-
Notifications
You must be signed in to change notification settings - Fork 9
Test Cases
tparrott-cse edited this page Jan 13, 2020
·
1 revision
Test cases
Uses 'domain.test' DNS zone for test cases and for verifying potential RFC violations and tailored advice/guidance tests execute correctly.
Format: tX.sY.records.domain.test -- Test X, Phase Y
Stage 1 - Assess - s1.records.domain.test
| Record name | Value | Purpose of test | Guidance |
|---|---|---|---|
| t1.s1.records.domain.test | invalid | Missing SPF | TBD |
| selector1._domainkey.t1.s1.records.domain.test | invalid | Missing DKIM | TBD |
| _dmarc.t1.s1.records.domain.test | invalid | Missing DMARC | TBD |
Stage 2 - Deploy - s2.records.domain.test
| Record name | Value | Purpose of test | Guidance |
|---|---|---|---|
| t1.s2.records.domain.test | v=spf1 mx ~all | Soft-fail | Add legitimate mail sources to SPF |
| selector1.t1.s2.records.domain.test | not-defined | Missing DKIM | Add DKIM selector |
| _dmarc.t1.s2.records.domain.test | v=DMARC1; p=none; rua=mailto:dmarc@domain.test | Monitor, 1st party RUA, No RUF/SP/PCT | Document SPF/DKIM sources. Consider Quarantine 25% when all sources of legitimate mailflow is Fully Compliant |
Stage 3 - Enforce - s3.records.domain.test
Notes
- Same DKIM key defined for every test. DKIM keys are all one-line but displayed across multiple lines for improved display
| Record name | Value | Purpose of test | Guidance |
|---|---|---|---|
| selector1._domainkey.t#.s2.records.domain.test | v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCYBExmcB+1SpQ+lQYtPXQiYeyT gjyEooD4NgGapxcMXcQens15Dr4yJvm0VfB7f0ckZ0zqJ7FWTo9uauTTjXt581s M07O5G28Ih28Elwsqnf3V9orZAL9QMbkZ2GrswdhmCbR9d7WHF1y0LlFIZkuhQwH PmEDrrC0xWuy2es/vwIDAQAB | 1024-bit RSA | Upgrade DKIM key to 2048-bit RSA |
| _dmarc.t1.s3.records.domain.test | v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@domain.test | Quarantine 25%, 1st party RUA, No RUF/SP/PCT | Go to Quarantine 50% |
| _dmarc.t2.s3.records.domain.test | v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@domain.test | Quarantine 50%, 1st party RUA, No RUF/SP/PCT | Go to Quarantine 75% |
| _dmarc.t3.s3.records.domain.test | v=DMARC1; p=quarantine; pct=75; rua=mailto:dmarc@domain.test | Quarantine 75%, 1st party RUA, No RUF/SP/PCT | Go to Quarantine 100% |
| _dmarc.t4.s3.records.domain.test | v=DMARC1; p=quarantine; rua=mailto:dmarc@domain.test | Quarantine 100%, 1st party RUA, No RUF/SP/PCT | Go to Reject 25% |
| _dmarc.t5.s3.records.domain.test | v=DMARC1; p=reject; pct=25; rua=mailto:dmarc@domain.test | Reject 25%, 1st party RUA, No RUF/SP/PCT | Go to Reject 50% |
