The Domain Security Scanner can be used to perform scans against domains for DKIM, DMARC, and SPF DNS records. You can also serve this functionality via an API, or a dedicated mailbox. A web application is also available if organizations would like to perform a single domain scan for DKIM, DMARC or SPF at https://dmarcguide.globalcyberalliance.org.
You can download pre-compiled binaries for macOS, Linux and Windows from the releases page.
Alternatively, you can run the binary from within our pre-built Docker image:
docker run ghcr.io/globalcyberalliance/domain-security-scanner:latest
To build this application, you'll need Go installed.
git clone https://github.com/globalcyberalliance/domain-security-scanner.git
cd domain-security-scanner
make
This will output a binary called dss
. You can then move it or use it by running ./bin/dss
(on Unix devices).
To scan a domain for a specific type of record (A, AAAA, CNAME, DKIM, DMARC, MX, SPF, TXT), run:
dss scan [domain] --type dmarc
Example:
dss scan globalcyberalliance.org --dkimSelector gca
Note: You may not receive your DKIM record unless you specify the dkimSelector
flag.
Scan any number of domains' DNS records. By default, this listens on STDIN
, meaning you run the command via dss scan
and then enter each domain one-by-one.
Alternatively, you can specify multiple domains at runtime:
dss scan globalcyberalliance.org github.com google.com
Or you can provide RFC 1035 zone files by piping with the -z
flag enabled:
dss scan -z < /path/to/zonefile
See the zonefile.example file in this repo.
You can also expose the domain scanning functionality via a REST API. By default, this is rate limited to 3 requests per 3 second interval from a single IP address. Serve the API by running the following:
dss serve api --port 80
You can reach the API docs by visiting http://server-ip:port/api/v1/docs
and the OpenAPI schema
at http://server-ip:port/api/v1/docs.json
or http://server-ip:port/api/v1/docs.yaml
. You can also test requests
through this interface thanks to Scalar.
You can then get a single domain's results by submitting a GET request like
this http://server-ip:port/api/v1/scan/globalcyberalliance.org
, which will return a JSON response similar to this:
{
"$schema": "http://server-ip:port/schemas/ScanSingleDomainResponseBody.json",
"scanResult": {
"domain": "globalcyberalliance.org",
"bimi": "v=BIMI1;l=https://bimi.entrust.net/globalcyberalliance.org/logo.svg;a=https://bimi.entrust.net/globalcyberalliance.org/certchain.pem",
"dkim": "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrLHiExVd55zd/IQ/J/mRwSRMAocV/hMB3jXwaHH36d9NaVynQFYV8NaWi69c1veUtRzGt7yAioXqLj7Z4TeEUoOLgrKsn8YnckGs9i3B3tVFB+Ch/4mPhXWiNfNdynHWBcPcbJ8kjEQ2U8y78dHZj1YeRXXVvWob2OaKynO8/lQIDAQAB;",
"dmarc": "v=DMARC1; p=reject; fo=1; rua=mailto:[email protected],mailto:[email protected],mailto:[email protected]; ruf=mailto:[email protected],mailto:[email protected];",
"mx": [
"aspmx.l.google.com.",
"alt1.aspmx.l.google.com.",
"alt2.aspmx.l.google.com.",
"alt3.aspmx.l.google.com.",
"alt4.aspmx.l.google.com."
],
"spf": "v=spf1 include:_u.globalcyberalliance.org._spf.smart.ondmarc.com -all",
},
"advice": {
"bimi": [
"Your SVG logo could not be downloaded.",
"Your VMC certificate could not be downloaded."
],
"dkim": [
"DKIM is setup for this email server. However, if you have other 3rd party systems, please send a test email to confirm DKIM is setup properly."
],
"dmarc": [
"You are at the highest level! Please make sure to continue reviewing the reports and make the appropriate adjustments, if needed."
],
"domain": [
"Your domain is using TLS 1.3, no further action needed!"
],
"mx": [
"All of your domains are using TLS 1.3, no further action needed!"
],
"spf": [
"SPF seems to be setup correctly! No further action needed."
