SPF records can contain Include= and Redirect= tags that refer to other DNS names & records. Would be nice to resolve those as well. There is a danger for endless recursion though when SPF records refers to itself in the end.

Issues such as DNS availability/checks: if internal how can you check for external DNS records? Split DNS thing. Does a technical check work, or is this a readme thing?

Hi - I downloaded the script this AM (by copy and paste from the RAW page). Got an error w/ just the DNS name. Deets below (can I say deets these days, is that what the kewel kidz are doing...?)

This worked - meaning I got results.
PS C:\PowerShell> .\getantispoof.ps1 something.com -DNSserver 208.67.222.222

In my case, I have VMware Pro installed, and 3 NIC's, so maybe this is a matter of how the code pulls the DNS servers for the "Ethernet" adapter... These lines work to get me my "default DNS servers".

$dneservers = Get-DnsClientServerAddress -InterfaceAlias "Ethernet" -AddressFamily IPv4

$dneservers | ForEach-Object {$_.ServerAddresses }
208.67.222.222
208.67.220.220

When I try " PS C:\PowerShell> .\getantispoof.ps1 something.com "
This did not - meaning I got the errors below - I used a real domain like ibm.com.

Error with DNS server, using default. internet.nl : This operation returned because the timeout period expired
Get-AcceptedDomain : The term 'Get-AcceptedDomain' is not recognized as the name of a cmdlet, function, script file,
or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and
try again.
At C:\PowerShell\getantispoof.ps1:131 char:24

• $AcceptedDomains = Get-AcceptedDomain
  

•                    ~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : ObjectNotFound: (Get-AcceptedDomain:String) [], CommandNotFoundException
  • FullyQualifiedErrorId : CommandNotFoundException

https://techcommunity.microsoft.com/t5/exchange-team-blog/introducing-mta-sts-for-exchange-online/ba-p/3106386

Check two DNS records:
MTA-STS support declaration
MTA-STS Report record

Check policy file:
HTTPS URL on mail domain: mta-sts..
Check certificate on validity

Might have to check usage of name and identity, could differ resulting in mismatching in domains.
Also; working for on-prem and online?

https://techcommunity.microsoft.com/t5/exchange-team-blog/releasing-outbound-smtp-dane-with-dnssec/ba-p/3100920

Now the findings are outputed to screen, would be nice to have a report file. Especially handy if you have multiple domains.

Checking multiple domains from CSV file. Alternative to the Get-AcceptedDomain approach. Independent of being logged into an Exchange environment.

Export report would complement this greatly (so that has priority over this, I guess)

Make it explicit when no SPF record has been found. Is sometimes seen on non-primary domains.

Perhaps add online check of a file with all known DKIM selectors from SaaS services like Mailchimp.

Currently the script uses Windows PowerShell and is heavily reliant on Resolve-DnsName. That latter cmdlet is not natively present on PowerShell Core, while there is https://github.com/rmbolger/DnsClient-PS?tab=readme-ov-file

Have to read into ARC further if it would make sense to check for it. (which DNS records? etc.).

Would be nice addition to add support for BIMI DNS records. https://bimigroup.org/implementation-guide/

Currently doing a lot of the same code per mail protocol, should be a function.

Some domains let every FQDN resolve to their website or an IP, which is understandable. However, the script makes assumptions that when there is a response to for instance _mta-sts.domain.tld that it probably has a value.
Currently it just shows the response which is $null (or ""). More explicit notification is probably better.

DNS server check does not work optimally, also default usage of 8.8.8.8 is a thing