| _dmarc.t6.s3.records.domain.test | v=DMARC1; p=reject; pct=50; rua=mailto:dmarc@domain.test | Reject 50%, 1st party RUA, No RUF/SP/PCT | Go to Reject 75% |
| _dmarc.t7.s3.records.domain.test | v=DMARC1; p=reject; pct=75; rua=mailto:dmarc@domain.test | Reject 75%, 1st party RUA, No RUF/SP/PCT | Go to Reject 100%/Progress to Stage 4 |
Stage 4 - Maintain - s4.records.domain.test
| Record name | Value | Purpose of test | Guidance |
|---|---|---|---|
| t1.s4.records.domain.test | v=spf1 mx -all | Hard-fail, no includes | TBD |
| selector1._domainkey.t1.s4.domain.test | v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxti98dyyS0JDQ8aKmX/0K2vaOeSpOAhD72Xokk3ZFu+ySkN8JPKbDrQQqu87n9m2XCh5nNGlDmYyEVlTVUTMu/BvbMQQu+/Rk3n+s79c60+avNiVK1JFVst/xpXfB+5gvn4qywG+emIH9XfaEwjuH3lxDVZArtjf0TMSwmnl1OxpH2KGuQP6PWlhj1BLC3/xLGVp/up7p1XzbBzLzLd6tNAEUU0304hBGK5mNYPg2ENmHHaWyOzx94px73MvD4z7FZ3E7wvotrd6pMnWUKIkoQLoVHSXvfmLUb7KerEJ2f83qQVuhTzVzJzCJAmOPAeZFjG05pmOTaKn+8CeZOXR8QIDAQAB | 2048-bit RSA | TBD |
| _dmarc.t1.s4.records.domain.test | v=DMARC1; p=reject; rua=mailto:dmarc@domain.test | Reject, 1st party RUA, No RUF/SP/PCT | TBD |
RFC checks
Uses '.domain.test' DNS subdomains for verifying potential RFC violations and tailored advice/guidance tests execute correctly.
Format: tX.proto.domain.test -- Test X, Protocol proto
SPF - RFC????
| Record name | Value | Purpose of test | Guidance |
|---|---|---|---|
| t1.spf.domain.test | does not exist, TXT lookup should return null | Missing SPF | TBD |
| t2.spf.domain.test | invalid | SPF entries exist, but no SPF | Add SPF |
| t3.spf.domain.test | v=spf1mx~all | Missing spaces | TBD |
| t4.spf.domain.test | v=spf1 include:_spf.google.com include:spf.protection.outlook.com include:servers.mcsv.net include:sendgrid.net include:salesforce.com ~all | 10+ domain lookup | Split SPF string or flatten |
| t5.spf.domain.test | v=spf1 mx ˗all | Extended-ASCII minus | Use correct minus character |
| t6.spf.domain.test | s=spf1 mx ~all | Missing SPF version string | TBD |
| t7.spf.domain.test | v=spf1 mx ______ | Missing default -- underlines not actually included | Add default (suggested ~all) |
| t8.spf.domain.test | v=spf1 mx all | Default allow | Use default (suggested ~all) |
| t9.spf.domain.test | v=spf1 mx ?all | Default neutral | Use default (suggested ~all) |
| t10.spf.domain.test | v=spf1 mx ~all | Default soft-fail | Migrate to hard-fail (-all) when all mail sources added |
| t11.spf.domain.test | v=spf1 $mx ~all | Invalid modifier ($) | Only use RFC compliant modifiers |
| t12.spf.domain.test | v=spf1 mx qqq ~all | Invalid qualifier qqq | Only use RFC compliant qualifiers |
DKIM - RFC????
