MX Lookup Tool - Check your DNS MX Records online - MxToolbox
| Pattern | Meaning | Risk |
|---|---|---|
| SPF pass + DKIM pass + DMARC pass | Legitimate mail likely | Low ✅ |
| SPF softfail + DKIM none + DMARC fail | Likely phishing | High 🚨 |
| SPF fail + DKIM fail + DMARC fail | Strong spoof | Critical 🔥 |
| SPF pass + DMARC fail | Alignment issue / spoof attempt | Medium–High |
Headers
| Header / Mechanism | Purpose | Pass Means | Fail Means | Common Values | DFIR Meaning |
|---|---|---|---|---|---|
| Sender Policy Framework SPF | Verifies sender IP is allowed by sender domain DNS | Sending server authorized | Sending server unauthorized | pass, fail, softfail, neutral, none | Detect spoofed sender infrastructure |
| DomainKeys Identified Mail DKIM | Verifies cryptographic signature of message | Signature valid, content unchanged | Signature invalid / altered | pass, fail, none | Detect tampering or fake sender signing |
| Domain-based Message Authentication, Reporting and Conformance DMARC | Checks SPF/DKIM alignment with visible sender | Sender identity aligned | Sender spoof likely | pass, fail | Strong spoofing indicator |
| Authenticated Received Chain ARC | Preserves auth trust across forwarding | Forwarded auth chain trusted | Forwarding trust broken | pass, fail, none | Useful when forwarding breaks SPF |
| Authentication-Results | Summary verdict from receiver | Full auth summary available | Failures visible immediately | combined results | Fastest forensic overview |
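The two tables above describe how the receiver's Authentication-Results header summarises SPF, DKIM and DMARC, and how the combination maps onto a risk level. The following is an added example (not code from the original page) that parses that header out of a raw message and applies the risk pattern table mechanically. The sample message, its host names, IP address and domains are all constructed placeholders; the `Review` fallback for combinations the table does not list is my own choice.

```python
import re
from email import message_from_string
from typing import Dict, Tuple

# Constructed sample message (placeholder hosts, IP and domains). Its
# Authentication-Results header is folded across lines, as receivers emit it.
SAMPLE_MESSAGE = (
    "Authentication-Results: mx.example.net;\n"
    "\tspf=softfail (sender IP is 203.0.113.7) smtp.mailfrom=billing.example.org;\n"
    "\tdkim=none (message not signed) header.d=none;\n"
    "\tdmarc=fail action=quarantine header.from=example.org\n"
    "From: \"Accounts\" <accounts@example.org>\n"
    "Subject: Invoice overdue\n"
    "\n"
    "Body text.\n"
)

# method=result clauses of interest; temperror/permerror are also valid results
_CLAUSE_RE = re.compile(
    r"\b(spf|dkim|dmarc|arc)=(pass|fail|softfail|neutral|none|temperror|permerror)\b",
    re.IGNORECASE,
)


def parse_auth_results(header_value: str) -> Dict[str, str]:
    """Return {method: result} for one Authentication-Results header value."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header_value)  # undo header folding
    results: Dict[str, str] = {}
    for method, result in _CLAUSE_RE.findall(unfolded):
        # keep the first verdict if a method appears twice (e.g. two DKIM signatures)
        results.setdefault(method.lower(), result.lower())
    return results


def triage(r: Dict[str, str]) -> Tuple[str, str]:
    """Map spf/dkim/dmarc results onto the risk pattern table."""
    spf = r.get("spf", "none")
    dkim = r.get("dkim", "none")
    dmarc = r.get("dmarc", "none")
    if (spf, dkim, dmarc) == ("pass", "pass", "pass"):
        return "Low", "legitimate mail likely"
    if (spf, dkim, dmarc) == ("fail", "fail", "fail"):
        return "Critical", "strong spoof"
    if (spf, dkim, dmarc) == ("softfail", "none", "fail"):
        return "High", "likely phishing"
    if spf == "pass" and dmarc == "fail":
        return "Medium-High", "alignment issue / spoof attempt"
    return "Review", "pattern not in matrix; inspect headers manually"


def triage_message(raw: str) -> Tuple[Dict[str, str], Tuple[str, str]]:
    """Parse every Authentication-Results header of a raw message and triage it."""
    msg = message_from_string(raw)
    combined: Dict[str, str] = {}
    # The topmost header is the one added by our own MX; its verdicts win.
    for value in msg.get_all("Authentication-Results", []):
        for method, result in parse_auth_results(value).items():
            combined.setdefault(method, result)
    return combined, triage(combined)


if __name__ == "__main__":
    results, (risk, reason) = triage_message(SAMPLE_MESSAGE)
    print(results)              # {'spf': 'softfail', 'dkim': 'none', 'dmarc': 'fail'}
    print(f"{risk}: {reason}")  # High: likely phishing
```

Only the Authentication-Results header written by your own receiving MX should be trusted; a sender can insert a fake one further down, which is why the code takes the topmost header's verdict first.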
Carving B64 Attachments
```powershell
# Read the copied base64 body as one string and strip the MIME line wrapping
$a1b64 = (Get-Content .\Attachment1.txt -Raw) -replace '\s',''
# WriteAllBytes needs an absolute path, hence the explicit $(pwd) prefix
[IO.File]::WriteAllBytes("$(pwd)\payload1.bin",[Convert]::FromBase64String($a1b64))
```
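As an added example (not from the original page), the same carving step in Python, extended to the two things that usually go wrong when a base64 body is copied out of a message: stray whitespace and lost trailing padding. It also hashes the carved bytes and checks the leading bytes against well-known file signatures before anything opens the file. The payload and its wrapped encoding are constructed in the block; `carve_to_file` is a hypothetical helper mirroring the PowerShell one-liner above.

```python
import base64
import binascii
import hashlib
import re
from pathlib import Path
from typing import Any, Dict

# Constructed payload (not a real document) and its MIME-style wrapped base64.
PAYLOAD = b"%PDF-1.4\n% constructed sample for the carving demo\n"
SAMPLE_B64 = base64.encodebytes(PAYLOAD).decode("ascii")  # 76-char lines + newlines

# Well-known file signatures, matched against the first bytes of the carve.
MAGIC = [
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip (also docx/xlsx/pptx/jar)"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2 (legacy doc/xls/ppt/msg)"),
    (b"MZ", "pe executable"),
    (b"\x7fELF", "elf executable"),
]


def sniff(data: bytes) -> str:
    """Name the carved file type from its magic bytes, or 'unknown'."""
    for prefix, name in MAGIC:
        if data.startswith(prefix):
            return name
    return "unknown"


def carve_b64(text: str) -> Dict[str, Any]:
    """Strip whitespace, repair missing padding, decode strictly, describe the result."""
    cleaned = re.sub(r"\s+", "", text)
    cleaned += "=" * (-len(cleaned) % 4)  # a copy/paste often loses trailing '='
    try:
        data = base64.b64decode(cleaned, validate=True)  # reject stray characters
    except binascii.Error as exc:
        raise ValueError(f"not a clean base64 body: {exc}") from exc
    return {
        "bytes": data,
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),  # record the hash before opening it
        "type": sniff(data),
    }


def carve_to_file(src: Path, dst: Path) -> Dict[str, Any]:
    """File-based equivalent of the PowerShell one-liner (hypothetical helper)."""
    info = carve_b64(src.read_text(encoding="ascii", errors="ignore"))
    dst.write_bytes(info["bytes"])
    return {k: v for k, v in info.items() if k != "bytes"}


if __name__ == "__main__":
    info = carve_b64(SAMPLE_B64)
    print(info["size"], info["type"], info["sha256"])
```

`validate=True` matters: the default decoder silently discards characters outside the base64 alphabet, which can hide a corrupted or deliberately obfuscated body.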
SPF Result Matrix
| SPF Value | Meaning | Severity |
|---|---|---|
| pass | Sender IP matches DNS SPF record | Low ✅ |
| fail | Sender IP explicitly unauthorized | High 🚨 |
| softfail | Suspicious but not strict reject | Medium ⚠️ |
| neutral | Domain gives no strong verdict | Low / ambiguous |
| none | No SPF record exists | Suspicious if business domain |
SoftFail vs HardFail Matrix
| SPF Policy | DNS Syntax | Meaning | Receiver Action |
|---|---|---|---|
| SoftFail | ~all | Suspicious but tolerated | Usually mark / spam |
| HardFail | -all | Strict reject required | Reject / quarantine |
DKIM Result Matrix
| DKIM Value | Meaning | DFIR Interpretation |
|---|---|---|
| pass | Signature valid | Mail likely intact |
| fail | Signature broken | Modified mail / spoofing |
| none | No signature | Weak sender hygiene or suspicious |
DMARC Policy Matrix
| Policy | DNS Value | Meaning | Action |
|---|---|---|---|
| Monitor | p=none | Only report failures | No blocking |
| Quarantine | p=quarantine | Suspicious mail to spam | Medium protection |
| Reject | p=reject | Reject suspicious mail | Strong protection |
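The SoftFail vs HardFail and DMARC policy tables describe what a domain's published DNS records say about how strictly receivers should treat unauthenticated mail. This added example (mine, not from the page) parses both record types and maps them onto those tables, so a sender domain seen in an incident can be checked in one call. The TXT records and domains are constructed placeholders, and `lookup_txt` is a stand-in resolver over that table; replace it with a real DNS query to run against live domains. It goes slightly beyond the tables by also handling `?all`, `+all`, a missing `all`, a `redirect=` modifier and the multiple-record error case.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed TXT records keyed by the name you would query; placeholder domains.
SAMPLE_TXT: Dict[str, List[str]] = {
    "example.org": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mail.example.net ~all"],
    "_dmarc.example.org": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.org; pct=100"],
    "example.com": ["v=spf1 a mx -all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:reports@example.com"],
    "example.net": [],          # no SPF record at all
    "_dmarc.example.net": [],   # no DMARC record at all
}


def lookup_txt(name: str) -> List[str]:
    """Stand-in resolver over the constructed table; swap in a real DNS query here."""
    return SAMPLE_TXT.get(name, [])


# 'all' qualifier -> (policy name, receiver action), after the SoftFail/HardFail table
SPF_ALL = {
    "-": ("HardFail", "Reject / quarantine"),
    "~": ("SoftFail", "Usually mark / spam"),
    "?": ("Neutral", "Domain gives no strong verdict"),
    "+": ("PassAll", "Every sender passes; no protection"),
}


def spf_policy(records: List[str]) -> Tuple[str, str]:
    """Classify a domain's SPF record by its terminal 'all' qualifier."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return "none", "No SPF record exists"
    if len(spf) > 1:
        return "permerror", "Multiple SPF records; receivers treat as permanent error"
    for term in spf[0].split()[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            return SPF_ALL[m.group(1) or "+"]  # bare 'all' means '+all'
        if term.lower().startswith("redirect="):
            return "redirect", f"Policy delegated to {term.split('=', 1)[1]}"
    return "neutral", "No all mechanism; receivers default to neutral"


def dmarc_policy(records: List[str]) -> Dict[str, str]:
    """Read the p= tag of a _dmarc TXT record and map it onto the policy table."""
    recs = [r for r in records if r.lower().replace(" ", "").startswith("v=dmarc1")]
    if not recs:
        return {"policy": "none-record", "p": "", "action": "No DMARC; nothing enforced"}
    tags: Dict[str, str] = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    table = {
        "none": ("Monitor", "No blocking"),
        "quarantine": ("Quarantine", "Medium protection"),
        "reject": ("Reject", "Strong protection"),
    }
    p = tags.get("p", "").lower()
    policy, action = table.get(p, ("Invalid", "Missing or unrecognised p= tag"))
    return {
        "policy": policy,
        "p": p,
        "action": action,
        "pct": tags.get("pct", "100"),  # DMARC default is 100 percent of mail
        "rua": tags.get("rua", ""),
    }


def assess_domain(domain: str, resolve: Callable[[str], List[str]] = lookup_txt) -> Dict[str, object]:
    """Combine the SPF and DMARC verdicts for one sender domain."""
    return {
        "domain": domain,
        "spf": spf_policy(resolve(domain)),
        "dmarc": dmarc_policy(resolve(f"_dmarc.{domain}")),
    }


if __name__ == "__main__":
    for d in ("example.org", "example.com", "example.net"):
        print(assess_domain(d))
```

A `p=none` record combined with `~all` means the domain publishes authentication data but asks receivers to enforce nothing, which is why a DMARC fail on such a domain still lands in the inbox and must be caught by your own filtering.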