL FROM address) will be sent from the test system.
        This reply will have a spoofed MAIL FROM address, that will result
        in a failed SPF check. This is to test receiver SPF checking code.

        bad-dkim - Ask for a message that will fail DKIM validation. A reply
        (sent to the MAIL FROM address) will be sent from the test system.
        This reply will have a DKIM signature that cannot be validated by
        the DKIM key stored in the DNS with the stated selector.

        non-align - Ask for a message that will fail DMARC policy validation.
        A reply (sent to the MAIL FROM address) will be sent from the test
        system. The message has a spoofed "from:" address that should fail
        DMARC alignment checks.

The trigger address,

        [hidden email]

appears to be non-functional. Seems to be missing a DNS record ...

Anyone here know of its status?

&/or, is there another available tool that does the same -- testing inbound?

Re: ~OT: status/replacement of "DMARC, DKIM and SPF Test System at NIST"?

Scott Kitterman-4
On Monday, March 18, 2019 02:15:30 PM PGNet Dev wrote:
> &/or, is there another available tool that does the same -- testing inbound?

If you don't have one already, set up a gmail account that autoforwards to
you.

Send your test mail to this gmail address.

Inspect the headers when you get it back.  It's all there.

Scott K

Re: ~OT: status/replacement of "DMARC, DKIM and SPF Test System at NIST"?

PGNet Dev
On 3/18/19 2:27 PM, Scott Kitterman wrote:
> On Monday, March 18, 2019 02:15:30 PM PGNet Dev wrote:
>> &/or, is there another available tool that does the same -- testing inbound?
>
> If you don't have one already, set up a gmail account that autoforwards to
> you.
>
> Send your test mail to this gmail address.
>
> Inspect the headers when you get it back.  It's all there.

Auto-fwd is easy enough, but I'm not clear ...

How do you spoof each of the specific failure triggers mentioned with
this method?

Re: ~OT: status/replacement of "DMARC, DKIM and SPF Test System at NIST"?

Scott Kitterman-4
On Monday, March 18, 2019 02:39:42 PM PGNet Dev wrote:

> On 3/18/19 2:27 PM, Scott Kitterman wrote:
> > On Monday, March 18, 2019 02:15:30 PM PGNet Dev wrote:
> >> &/or, is there another available tool that does the same -- testing
> >> inbound?
> >
> > If you don't have one already, set up a gmail account that autoforwards to
> > you.
> >
> > Send your test mail to this gmail address.
> >
> > Inspect the headers when you get it back.  It's all there.
>
> Auto-fwd is easy enough, but I'm not clear ...
>
> How do you spoof each of the specific failure triggers mentioned with
> this method?

Turn off your DKIM milter, send.

Take your server's IP address out of your SPF record, send.

Vary, repeat as needed.  There aren't that many cases.

Scott K
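
A sketch of the "inspect the headers" step from the replies above, added here as an example and not code posted by anyone in the thread: it reads the Authentication-Results headers (RFC 8601) of a returned message and compares the SPF/DKIM/DMARC verdicts from one chosen verifier against what a test case expects. The sample message, hostnames and helper names are constructed assumptions; a forwarded message usually carries one such header per hop, so the script filters on the authserv-id of the receiver being tested.

```python
import email
import re
from email import policy

# Constructed sample of a returned test message; every hostname, address
# and verdict here is made up for illustration.
SAMPLE = """\
Authentication-Results: mx.example.net;
 dkim=pass header.i=@example.org header.s=sel1;
 spf=fail (sender IP not permitted) smtp.mailfrom=test@example.org;
 dmarc=pass (p=REJECT) header.from=example.org
Authentication-Results: relay.example.com; spf=pass smtp.mailfrom=fwd@example.com
From: test@example.org

body
"""

METHOD_RE = re.compile(r"^\s*([a-z0-9-]+)\s*=\s*([a-z]+)", re.I)

def strip_comments(value):
    """Remove RFC 5322 parenthesised comments, including nested ones."""
    out, depth = [], 0
    for ch in value:
        if ch == "(":
            depth += 1
        elif ch == ")" and depth:
            depth -= 1
        elif depth == 0:
            out.append(ch)
    return "".join(out)

def auth_results(raw, authserv_id):
    """Return {method: result} from headers stamped by authserv_id only."""
    msg = email.message_from_string(raw, policy=policy.default)
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        parts = strip_comments(str(hdr)).split(";")
        if (parts[0].split() or [""])[0].lower() != authserv_id.lower():
            continue  # stamped by another hop, not the verifier under test
        for clause in parts[1:]:
            m = METHOD_RE.match(clause)
            if m:  # keep the first verdict seen per method
                verdicts.setdefault(m.group(1).lower(), m.group(2).lower())
    return verdicts

def check(raw, authserv_id, expected):
    """Return {method: actual} for each verdict that differs from expected."""
    got = auth_results(raw, authserv_id)
    return {k: got.get(k) for k in expected if got.get(k) != expected[k]}
```

An empty dict from `check()` means the chosen verifier reported exactly the verdicts the test case expected; any entry names a method and the verdict actually seen (`None` if the header carried no result for it).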