| Record name | Value | Purpose of test | Guidance |
|---|---|---|---|
| selector1._domainkey.t1.dkim.domain.test | v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCYBExmcB+1SpQ+lQYtPXQiYeyT gjyEooD4NgGapxcMXcQens15Dr4yJvm0VfB7f0ckZ0zqJ7FWTo9uauTTjXt581s M07O5G28Ih28Elwsqnf3V9orZAL9QMbkZ2GrswdhmCbR9d7WHF1y0LlFIZkuhQwH PmEDrrC0xWuy2es/vwIDAQAB | 1024-bit RSA | Upgrade DKIM key to 2048-bit RSA |
| selector1._domainkey.t2.dkim.domain.test | v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxti98dyyS0JDQ8aKmX/0K2vaOeSpOAhD72Xokk3ZFu+ySkN8JPKbDrQQqu87n9m2XCh5nNGlDmYyEVlTVUTMu/BvbMQQu+/Rk3n+s79c60+avNiVK1JFVst/xpXfB+5gvn4qywG+emIH9XfaEwjuH3lxDVZArtjf0TMSwmnl1OxpH2KGuQP6PWlhj1BLC3/xLGVp/up7p1XzbBzLzLd6tNAEUU0304hBGK5mNYPg2ENmHHaWyOzx94px73MvD4z7FZ3E7wvotrd6pMnWUKIkoQLoVHSXvfmLUb7KerEJ2f83qQVuhTzVzJzCJAmOPAeZFjG05pmOTaKn+8CeZOXR8QIDAQAB | 2048-bit RSA | TBD |
| selector1._domainkey.t3.dkim.domain.test | v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxti98dyyS0JDQ8aKmX/0K2vaOeSpOAhD72Xokk3ZFu+ySkN8JPKbDrQQqu87n9m2XCh5nNGlDmYyEVlTVUTMu/BvbMQQu+/Rk3n+s79c60+avNiVK1JFVst/xpXfB+5gvn4qywG+emIH9XfaEwlxDVZArtjf0TMSwmnl1OxpH2KGuQP6PWlhj1BLC3/xLGVp/up7p1XzbBzLzLd6tNAEUU0304hBGK5mNYPg2ENmHHaWyOzx94px73MvD4z7FZ3E7wvotrd6pMnWUKIkoQLoVHSXvfmLUb7KerEJ2f83qQVuhTzVzJzCJAmOPAeZFjG05pmOTaKn+8CeZOXR8QQAB | Invalid public key | TBD |
| selector1._domainkey.t4.dkim.domain.test | v=DKIM1; k=rsa; p=??? | 768-bit RSA | TBD |
| selector1._domainkey.t5.dkim.domain.test | v=DKIM1; k=rsa; t=y; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxti98dyyS0JDQ8aKmX/0K2vaOeSpOAhD72Xokk3ZFu+ySkN8JPKbDrQQqu87n9m2XCh5nNGlDmYyEVlTVUTMu/BvbMQQu+/Rk3n+s79c60+avNiVK1JFVst/xpXfB+5gvn4qywG+emIH9XfaEwjuH3lxDVZArtjf0TMSwmnl1OxpH2KGuQP6PWlhj1BLC3/xLGVp/up7p1XzbBzLzLd6tNAEUU0304hBGK5mNYPg2ENmHHaWyOzx94px73MvD4z7FZ3E7wvotrd6pMnWUKIkoQLoVHSXvfmLUb7KerEJ2f83qQVuhTzVzJzCJAmOPAeZFjG05pmOTaKn+8CeZOXR8QIDAQAB | Contains testing tag | TBD |
| selector1._domainkey.t6.dkim.domain.test | v=DKIM1; k=rsa; a=invalid; h=invalid; t=invalid; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxti98dyyS0JDQ8aKmX/0K2vaOeSpOAhD72Xokk3ZFu+ySkN8JPKbDrQQqu87n9m2XCh5nNGlDmYyEVlTVUTMu/BvbMQQu+/Rk3n+s79c60+avNiVK1JFVst/xpXfB+5gvn4qywG+emIH9XfaEwjuH3lxDVZArtjf0TMSwmnl1OxpH2KGuQP6PWlhj1BLC3/xLGVp/up7p1XzbBzLzLd6tNAEUU0304hBGK5mNYPg2ENmHHaWyOzx94px73MvD4z7FZ3E7wvotrd6pMnWUKIkoQLoVHSXvfmLUb7KerEJ2f83qQVuhTzVzJzCJAmOPAeZFjG05pmOTaKn+8CeZOXR8QIDAQAB | Invalid values | TBD |
| selector1._domainkey.t7.dkim.domain.test | v=DKIM1; k=rsa; invalid=y; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxti98dyyS0JDQ8aKmX/0K2vaOeSpOAhD72Xokk3ZFu+ySkN8JPKbDrQQqu87n9m2XCh5nNGlDmYyEVlTVUTMu/BvbMQQu+/Rk3n+s79c60+avNiVK1JFVst/xpXfB+5gvn4qywG+emIH9XfaEwjuH3lxDVZArtjf0TMSwmnl1OxpH2KGuQP6PWlhj1BLC3/xLGVp/up7p1XzbBzLzLd6tNAEUU0304hBGK5mNYPg2ENmHHaWyOzx94px73MvD4z7FZ3E7wvotrd6pMnWUKIkoQLoVHSXvfmLUb7KerEJ2f83qQVuhTzVzJzCJAmOPAeZFjG05pmOTaKn+8CeZOXR8QIDAQAB | Invalid tag | TBD |
DKIM ECC - RFC
DMARC - RFC????
