Skip to content

Test Cases

tparrott-cse edited this page Jan 13, 2020 · 1 revision

Test cases

Uses 'domain.test' DNS zone for test cases and for verifying potential RFC violations and tailored advice/guidance tests execute correctly.

Format: tX.sY.records.domain.test -- Test X, Phase Y

Stage 1 - Assess - s1.records.domain.test

Record name Value Purpose of test Guidance
t1.s1.records.domain.test invalid Missing SPF TBD
selector1._domainkey.t1.s1.records.domain.test invalid Missing DKIM TBD
_dmarc.t1.s1.records.domain.test invalid Missing DMARC TBD

Stage 2 - Deploy - s2.records.domain.test

Record name Value Purpose of test Guidance
t1.s2.records.domain.test v=spf1 mx ~all Soft-fail Add legitimate mail sources to SPF
selector1.t1.s2.records.domain.test not-defined Missing DKIM Add DKIM selector
_dmarc.t1.s2.records.domain.test v=DMARC1; p=none; rua=mailto:[email protected] Monitor, 1st party RUA, No RUF/SP/PCT Document SPF/DKIM sources. Consider Quarantine 25% when all sources of legitimate mailflow is Fully Compliant

Stage 3 - Enforce - s3.records.domain.test

Notes

  • Same DKIM key defined for every test. DKIM keys are all one-line but displayed across multiple lines for improved display
Record name Value Purpose of test Guidance
selector1._domainkey.t#.s2.records.domain.test v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCYBExmcB+1SpQ+lQYtPXQiYeyT gjyEooD4NgGapxcMXcQens15Dr4yJvm0VfB7f0ckZ0zqJ7FWTo9uauTTjXt581s M07O5G28Ih28Elwsqnf3V9orZAL9QMbkZ2GrswdhmCbR9d7WHF1y0LlFIZkuhQwH PmEDrrC0xWuy2es/vwIDAQAB 1024-bit RSA Upgrade DKIM key to 2048-bit RSA
_dmarc.t1.s3.records.domain.test v=DMARC1; p=quarantine; pct=25; rua=mailto:[email protected] Quarantine 25%, 1st party RUA, No RUF/SP/PCT Go to Quarantine 50%
_dmarc.t2.s3.records.domain.test v=DMARC1; p=quarantine; pct=50; rua=mailto:[email protected] Quarantine 50%, 1st party RUA, No RUF/SP/PCT Go to Quarantine 75%
_dmarc.t3.s3.records.domain.test v=DMARC1; p=quarantine; pct=75; rua=mailto:[email protected] Quarantine 75%, 1st party RUA, No RUF/SP/PCT Go to Quarantine 100%
_dmarc.t4.s3.records.domain.test v=DMARC1; p=quarantine; rua=mailto:[email protected] Quarantine 100%, 1st party RUA, No RUF/SP/PCT Go to Reject 25%
_dmarc.t5.s3.records.domain.test v=DMARC1; p=reject; pct=25; rua=mailto:[email protected] Reject 25%, 1st party RUA, No RUF/SP/PCT Go to Reject 50%
_dmarc.t6.s3.records.domain.test v=DMARC1; p=reject; pct=50; rua=mailto:[email protected] Reject 50%, 1st party RUA, No RUF/SP/PCT Go to Reject 75%
_dmarc.t7.s3.records.domain.test v=DMARC1; p=reject; pct=75; rua=mailto:[email protected] Reject 75%, 1st party RUA, No RUF/SP/PCT Go to Reject 100%/Progress to Stage 4

Stage 4 - Maintain - s4.records.domain.test

Record name Value Purpose of test Guidance
t1.s4.records.domain.test v=spf1 mx -all Hard-fail, no includes TBD
selector1._domainkey.t1.s4.domain.test v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxti98dyyS0JDQ8aKmX/0K2vaOeSpOAhD72Xokk3ZFu+ySkN8JPKbDrQQqu87n9m2XCh5nNGlDmYyEVlTVUTMu/BvbMQQu+/Rk3n+s79c60+avNiVK1JFVst/xpXfB+5gvn4qywG+emIH9XfaEwjuH3lxDVZArtjf0TMSwmnl1OxpH2KGuQP6PWlhj1BLC3/xLGVp/up7p1XzbBzLzLd6tNAEUU0304hBGK5mNYPg2ENmHHaWyOzx94px73MvD4z7FZ3E7wvotrd6pMnWUKIkoQLoVHSXvfmLUb7KerEJ2f83qQVuhTzVzJzCJAmOPAeZFjG05pmOTaKn+8CeZOXR8QIDAQAB 2048-bit RSA TBD
_dmarc.t1.s4.records.domain.test v=DMARC1; p=reject; rua=mailto:[email protected] Reject, 1st party RUA, No RUF/SP/PCT TBD

RFC checks

Uses '.domain.test' DNS subdomains for verifying potential RFC violations and tailored advice/guidance tests execute correctly.

