What You'll Learn
- Query SPF, DKIM, and DMARC DNS records using MXToolbox lookup tools
- Interpret SPF mechanisms (include, ip4, -all, ~all) and understand their security implications
- Validate DKIM public key records and understand the signing/verification process
- Analyze DMARC policies (p=none, p=quarantine, p=reject) and alignment requirements
- Evaluate real-world email authentication scenarios to determine pass/fail outcomes
Lab Overview
| Detail | Value |
|---|---|
| Lab Type | Browser-Only |
| Tools Required | MXToolbox, Browser |
| Estimated Time | 40–50 minutes |
| Difficulty | Beginner |
| Pre-Requisites | Lab PH.1 — Email Header Dissection |
| Deliverable | Authentication record analysis for 3 domains + 5 scenario evaluations |
Beyond the Header Results. In Lab PH.1, you read SPF/DKIM/DMARC results from email headers. Now you're going to the source — querying the DNS records themselves. Understanding what these records say (and what's missing) lets you predict authentication outcomes before you even see an email, and identify domains that are vulnerable to spoofing.
The Scenario
Your organization's security team is updating its email security posture. Before recommending changes, you've been asked to audit the email authentication records of three domains: your own company domain, a trusted vendor, and a domain that recently appeared in a phishing campaign. By comparing the three, you'll understand the spectrum from well-protected to dangerously exposed.
Part 1: SPF Record Deep-Dive
SPF (Sender Policy Framework) is a DNS TXT record that lists which IP addresses and mail servers are authorized to send email on behalf of a domain.
SPF Syntax Reference
| Mechanism | Meaning | Example |
|---|---|---|
ip4: | Authorize a specific IPv4 address or range | ip4:203.0.113.50 |
include: | Authorize another domain's SPF record | include:_spf.google.com |
a | Authorize the domain's A record IP | a |
mx | Authorize the domain's MX record IPs | mx |
-all | Hard fail — reject unauthorized senders | -all |
~all | Soft fail — mark but don't reject | ~all |
?all | Neutral — no policy assertion | ?all |
Exercise: Query Three SPF Records
Navigate to MXToolbox SPF Lookup and query each domain:
Domain 1: google.com
Record: v=spf1 include:_spf.google.com ~all
Document:
- How many
include:mechanisms are present? - What is the qualifier on the
allmechanism? - Follow the include chain — how many total IPs are authorized?
Domain 2: microsoft.com
Record: v=spf1 include:_spf-a.microsoft.com include:_spf-b.microsoft.com include:_spf-c.microsoft.com include:_spf-ssg-a.msft.net ip4:147.243.128.24 ip4:147.243.128.26 ip4:147.243.1.153 ip4:147.243.1.47 -all
Document:
- How many include mechanisms vs direct IP mechanisms?
- What does
-all(hard fail) mean compared to Google's~all(soft fail)? - Which domain has a stricter SPF policy?
Domain 3: example-phishing-domain.com (simulated)
For this exercise, imagine querying a domain that returns:
Record: v=spf1 +all
Document:
- What does
+allmean? - Why is this the most dangerous SPF record possible?
- Would any IP address on the internet pass SPF for this domain?
The +all Danger. An SPF record with +all means "every IP in the world is authorized to send email for this domain." This is either a misconfiguration or an intentionally disposable phishing domain. Either way, SPF provides zero protection. You'll see this in attacker-registered domains.
Part 2: DKIM Record Analysis
DKIM (DomainKeys Identified Mail) uses public-key cryptography. The sending server signs outgoing emails with a private key, and the public key is published in DNS for receivers to verify.
DKIM Record Structure
DKIM records are TXT records at [selector]._domainkey.[domain]. The selector is specified in the email's DKIM-Signature header.
Navigate to MXToolbox DKIM Lookup and query:
Domain: google.com, Selector: 20230601
Expected fields:
v=DKIM1
k=rsa
p=[base64-encoded public key]
Document:
- What key type does Google use? (RSA, Ed25519, etc.)
- Is the key length 1024-bit or 2048-bit? (Longer keys are more secure)
- What happens if you query a wrong selector (e.g., "test123")?
What Happens Without DKIM
If a domain has no DKIM record:
- Emails from that domain cannot be cryptographically verified
- Any server can claim to be sending on behalf of the domain
- DMARC alignment on DKIM will always fail
- The receiving server can only rely on SPF and IP reputation
Part 3: DMARC Policy Analysis
DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties SPF and DKIM together with a policy that tells receivers what to do with failing messages.
DMARC Tag Reference
| Tag | Meaning | Example |
|---|---|---|
v= | Version (always DMARC1) | v=DMARC1 |
p= | Policy for the domain | p=reject |
sp= | Policy for subdomains | sp=quarantine |
rua= | Aggregate report recipient | rua=mailto:dmarc@company.com |
ruf= | Forensic report recipient | ruf=mailto:forensics@company.com |
pct= | Percentage of messages to apply policy to | pct=100 |
adkim= | DKIM alignment mode (strict/relaxed) | adkim=s |
aspf= | SPF alignment mode (strict/relaxed) | aspf=r |
Exercise: Query Three DMARC Records
Navigate to MXToolbox DMARC Lookup:
Domain 1: google.com
v=DMARC1; p=reject; sp=reject; rua=mailto:mailauth-reports@google.com
Domain 2: A domain with p=none
v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com
Domain 3: A domain with no DMARC record
No DMARC record found
For each, answer:
- What happens to a spoofed email that fails authentication?
- Is the domain collecting reports?
- Would an attacker choose to spoof this domain? Why or why not?
DMARC Progression Path. Organizations typically deploy DMARC in stages: p=none (monitor) → p=quarantine (spam folder) → p=reject (block). Moving to p=reject without first monitoring will break legitimate email flows. If you see p=none, the organization is either just starting DMARC deployment or has stalled in the monitor phase.