]
}
}
Alternatively, you can scan multiple domains by POSTing them to http://server-ip:port/api/v1/scan
with a request body
like this:
{
"domains": [
"gcatoolkit.org",
"globalcyberalliance.org"
]
}
Which will return a JSON response like this:
{
"$schema": "http://server-ip:port/schemas/ScanMultipleDomainsResponseBody.json",
"results": [
{
"scanResult": {
"domain": "globalcyberalliance.org",
"bimi": "v=BIMI1;l=https://bimi.entrust.net/globalcyberalliance.org/logo.svg;a=https://bimi.entrust.net/globalcyberalliance.org/certchain.pem",
"dkim": "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrLHiExVd55zd/IQ/J/mRwSRMAocV/hMB3jXwaHH36d9NaVynQFYV8NaWi69c1veUtRzGt7yAioXqLj7Z4TeEUoOLgrKsn8YnckGs9i3B3tVFB+Ch/4mPhXWiNfNdynHWBcPcbJ8kjEQ2U8y78dHZj1YeRXXVvWob2OaKynO8/lQIDAQAB;",
"dmarc": "v=DMARC1; p=reject; fo=1; rua=mailto:[email protected],mailto:[email protected],mailto:[email protected]; ruf=mailto:[email protected],mailto:[email protected];",
"spf": "v=spf1 include:_u.globalcyberalliance.org._spf.smart.ondmarc.com -all",
"mx": [
"aspmx.l.google.com.",
"alt1.aspmx.l.google.com.",
"alt2.aspmx.l.google.com.",
"alt3.aspmx.l.google.com.",
"alt4.aspmx.l.google.com."
]
},
"advice": {
"bimi": [
"Your SVG logo could not be downloaded.",
"Your VMC certificate could not be downloaded."
],
"dkim": [
"DKIM is setup for this email server. However, if you have other 3rd party systems, please send a test email to confirm DKIM is setup properly."
],
"dmarc": [
"You are at the highest level! Please make sure to continue reviewing the reports and make the appropriate adjustments, if needed."
],
"domain": [
"Your domain is using TLS 1.3, no further action needed!"
],
"mx": [
"All of your domains are using TLS 1.3, no further action needed!"
],
"spf": [
"SPF seems to be setup correctly! No further action needed."
]
}
},
{
"scanResult": {
"domain": "gcatoolkit.org",
"dmarc": "v=DMARC1; p=reject;",
"mx": [
"mx01.1and1.com.",
"mx00.1and1.com."
],
"spf": "v=spf1 -all"
},
"advice": {
"bimi": [
"We couldn't detect any active BIMI record for your domain. Please visit https://dmarcguide.globalcyberalliance.org to fix this."
],
"dkim": [
"We couldn't detect any active DKIM record for your domain. Please visit https://dmarcguide.globalcyberalliance.org to fix this."
],
"dmarc": [
"You are at the highest level! However, we do recommend keeping reports enabled (via the rua tag) in case any issues may arise and you can review reports to see if DMARC is the cause."
],
"domain": [
"Your domain is using TLS 1.3, no further action needed!"
],
"mx": [
"mx01.1and1.com: Failed to reach domain",
"mx00.1and1.com: Failed to reach domain"
],
"spf": [
"SPF seems to be setup correctly! No further action needed."
]
}
}
]
}
You can also serve scan results via a dedicated mailbox. It is advised that you use this mailbox for this sole purpose, as all emails will be deleted at each 10 second interval.
dss serve mail --inboundHost "imap.gmail.com:993" --inboundPass "SomePassword" --inboundUser "[email protected]" --outboundHost "smtp.gmail.com:587" --outboundPass "SomePassword" --outboundUser "[email protected]" --advise
You can then email this inbox from any address, and you'll receive an email back with your scan results.
Flag | Short | Description |
---|---|---|
--advise |
-a |
Provide suggestions for incorrect/missing mail security features |
--cache |
Specify how long to cache results for (default 3m) | |
--checkTLS |
Check the TLS connectivity and cert validity of domains | |
--concurrent |
-c |
The number of domains to scan concurrently (defaults to your number of CPU threads) |
--debug |
-d |
Print debug logs |
--dkimSelector |
Specify a comma seperated list of DKIM selectors (default "") | |
--dnsBuffer |
Specify the allocated buffer for DNS responses (default 4096) | |
--dnsProtocol |
Protocol to use for DNS queries (udp, tcp, tcp-tls) (default udp) | |
--format |
-f |
Format to print results in (yaml, json, csv) (default "yaml") |
--nameservers |
-n |
Use specific nameservers, in host[:port] format; may be specified multiple times |
--outputFile |
-o |
Output the results to a specified file (creates a file with the current unix timestamp if no file is specified) |
--prettyLog |
Pretty print logs to console (default true) | |
--timeout |
-t |
Timeout duration for a DNS query (default 15s) |
--zoneFile |
-z |
Input file/pipe containing an RFC 1035 zone file |
This repository is licensed under the Apache License version 2.0.
Some of the project's dependencies may be under different licenses.