Format: tX.proto.domain.test -- Test X, Protocol proto

SPF - RFC????

Record name Value Purpose of test Guidance
t1.spf.domain.test does not exist, TXT lookup should return null Missing SPF TBD
t2.spf.domain.test invalid SPF entries exist, but no SPF Add SPF
t3.spf.domain.test v=spf1mx~all Missing spaces TBD
t4.spf.domain.test v=spf1 include:_spf.google.com include:spf.protection.outlook.com include:servers.mcsv.net include:sendgrid.net include:salesforce.com ~all 10+ domain lookup Split SPF string or flatten
t5.spf.domain.test v=spf1 mx ˗all Extended-ASCII minus Use correct minus character
t6.spf.domain.test s=spf1 mx ~all Missing SPF version string TBD
t7.spf.domain.test v=spf1 mx ______ Missing default -- underlines not actually included Add default (suggested ~all)
t8.spf.domain.test v=spf1 mx all Default allow Use default (suggested ~all)
t9.spf.domain.test v=spf1 mx ?all Default neutral Use default (suggested ~all)
t10.spf.domain.test v=spf1 mx ~all Default soft-fail Migrate to hard-fail (-all) when all mail sources added
t11.spf.domain.test v=spf1 $mx ~all Invalid modifier ($) Only use RFC compliant modifiers
t12.spf.domain.test v=spf1 mx qqq ~all Invalid qualifier qqq Only use RFC compliant qualifiers

DKIM - RFC????

Record name Value Purpose of test Guidance
selector1._domainkey.t1.dkim.domain.test v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCYBExmcB+1SpQ+lQYtPXQiYeyT gjyEooD4NgGapxcMXcQens15Dr4yJvm0VfB7f0ckZ0zqJ7FWTo9uauTTjXt581s M07O5G28Ih28Elwsqnf3V9orZAL9QMbkZ2GrswdhmCbR9d7WHF1y0LlFIZkuhQwH PmEDrrC0xWuy2es/vwIDAQAB 1024-bit RSA Upgrade DKIM key to 2048-bit RSA
selector1._domainkey.t2.dkim.domain.test v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxti98dyyS0JDQ8aKmX/0K2vaOeSpOAhD72Xokk3ZFu+ySkN8JPKbDrQQqu87n9m2XCh5nNGlDmYyEVlTVUTMu/BvbMQQu+/Rk3n+s79c60+avNiVK1JFVst/xpXfB+5gvn4qywG+emIH9XfaEwjuH3lxDVZArtjf0TMSwmnl1OxpH2KGuQP6PWlhj1BLC3/xLGVp/up7p1XzbBzLzLd6tNAEUU0304hBGK5mNYPg2ENmHHaWyOzx94px73MvD4z7FZ3E7wvotrd6pMnWUKIkoQLoVHSXvfmLUb7KerEJ2f83qQVuhTzVzJzCJAmOPAeZFjG05pmOTaKn+8CeZOXR8QIDAQAB 2048-bit RSA TBD
selector1._domainkey.t3.dkim.domain.test v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxti98dyyS0JDQ8aKmX/0K2vaOeSpOAhD72Xokk3ZFu+ySkN8JPKbDrQQqu87n9m2XCh5nNGlDmYyEVlTVUTMu/BvbMQQu+/Rk3n+s79c60+avNiVK1JFVst/xpXfB+5gvn4qywG+emIH9XfaEwlxDVZArtjf0TMSwmnl1OxpH2KGuQP6PWlhj1BLC3/xLGVp/up7p1XzbBzLzLd6tNAEUU0304hBGK5mNYPg2ENmHHaWyOzx94px73MvD4z7FZ3E7wvotrd6pMnWUKIkoQLoVHSXvfmLUb7KerEJ2f83qQVuhTzVzJzCJAmOPAeZFjG05pmOTaKn+8CeZOXR8QQAB Invalid public key TBD
selector1._domainkey.t4.dkim.domain.test v=DKIM1; k=rsa; p=??? 768-bit RSA TBD
selector1._domainkey.t5.dkim.domain.test v=DKIM1; k=rsa; t=y; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxti98dyyS0JDQ8aKmX/0K2vaOeSpOAhD72Xokk3ZFu+ySkN8JPKbDrQQqu87n9m2XCh5nNGlDmYyEVlTVUTMu/BvbMQQu+/Rk3n+s79c60+avNiVK1JFVst/xpXfB+5gvn4qywG+emIH9XfaEwjuH3lxDVZArtjf0TMSwmnl1OxpH2KGuQP6PWlhj1BLC3/xLGVp/up7p1XzbBzLzLd6tNAEUU0304hBGK5mNYPg2ENmHHaWyOzx94px73MvD4z7FZ3E7wvotrd6pMnWUKIkoQLoVHSXvfmLUb7KerEJ2f83qQVuhTzVzJzCJAmOPAeZFjG05pmOTaKn+8CeZOXR8QIDAQAB Contains testing tag TBD
selector1._domainkey.t6.dkim.domain.test v=DKIM1; k=rsa; a=invalid; h=invalid; t=invalid; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxti98dyyS0JDQ8aKmX/0K2vaOeSpOAhD72Xokk3ZFu+ySkN8JPKbDrQQqu87n9m2XCh5nNGlDmYyEVlTVUTMu/BvbMQQu+/Rk3n+s79c60+avNiVK1JFVst/xpXfB+5gvn4qywG+emIH9XfaEwjuH3lxDVZArtjf0TMSwmnl1OxpH2KGuQP6PWlhj1BLC3/xLGVp/up7p1XzbBzLzLd6tNAEUU0304hBGK5mNYPg2ENmHHaWyOzx94px73MvD4z7FZ3E7wvotrd6pMnWUKIkoQLoVHSXvfmLUb7KerEJ2f83qQVuhTzVzJzCJAmOPAeZFjG05pmOTaKn+8CeZOXR8QIDAQAB Invalid values TBD
selector1._domainkey.t7.dkim.domain.test v=DKIM1; k=rsa; invalid=y; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxti98dyyS0JDQ8aKmX/0K2vaOeSpOAhD72Xokk3ZFu+ySkN8JPKbDrQQqu87n9m2XCh5nNGlDmYyEVlTVUTMu/BvbMQQu+/Rk3n+s79c60+avNiVK1JFVst/xpXfB+5gvn4qywG+emIH9XfaEwjuH3lxDVZArtjf0TMSwmnl1OxpH2KGuQP6PWlhj1BLC3/xLGVp/up7p1XzbBzLzLd6tNAEUU0304hBGK5mNYPg2ENmHHaWyOzx94px73MvD4z7FZ3E7wvotrd6pMnWUKIkoQLoVHSXvfmLUb7KerEJ2f83qQVuhTzVzJzCJAmOPAeZFjG05pmOTaKn+8CeZOXR8QIDAQAB Invalid tag TBD

