├── CODE_OF_CONDUCT.md
├── LICENSE
├── README.md
├── Show-AntiSpoof.ps1
└── dkimlist.txt


/CODE_OF_CONDUCT.md:
--------------------------------------------------------------------------------
# Contributor Covenant Code of Conduct

## Our Pledge

In the interest of fostering an open and welcoming environment, we as
contributors and maintainers pledge to making participation in our project and
our community a harassment-free experience for everyone, regardless of age, body
size, disability, ethnicity, sex characteristics, gender identity and expression,
level of experience, education, socio-economic status, nationality, personal
appearance, race, religion, or sexual identity and orientation.

## Our Standards

Examples of behavior that contributes to creating a positive environment
include:

* Using welcoming and inclusive language
* Being respectful of differing viewpoints and experiences
* Gracefully accepting constructive criticism
* Focusing on what is best for the community
* Showing empathy towards other community members

Examples of unacceptable behavior by participants include:

* The use of sexualized language or imagery and unwelcome sexual attention or
  advances
* Trolling, insulting/derogatory comments, and personal or political attacks
* Public or private harassment
* Publishing others' private information, such as a physical or electronic
  address, without explicit permission
* Other conduct which could reasonably be considered inappropriate in a
  professional setting

## Our Responsibilities

Project maintainers are responsible for clarifying the standards of acceptable
behavior and are expected to take appropriate and fair corrective action in
response to any instances of unacceptable behavior.

Project maintainers have the right and responsibility to remove, edit, or
reject comments, commits, code, wiki edits, issues, and other contributions
that are not aligned to this Code of Conduct, or to ban temporarily or
permanently any contributor for other behaviors that they deem inappropriate,
threatening, offensive, or harmful.

## Scope

This Code of Conduct applies both within project spaces and in public spaces
when an individual is representing the project or its community. Examples of
representing a project or community include using an official project e-mail
address, posting via an official social media account, or acting as an appointed
representative at an online or offline event. Representation of a project may be
further defined and clarified by project maintainers.

## Enforcement

Instances of abusive, harassing, or otherwise unacceptable behavior may be
reported by contacting the project team at dmstork@stalpaert.nl. All
complaints will be reviewed and investigated and will result in a response that
is deemed necessary and appropriate to the circumstances. The project team is
obligated to maintain confidentiality with regard to the reporter of an incident.
Further details of specific enforcement policies may be posted separately.

Project maintainers who do not follow or enforce the Code of Conduct in good
faith may face temporary or permanent repercussions as determined by other
members of the project's leadership.

## Attribution

This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
available at

[homepage]: https://www.contributor-covenant.org

For answers to common questions about this code of conduct, see


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
# MIT License

Copyright (c) 2020 Dave Stork

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Show-AntiSpoof

PowerShell-based script that checks every accepted domain of Exchange and shows the DNS configuration of SPF and DMARC for each domain using an external DNS server. Alternatively, you can request the same information for a specific domain that is not necessarily configured as an Accepted Domain.

## Author

- Dave Stork
- dmstork at stalpaert.nl
- [Dave Stork's IMHO](https://dirteam.com/dave)
- [Dave Stork on Twitter](https://twitter.com/dmstork)

## License

MIT License Copyright (c) 2018-2020 Dave Stork

## Version

- Version 1.00 17 August 2018
- Version 1.01 20 August 2018
- Version 1.02 21 August 2018
- Version 1.03 12 December 2019
- Version 1.04 07 February 2020
- Version 1.10 30 October 2020
- Version 1.20 13 February 2022
- Version 1.30 29 April 2022
- Version 1.40 22 July 2022

### Revision History

- 1.00 Private release
- 1.01 Added support for custom DNS server at commandline
- 1.02 Added support for custom domain at commandline, overrules checking Exchange
- 1.03 Added MX records lookup
- 1.04 Small bugfixes: Using Get-AcceptedDomains correctly, better DNS server check.
- 1.10 Added more extensive DKIM checks for known selectors AND added parameter to check for a custom selector
- 1.20 Added MTA-STS and TLS-RPT checks
- 1.30 Added batch file support for domains. Changed default DNS server to 1.1.1.1. Fixed AcceptedDomains issue with Exchange
- 1.40 Added BIMI support. More efficient use of functions, some small bugfixes

## Known Limitations

- Required to be run in Exchange PowerShell in order to check all of your accepted domains in one run. Alternatively use batch file support.
- Can't resolve the exact DKIM selector DNS record as that is a variable in most cases. And due to security, most domain services don't allow complete zone transfers, which you would need to find an unknown record. Since v1.1 you can add a custom record though.
- Requires at least Windows Server 2012, or PowerShell v3.0 due to Resolve-DnsName
- DNS check not working as intended, but should be no issue

## Link

[Dave Stork's IMHO](https://dirteam.com/dave)

## Description

Run the script in Exchange PowerShell (remote or in your current environment) and a report will be shown with the current external SPF and DMARC configuration. Edit the variable if you require another default DNS server. Without Exchange PowerShell, you can run the script and get the same information by explicitly stating a domain.

## Examples

.\Show-AntiSpoof
Checks all Exchange Accepted Domains

.\Show-AntiSpoof -TranscriptOn
Enables the creation of a transcript file in the same folder as where the script is run.

.\Show-AntiSpoof -DNSServer 1.2.3.4
Overrides the default DNS server (1.1.1.1) with one specified.

.\Show-AntiSpoof -DomainName contoso.com
Overrides checking Accepted Domains from the Exchange environment and checks only the provided domain
No Exchange PowerShell required when this is used.

.\Show-AntiSpoof -DomainName contoso.com -Selector Selector1
Will check whether the specified domain has the DKIM selector specified by the -Selector parameter.

.\Show-AntiSpoof -DomainBatchfile domains.csv
Will check all domains in CSV file with header "DomainName"

--------------------------------------------------------------------------------
/Show-AntiSpoof.ps1:
--------------------------------------------------------------------------------
<#
    .SYNOPSIS
    Show-AntiSpoof.ps1

    PowerShell based script that checks every accepted domain of Exchange and will
    show the DNS configuration of SPF and DMARC for each domain using an external
    DNS server. Alternatively you can request the same information on a specific
    domain not necessarily configured as Accepted Domain.

    Dave Stork et al.
    dmstork at stalpaert.nl
    https://dirteam.com/dave

    .LICENSE
    MIT License

    Copyright (c) 2018-2020 Dave Stork

    Permission is hereby granted, free of charge, to any person obtaining a copy
    of this software and associated documentation files (the "Software"), to deal
    in the Software without restriction, including without limitation the rights
    to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
    copies of the Software, and to permit persons to whom the Software is
    furnished to do so, subject to the following conditions:

    The above copyright notice and this permission notice shall be included in all
    copies or substantial portions of the Software.

    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
    IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
    AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
    OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
    SOFTWARE.

    .VERSION
    Version 1.00 17 August 2018
    Version 1.01 20 August 2018
    Version 1.02 21 August 2018
    Version 1.03 12 December 2019
    Version 1.04 07 February 2020
    Version 1.10 30 October 2020
    Version 1.20 13 February 2022
    Version 1.30 29 April 2022
    Version 1.40 22 July 2022 (Current)

    Revision History
    ---------------------------------------------------------------------
    1.00 Private release
    1.01 Added support for custom DNS server at commandline
    1.02 Added support for custom domain at commandline, overrules checking Exchange
    1.03 Added MX records lookup
    1.04 Small bugfixes: Using Get-AcceptedDomains correctly, better DNS server check.
    1.10 Added more extensive DKIM checks for known selectors AND added parameter to check for a custom selector
    1.20 Added MTA-STS and TLS-RPT checks
    1.30 Added batch file support for domains. Changed default DNS server to 1.1.1.1. Fixed AcceptedDomains issue with Exchange
    1.40 Added BIMI support. More efficient use of functions, some small bugfixes

    KNOWN LIMITATIONS:
    - Required to be run in Exchange PowerShell in order to check all of your accepted domains in one run.
    - Can't resolve the exact DKIM selector DNS record as that is a variable in most cases.
      And due to security, most domain services don't allow complete zone transfers,
      which you would need to find an unknown record. Since v1.1 you can add a custom record though.
    - Requires at least Windows Server 2012, or PowerShell v3.0 due to Resolve-DnsName

    .LINK
    https://dirteam.com/dave

    .DESCRIPTION
    Run the script in Exchange PowerShell (remote or in your current environment) and a report will be shown with
    the current external SPF and DMARC configuration. Edit the variable if you require another default DNS server.
    Without Exchange PowerShell, you can run the script and get the same information by explicitly stating a domain.

    .EXAMPLE
    .\Show-AntiSpoof
    Checks all Exchange Accepted Domains

    .\Show-AntiSpoof -TranscriptOn
    Enables the creation of a transcript file in the same folder as where the script is run.

    .\Show-AntiSpoof -DNSServer 1.2.3.4
    Overrides the default DNS server (1.1.1.1) with one specified.

    .\Show-AntiSpoof -DomainName contoso.com
    Overrides checking Accepted Domains from the Exchange environment and checks only the provided domain
    No Exchange PowerShell required when this is used.

    .\Show-AntiSpoof -DomainName contoso.com -Selector Selector1
    Will check whether the specified domain has the DKIM selector specified by the -Selector parameter.

    .\Show-AntiSpoof -DomainBatchfile domains.csv
    Will check all domains in CSV file with header "DomainName"

#>

# Add support for default parameters
[CmdletBinding()]

# Add parameters
Param(
    [switch]$TranscriptOn,
    [String]$DNSServer,
    [String]$DomainName,
    [String]$Selector,
    [String]$DomainBatchFile
)

# Initialize constants
$DNSServerDefault = "1.1.1.1"

If ($DNSServer -ne ""){
    Try {
        $temp = Resolve-DnsName -Server $DNSServer -Type A -Name "www.internet.nl" -ErrorAction Stop
        Write-Output "Using IP $DNSServer as DNS server"
    } Catch {
        $DefaultColor = $host.ui.RawUI.ForegroundColor
        $host.ui.RawUI.ForegroundColor = "Red"
        $ErrorMessage = $_.Exception.Message
        Write-Output "Error with DNS server, using default."
        $host.ui.RawUI.ForegroundColor = $DefaultColor
        $DNSServer = $DNSServerDefault
    }
} else {
    Write-Output "Using default DNS $DNSServerDefault"
    $DNSServer = $DNSServerDefault
}

# Start Transcript if requested
If ($TranscriptOn -eq $true) {
    # Defining logtime variable to be used in logging/default output folder
    # HH is the 24-hour clock, so morning and afternoon runs get distinct file names
    $LogTime = Get-Date -Format "yyyyMMdd_HHmm_ss"

    # Initialize logging
    $TranscriptFile = "AntiSpoof_"+$LogTime+".txt"
    Start-Transcript -Path $TranscriptFile
}

# Overriding Exchange Accepted Domains
# If $DomainName and $DomainBatchFile are empty, use AcceptedDomains
If (($DomainName -eq "") -and ($DomainBatchFile -eq "")){
    $DomainOption = 1
    $AcceptedDomains = Get-AcceptedDomain
# If $DomainName is not empty and $DomainBatchFile is empty, check single domain
} ElseIf (($DomainName -ne "") -and ($DomainBatchFile -eq "")) {
    $DomainOption = 2
    $AcceptedDomains = $DomainName
# If $DomainBatchFile is not empty, check every domain listed in the CSV file
} ElseIf ($DomainBatchFile -ne "") {
    $DomainOption = 3
    $AcceptedDomains = Import-Csv $DomainBatchFile
}

Function Get-MX {
    Param($CheckDomain)

    # Check MX record
    Try {
        $MXAnswer = Resolve-DnsName -Server $DNSServer -Type MX -Name $CheckDomain -DnsOnly -ErrorAction Stop
        # Keep only the MX records; the answer can also carry other record types (for example SOA)
        $MXRecords = @($MXAnswer | Where-Object { $null -ne $_.NameExchange })
        $MXNumber = $MXRecords.Count
        $MXCounter = 1

        $DefaultColor = $host.ui.RawUI.ForegroundColor
        $host.ui.RawUI.ForegroundColor = "Magenta"
        Write-Output "Number of MX Records: $MXNumber"
        $host.ui.RawUI.ForegroundColor = $DefaultColor

        ForEach ($MXRecord in $MXRecords) {
            $MXNameExchange = $MXRecord.NameExchange
            $MXPreference = $MXRecord.Preference
            $MXTTL = $MXRecord.TTL

            $DefaultColor = $host.ui.RawUI.ForegroundColor
            $host.ui.RawUI.ForegroundColor = "Magenta"
            Write-Output "MX$MXCounter targets $MXNameExchange with preference $MXPreference and TTL $MXTTL"
            $host.ui.RawUI.ForegroundColor = $DefaultColor
            $MXCounter++
        }
    } Catch {
        $ErrorMessage = "MX: "+$_.Exception.Message
        Show-ErrorMessage $ErrorMessage
    }
}

Function Get-SPF {
    Param($CheckDomain)

    # Check SPF record
    Try {
        $TXTRecords = Resolve-DnsName -Server $DNSServer -Type TXT -Name $CheckDomain -DnsOnly -ErrorAction Stop
        $SPFFound = $false

        ForEach ($TXTRecord in $TXTRecords) {
            # A TXT record can be split over several strings, so join them before matching.
            # Records of other types in the answer have no Strings and join to an empty string.
            $TXTString = -join $TXTRecord.Strings

            If ($TXTString -match '^v=spf1( |$)') {
                $SPFFound = $true
                $DefaultColor = $host.ui.RawUI.ForegroundColor
                $host.ui.RawUI.ForegroundColor = "Cyan"
                Write-Output "SPF: $TXTString"
                $host.ui.RawUI.ForegroundColor = $DefaultColor
            }
        }

        # Report a missing SPF record once, after all TXT records have been checked
        If (-not $SPFFound) {
            $DefaultColor = $host.ui.RawUI.ForegroundColor
            $host.ui.RawUI.ForegroundColor = "Red"
            Write-Output "$CheckDomain has no SPF record"
            $host.ui.RawUI.ForegroundColor = $DefaultColor
        }
    } Catch {
        $ErrorMessage = "SPF: "+$_.Exception.Message
        Show-ErrorMessage $ErrorMessage
    }
}

Function Get-DMARC {
    Param($CheckDomain)

    # Check DMARC record
    Try {
        $DMARCDomain = "_dmarc."+$CheckDomain
        $DMARCRecord = Resolve-DnsName -Server $DNSServer -Type TXT -Name $DMARCDomain -DnsOnly -ErrorAction Stop
        $DMARCString = $DMARCRecord.Strings

        $DefaultColor = $host.ui.RawUI.ForegroundColor
        $host.ui.RawUI.ForegroundColor = "Green"
        Write-Output "DMARC: $DMARCString"
        $host.ui.RawUI.ForegroundColor = $DefaultColor
    } Catch {
        $ErrorMessage = "DMARC: "+$_.Exception.Message
        Show-ErrorMessage $ErrorMessage
    }
}

Function Get-DKIM {
    Param($CheckDomain)

    # Check DKIM record
    Try {
        $DKIMDomain = "_domainkey."+$CheckDomain
        $DKIMResult = Resolve-DnsName -Server $DNSServer -Name $DKIMDomain -DnsOnly -ErrorAction Stop

        $DefaultColor = $host.ui.RawUI.ForegroundColor
        $host.ui.RawUI.ForegroundColor = "Yellow"
        Write-Output "$DKIMDomain exists and may contain DKIM selectors"
        $host.ui.RawUI.ForegroundColor = $DefaultColor

    } Catch {
        $ErrorMessage = "DKIM Record: "+ $_.Exception.Message
        Show-ErrorMessage $ErrorMessage
    }

}

Function Get-KnownDKIMSelectors {
    Param($CheckDomain)

    # Check-KnownDKIMSelectors
    Try {
        $DKIMDomainSelector = "selector1._domainkey."+$CheckDomain
        $Temp = Resolve-DnsName -Server $DNSServer -Name $DKIMDomainSelector -DnsOnly -ErrorAction Stop

        $DefaultColor = $host.ui.RawUI.ForegroundColor
        $host.ui.RawUI.ForegroundColor = "Yellow"
        Write-Output " Office 365 $DKIMDomainSelector exists"
        $host.ui.RawUI.ForegroundColor = $DefaultColor
    } Catch {
        Write-Output " No Office 365 Selector1 present"
    }
    Try {
        $DKIMDomainSelector = "selector2._domainkey."+$CheckDomain
        $Temp = Resolve-DnsName -Server $DNSServer -Name $DKIMDomainSelector -DnsOnly -ErrorAction Stop

        $DefaultColor = $host.ui.RawUI.ForegroundColor
        $host.ui.RawUI.ForegroundColor = "Yellow"
        Write-Output " Office 365 $DKIMDomainSelector exists"
        $host.ui.RawUI.ForegroundColor = $DefaultColor
    } Catch {
        Write-Output " No Office 365 Selector2 present"
    }

    Try {
        $DKIMDomainSelector = "k1._domainkey."+$CheckDomain
        $Temp = Resolve-DnsName -Server $DNSServer -Name $DKIMDomainSelector -DnsOnly -ErrorAction Stop

        $DefaultColor = $host.ui.RawUI.ForegroundColor
        $host.ui.RawUI.ForegroundColor = "Yellow"
        Write-Output " Mailchimp $DKIMDomainSelector exists"
        $host.ui.RawUI.ForegroundColor = $DefaultColor
    } Catch {
        Write-Output " No Mailchimp K1 selector present"
    }
    If ($Selector -ne ""){
        Try {
            $DKIMDomainSelector = $Selector+"._domainkey."+$CheckDomain
            $Temp = Resolve-DnsName -Server $DNSServer -Name $DKIMDomainSelector -DnsOnly -ErrorAction Stop

            $DefaultColor = $host.ui.RawUI.ForegroundColor
            $host.ui.RawUI.ForegroundColor = "Yellow"
            Write-Output " Custom selector $DKIMDomainSelector exists"
            $host.ui.RawUI.ForegroundColor = $DefaultColor
        } Catch {
            Write-Output " No custom selector $DKIMDomainSelector present"
        }
    }
}

Function Get-MtaSts {
    Param($CheckDomain)

    # Check-MTA-STS
    Try {
        $MTASTSDomain = "_mta-sts."+$CheckDomain
        $MTASTSRecord = Resolve-DnsName -Server $DNSServer -Type TXT -Name $MTASTSDomain -DnsOnly -ErrorAction Stop
        $MTASTSString = $MTASTSRecord.Strings

        $DefaultColor = $host.ui.RawUI.ForegroundColor
        $host.ui.RawUI.ForegroundColor = "Green"
        Write-Output "MTA-STS: $MTASTSString"
        $host.ui.RawUI.ForegroundColor = $DefaultColor
    } Catch {
        $ErrorMessage = "MTA-STS Record: "+$_.Exception.Message
        Show-ErrorMessage $ErrorMessage
    }

    # Get mta-sts.txt if it exists
    If ($null -ne $MTASTSRecord){
        $MTASTSDomainFileURL = "https://mta-sts."+$CheckDomain+"/.well-known/mta-sts.txt"

        Try {
            $MTASTSDomainFile = Invoke-WebRequest -UseBasicParsing -Uri $MTASTSDomainFileURL
            $MTASTSPolicy = $MTASTSDomainFile.Content

            $DefaultColor = $host.ui.RawUI.ForegroundColor
            $host.ui.RawUI.ForegroundColor = "Green"
            Write-Output "MTA-STS Policy: "
            $host.ui.RawUI.ForegroundColor = "Cyan"
            Write-Output $MTASTSPolicy
            $host.ui.RawUI.ForegroundColor = $DefaultColor
        } Catch {
            $ErrorMessage = "MTA-STS Policy: "+$_.Exception.Message
            Show-ErrorMessage $ErrorMessage
        }

    }
}


Function Show-ErrorMessage {
    Param($ErrorMessage)

    # Print the message in red, then restore the console colour
    $DefaultColor = $host.ui.RawUI.ForegroundColor
    $host.ui.RawUI.ForegroundColor = "Red"
    Write-Output $ErrorMessage
    $host.ui.RawUI.ForegroundColor = $DefaultColor

}
Function Get-TlsRpt {
    Param($CheckDomain)

    # Check TLS-RPT
    Try {
        $TLSRPTDomain = "_smtp._tls."+$CheckDomain
        $TLSRPTRecord = Resolve-DnsName -Server $DNSServer -Type TXT -Name $TLSRPTDomain -DnsOnly -ErrorAction Stop
        $TLSRPTString = $TLSRPTRecord.Strings

        $DefaultColor = $host.ui.RawUI.ForegroundColor
        $host.ui.RawUI.ForegroundColor = "Green"
        Write-Output "TLS-RPT: $TLSRPTString"
        $host.ui.RawUI.ForegroundColor = $DefaultColor
    } Catch {
        $ErrorMessage = "TLS-RPT: "+$_.Exception.Message
        Show-ErrorMessage $ErrorMessage
    }
}

Function Get-BIMI {
    Param($CheckDomain)

    # Check BIMI record
    Try {
        $BIMIDomain = "default._bimi."+$CheckDomain
        $BIMIRecord = Resolve-DnsName -Server $DNSServer -Type TXT -Name $BIMIDomain -DnsOnly -ErrorAction Stop
        $BIMIString = $BIMIRecord.Strings
        $DefaultColor = $host.ui.RawUI.ForegroundColor
        $host.ui.RawUI.ForegroundColor = "Blue"
        Write-Output "BIMI: $BIMIString"
        $host.ui.RawUI.ForegroundColor = $DefaultColor
    } Catch {
        $ErrorMessage = "BIMI: "+$_.Exception.Message
        Show-ErrorMessage $ErrorMessage
    }
}

ForEach ($AcceptedDomain in $AcceptedDomains) {

    # DomainOption 2 is the only single domain from cmdline, which has no header. So this is a workaround.
    If ($DomainOption -ne 2){
        $AcceptedDomain = $AcceptedDomain.DomainName
    }

    Write-Output ""
    Write-Output "==============="
    Write-Output "Checking domain $AcceptedDomain"
    Write-Output "==============="
    Get-MX -CheckDomain $AcceptedDomain
    Get-SPF -CheckDomain $AcceptedDomain
    Get-DMARC -CheckDomain $AcceptedDomain
    Get-DKIM -CheckDomain $AcceptedDomain
    Get-KnownDKIMSelectors -CheckDomain $AcceptedDomain
    Get-MtaSts -CheckDomain $AcceptedDomain
    Get-TlsRpt -CheckDomain $AcceptedDomain
    Get-BIMI -CheckDomain $AcceptedDomain
}


# End Transcript
If ($TranscriptOn -eq $True) {
    Stop-Transcript
}

--------------------------------------------------------------------------------
/dkimlist.txt:
--------------------------------------------------------------------------------
selectorname, owner
selector1, Microsoft Exchange Online
selector2, Microsoft Exchange Online
k1, MailChimp


--------------------------------------------------------------------------------
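
Show-AntiSpoof.ps1 prints the raw SPF and DMARC TXT strings and leaves their interpretation to the reader. The following is an added example, not part of the repository, that turns such strings into findings. The function names `Test-SpfRecord` and `Test-DmarcRecord` and the sample records are constructed for illustration, and it needs PowerShell v3.0 or later, like the script.

```powershell
# Added example, not part of Show-AntiSpoof.ps1. Function names and sample records are constructed.

function Test-SpfRecord {
    param([Parameter(Mandatory)][string]$Record)

    $findings = @()
    $terms = @($Record.Trim() -split '\s+' | Select-Object -Skip 1)   # drop the "v=spf1" term

    # Terms that cost a DNS lookup. RFC 7208 allows 10 per evaluation; lookups inside
    # included records count too, so this top-level count is only a lower bound.
    $lookupPattern = '^[+\-~?]?(include|a|mx|ptr|exists)([:/]|$)|^redirect='
    $lookups = @($terms | Where-Object { $_ -match $lookupPattern }).Count
    if ($lookups -gt 10) { $findings += "SPF: $lookups lookup terms, above the limit of 10 (permerror)" }

    $all = $terms | Where-Object { $_ -match '^[+\-~?]?all$' } | Select-Object -Last 1
    $hasRedirect = [bool]($terms -match '^redirect=')
    if (-not $all -and -not $hasRedirect) {
        $findings += "SPF: no 'all' term, unlisted senders get a neutral result"
    } elseif ($all -in '+all', 'all') {
        $findings += "SPF: '$all' authorises every sender"
    } elseif ($all -eq '?all') {
        $findings += "SPF: '?all' gives unlisted senders a neutral result"
    }
    $findings
}

function Test-DmarcRecord {
    param([Parameter(Mandatory)][string]$Record)

    # Parse "tag=value; tag=value" into a hashtable keyed by lower-case tag name
    $tags = @{}
    foreach ($pair in ($Record -split ';')) {
        $name, $value = $pair -split '=', 2
        if ($value) { $tags[$name.Trim().ToLower()] = $value.Trim() }
    }
    if ($tags['v'] -ne 'DMARC1' -or -not $tags['p']) {
        return "DMARC: not a valid record (v=DMARC1 and p= are required)"
    }

    $findings = @()
    if ($tags['p'] -eq 'none') {
        $findings += "DMARC: p=none only monitors, failing mail is still delivered"
    }
    if ($tags['sp'] -eq 'none' -and $tags['p'] -ne 'none') {
        $findings += "DMARC: sp=none leaves subdomains without enforcement"
    }
    if ($tags['pct'] -and [int]$tags['pct'] -lt 100) {
        $findings += "DMARC: pct=$($tags['pct']) applies the policy to only part of failing mail"
    }
    if (-not $tags['rua']) {
        $findings += "DMARC: no rua address, so no aggregate reports are received"
    }
    $findings
}

# Constructed sample records (example domains, not taken from the page)
$samples = @(
    [pscustomobject]@{
        Domain = 'enforced.example'
        SPF    = 'v=spf1 include:_spf.enforced.example ip4:192.0.2.10 -all'
        DMARC  = 'v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example'
    }
    [pscustomobject]@{
        Domain = 'weak.example'
        SPF    = 'v=spf1 a mx include:mail.weak.example ?all'
        DMARC  = 'v=DMARC1; p=none; pct=50'
    }
)

foreach ($s in $samples) {
    $findings = @(Test-SpfRecord $s.SPF) + @(Test-DmarcRecord $s.DMARC)
    Write-Output "== $($s.Domain): $($findings.Count) finding(s)"
    $findings | ForEach-Object { Write-Output "   $_" }
}
```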