Email Authentication Tester
Test SPF/DKIM/DMARC

HAD Email Test Tool

In recent years the IETF has been making a range of efforts to secure the email infrastructure and its use. Infrastructure protection includes source authentication by RFC 4408 SPF, message integrity authentication by RFC 6376 DKIM, and domain owner feedback on the effectiveness of these tools by DMARC (www.dmarc.org).

The List of Tests

There are currently three tests available, with more planned in the future: one test for senders and two for receivers. Each test is triggered by a command in the subject of an email sent to tester@email-test.had.dnsops.gov.

The test system allows 12 test messages a day, with five minutes between tests. This is to prevent the system from being used for abuse. Frequent abuse of the system will result in that sender being blacklisted, and messages sent to tester@email-test.had.dnsops.gov will be discarded.

  • test - See your DNS-based email authentication stance from the outside. Email messages to tester@email-test.had.dnsops.gov will have SPF and DKIM checks performed, along with a test for DMARC. A reply will be sent with the findings. The reply is sent to the address in the MAIL FROM of the request.
  • bad-spf - Ask for a message that will fail SPF checks. A reply (sent to the MAIL FROM address) will be sent from the test system. This reply will have a spoofed MAIL FROM address that will result in a failed SPF check. This is to test receiver SPF checking code.
  • bad-dkim - Ask for a message that will fail DKIM validation. A reply (sent to the MAIL FROM address) will be sent from the test system. This reply will have a DKIM signature that cannot be validated by the DKIM key stored in the DNS with the stated selector.
  • non-align - Ask for a message that will fail DMARC policy validation. A reply (sent to the MAIL FROM address) will be sent from the test system. The message has a spoofed "from:" address that should fail DMARC alignment checks.
  • aggreport - Returns a sample DMARC aggregate report based on the single message sent. It is not exactly in conformance with the DMARC specification in that the report is sent as text in the message body and not a zipped attachment. It is also sent as a reply to the sender, not as a regular report to the listed address in any discovered DMARC RR.
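
The receiver-side tests (bad-spf, bad-dkim, non-align) are only useful if you confirm what your own mail system decided about each reply. The following is an added example, not part of the test tool: it assumes your receiving MTA stamps an RFC 8601 Authentication-Results header on inbound mail, and the header values, hostnames and domains shown are constructed placeholders.

```python
import re

# Which Authentication-Results method each test command should make fail, and
# the result keywords counted as a failure (treating SPF "softfail" as a
# failure is an assumption of this example).
EXPECTED = {"bad-spf": ("spf", {"fail", "softfail"}),
            "bad-dkim": ("dkim", {"fail"}),
            "non-align": ("dmarc", {"fail"})}

def parse_auth_results(value):
    """Return {method: [result, ...]} from an Authentication-Results value."""
    value = re.sub(r"\s+", " ", value)          # unfold continuation lines
    while re.search(r"\([^()]*\)", value):      # drop (possibly nested) comments
        value = re.sub(r"\([^()]*\)", "", value)
    results = {}
    # Segment 0 is the authserv-id; the rest are "method=result prop=value ..."
    for segment in value.split(";")[1:]:
        m = re.match(r"\s*([a-z0-9-]+)\s*=\s*([a-z]+)", segment, re.I)
        if m:
            results.setdefault(m.group(1).lower(), []).append(m.group(2).lower())
    return results

def check_receiver(command, auth_results_value):
    """Classify how the receiver handled the reply to one test command."""
    method, failing = EXPECTED[command]
    verdicts = parse_auth_results(auth_results_value).get(method, [])
    if not verdicts:
        return "not-evaluated"   # receiver never ran this check
    return "caught" if any(v in failing for v in verdicts) else "missed"

# Constructed sample headers (hostnames and domains are placeholders).
SAMPLES = {
    "bad-spf": "mx.receiver.example; spf=fail (ip not permitted)\r\n"
               " smtp.mailfrom=spoofed.example; dkim=none",
    "bad-dkim": "mx.receiver.example; spf=pass smtp.mailfrom=sender.example;"
                " dkim=fail (body hash mismatch) header.d=sender.example",
    "non-align": "mx.receiver.example; spf=pass smtp.mailfrom=sender.example;"
                 " dkim=pass header.d=sender.example",
}

if __name__ == "__main__":
    for command, header in SAMPLES.items():
        print(f"{command:10} -> {check_receiver(command, header)}")
```

A "not-evaluated" result, as in the constructed non-align sample, means the receiver recorded no verdict for that method at all, which is a different gap from a check that ran and passed the message.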