DKIM ECC - RFC

DMARC - RFC????

Each DMARC entry is meant for tX.dmarc.domain.test so they will be added in the expected _dmarc location.

Record name Value Purpose of test Guidance
_dmarc.t1.dmarc.domain.test does not exist, TXT lookup should return NXDOMAIN Missing DMARC Add initial DMARC
_dmarc.t2.dmarc.domain.test invalid Other entries exist, but no DMARC Add initial DMARC
_dmarc.t3.dmarc.domain.test v=DMARC1; p=other; rua=mailto:[email protected] Invalid policy TBD
_dmarc.t4.dmarc.domain.test v=DMARC1; p=none; rua=[email protected] Missing mailto: in RUA Add initial DMARC
_dmarc.t5.dmarc.domain.test v=DMARC1; p=none; ruf=[email protected] Missing mailto: in RUF TBD
_dmarc.t6.dmarc.domain.test v=DMARC1; p=none; sp=other; rua=mailto:[email protected] Invalid subdomain policy TBD
_dmarc.t7.dmarc.domain.test v=DMARC1; p=none; pct=other; rua=mailto:[email protected] Invalid pct TBD
_dmarc.t8.dmarc.domain.test v=DMARC1; p=none; pct=-3; rua=mailto:[email protected] Invalid pct TBD
_dmarc.t9.dmarc.domain.test v=DMARC1; p=none; pct=4.5; rua=mailto:[email protected] Invalid pct TBD
_dmarc.t10.dmarc.domain.test v=DMARC1; p=none; pct=1000; rua=mailto:[email protected] Invalid pct TBD
_dmarc.t11.dmarc.domain.test v=DMARC1; p=none; rua=mailto:[email protected] Legal record but missing third-party verification lookup TBD
_dmarc.sub.t12.dmarc.domain.test does not exist, TXT lookup should return NXDOMAIN Lookup for 'sub.t12.dmarc.domain.test' which does not exist but it should find the organizational t12 record TBD
_dmarc.t12.dmarc.domain.test v=DMARC1; p=none; rua=mailto:[email protected] Lookup for 'sub.t12.dmarc.domain.test' which does not exist but it should find the organizational t12 record TBD
_dmarc.cname.t13.dmarc.domain.test CNAME to _dmarc.txt.t13.dmarc.domain.test Should follow CNAME to TXT TBD
_dmarc.txt.t13.dmarc.domain.test v=DMARC1; p=none; rua=mailto:[email protected] Should follow CNAME to TXT TBD
_dmarc.txt.t14.dmarc.domain.test v=DMARC1; p=none; pct=0; rua=mailto:[email protected] pct=0 invalid TBD
_dmarc.txt.t15.dmarc.domain.test v=DMARC1; p=none; pct=50; rua=mailto:[email protected] p=none should use pct100 or not include tag TBD