Part 4: Authentication Scenario Evaluation
For each scenario below, determine the SPF, DKIM, and DMARC result. Write PASS, FAIL, or NONE for each.
Scenario 1: Legitimate Marketing Email
- Sent from:
marketing@company.comvia SendGrid (include:sendgrid.netis in SPF) - DKIM signed with
company.comselector - DMARC policy:
p=quarantine
| Check | Result | Reasoning |
|---|---|---|
| SPF | _______ | _______ |
| DKIM | _______ | _______ |
| DMARC | _______ | _______ |
Scenario 2: Spoofed Email from Attacker Server
- From header:
ceo@company.com - Sent from IP:
185.220.101.42(not in SPF record) - No DKIM signature
- DMARC policy:
p=reject
| Check | Result | Reasoning |
|---|---|---|
| SPF | _______ | _______ |
| DKIM | _______ | _______ |
| DMARC | _______ | _______ |
| Delivery outcome: | _______ | _______ |
Scenario 3: Forwarded Legitimate Email
- Originally from:
partner@vendor.com(SPF includes their mail server) - Forwarded by:
employee@company.commail server (different IP, breaks SPF) - DKIM signature intact (signatures survive forwarding)
- DMARC policy:
p=quarantine; adkim=r
| Check | Result | Reasoning |
|---|---|---|
| SPF | _______ | _______ |
| DKIM | _______ | _______ |
| DMARC | _______ | _______ |
Scenario 4: Subdomain Spoofing
- From header:
support@billing.company.com company.comDMARC:p=reject; sp=none- No SPF or DKIM for
billing.company.com
| Check | Result | Reasoning |
|---|---|---|
| SPF | _______ | _______ |
| DKIM | _______ | _______ |
| DMARC | _______ | _______ |
| Delivery outcome: | _______ | _______ |
Scenario 5: Cousin Domain Attack
- From header:
finance@cornpany.com(note: "rn" looks like "m") - Legitimate SPF for
cornpany.com(v=spf1 +all) - DKIM signed for
cornpany.com - DMARC:
p=none
| Check | Result | Reasoning |
|---|---|---|
| SPF | _______ | _______ |
| DKIM | _______ | _______ |
| DMARC | _______ | _______ |
| Why is this dangerous? | _______ | _______ |
Part 5: Compile Your Findings
Create an authentication audit report:
EMAIL AUTHENTICATION AUDIT REPORT
═══════════════════════════════════
Analyst: [Your Name]
Date: [Today's Date]
DOMAIN AUDIT SUMMARY
─────────────────────
Domain SPF Policy DKIM DMARC Policy Risk Level
google.com ~all Yes p=reject LOW
microsoft.com -all Yes p=reject LOW
[phishing domain] +all No p=none CRITICAL
SCENARIO EVALUATION SUMMARY
────────────────────────────
Scenario 1: [PASS/FAIL] — [one-line explanation]
Scenario 2: [PASS/FAIL] — [one-line explanation]
Scenario 3: [PASS/FAIL] — [one-line explanation]
Scenario 4: [PASS/FAIL] — [one-line explanation]
Scenario 5: [PASS/FAIL] — [one-line explanation]
KEY RECOMMENDATIONS
───────────────────
1. [Your recommendation for your organization]
2. [Your recommendation for vendor assessment]
3. [Your recommendation for phishing defense]
Deliverable Checklist
Before completing the lab, ensure you have:
- SPF Records Queried — All 3 domains analyzed with mechanism breakdown
- DKIM Record Verified — Google's DKIM key found and key type documented
- DMARC Records Compared — 3 domains with policy implications documented
- 5 Scenarios Evaluated — SPF/DKIM/DMARC results for each with reasoning
- Audit Report Complete — Risk levels assigned and recommendations written
Key Takeaways
- SPF records define which IPs can send for a domain —
-all(hard fail) is more secure than~all(soft fail), and+allprovides zero protection - DKIM uses public-key cryptography to verify email integrity — without it, messages cannot be authenticated beyond IP checks
- DMARC ties SPF and DKIM together with an enforcement policy —
p=rejectis the gold standard - Subdomain policies (
sp=) are often overlooked, creating spoofing gaps even on well-protected domains - Cousin domain attacks bypass all authentication because the attacker controls a look-alike domain with valid records
What's Next
In Lab PH.3 — Classify the Phish, you'll apply your header analysis and authentication knowledge to classify five realistic email scenarios. You'll determine whether each is spam, phishing, spear phishing, BEC, or legitimate — building the classification skills that SOC analysts use daily in triage.
Lab Challenge: Email Authentication Check
10 questions · 70% to pass
What is the critical difference between '-all' and '~all' in an SPF record?
An SPF record contains 'v=spf1 +all'. What does this mean for email security?
You query a domain's DKIM record at selector._domainkey.example.com and get 'NXDOMAIN'. What does this mean?
A domain has DMARC policy 'p=reject; sp=none'. An attacker sends a spoofed email from billing.example.com (a subdomain). What happens?
In Scenario 3 (forwarded email), SPF fails but DKIM passes. What is the DMARC result?
Why is a 'cousin domain' attack (e.g., cornpany.com vs company.com) particularly dangerous even when all authentication is properly configured?
What does the 'pct' tag in a DMARC record control, and why would an organization set it to less than 100?
You discover that a vendor domain has SPF with '~all', no DKIM, and DMARC 'p=none'. What risk does this pose to your organization?
In Scenario 2, a spoofed email from an attacker hits a domain with DMARC p=reject. What is the expected delivery outcome?
Your audit reveals that your organization uses DMARC p=none with rua reports. What should you recommend as the next step?
0/10 answered