Each DMARC entry is meant for tX.dmarc.domain.test so they will be added in the expected _dmarc location.
| Record name | Value | Purpose of test | Guidance |
|---|---|---|---|
| _dmarc.t1.dmarc.domain.test | does not exist, TXT lookup should return NXDOMAIN | Missing DMARC | Add initial DMARC |
| _dmarc.t2.dmarc.domain.test | invalid | Other entries exist, but no DMARC | Add initial DMARC |
| _dmarc.t3.dmarc.domain.test | v=DMARC1; p=other; rua=mailto:dmarc@domain.test | Invalid policy | TBD |
| _dmarc.t4.dmarc.domain.test | v=DMARC1; p=none; rua=dmarc@domain.test | Missing mailto: in RUA | Add initial DMARC |
| _dmarc.t5.dmarc.domain.test | v=DMARC1; p=none; ruf=dmarc@domain.test | Missing mailto: in RUF | TBD |
| _dmarc.t6.dmarc.domain.test | v=DMARC1; p=none; sp=other; rua=mailto:dmarc@domain.test | Invalid subdomain policy | TBD |
| _dmarc.t7.dmarc.domain.test | v=DMARC1; p=none; pct=other; rua=mailto:dmarc@domain.test | Invalid pct | TBD |
| _dmarc.t8.dmarc.domain.test | v=DMARC1; p=none; pct=-3; rua=mailto:dmarc@domain.test | Invalid pct | TBD |
| _dmarc.t9.dmarc.domain.test | v=DMARC1; p=none; pct=4.5; rua=mailto:dmarc@domain.test | Invalid pct | TBD |
| _dmarc.t10.dmarc.domain.test | v=DMARC1; p=none; pct=1000; rua=mailto:dmarc@domain.test | Invalid pct | TBD |
| _dmarc.t11.dmarc.domain.test | v=DMARC1; p=none; rua=mailto:dmarc@thirdparty.test | Legal record but missing third-party verification lookup | TBD |
| _dmarc.sub.t12.dmarc.domain.test | does not exist, TXT lookup should return NXDOMAIN | Lookup for 'sub.t12.dmarc.domain.test' which does not exist but it should find the organizational t12 record | TBD |
| _dmarc.t12.dmarc.domain.test | v=DMARC1; p=none; rua=mailto:dmarc@thirdparty.test | Lookup for 'sub.t12.dmarc.domain.test' which does not exist but it should find the organizational t12 record | TBD |
| _dmarc.cname.t13.dmarc.domain.test | CNAME to _dmarc.txt.t13.dmarc.domain.test | Should follow CNAME to TXT | TBD |
| _dmarc.txt.t13.dmarc.domain.test | v=DMARC1; p=none; rua=mailto:dmarc@domain.test | Should follow CNAME to TXT | TBD |
| _dmarc.txt.t14.dmarc.domain.test | v=DMARC1; p=none; pct=0; rua=mailto:dmarc@domain.test | pct=0 invalid | TBD |
| _dmarc.txt.t15.dmarc.domain.test | v=DMARC1; p=none; pct=50; rua=mailto:dmarc@domain.test | p=none should use pct100 or not include tag | TBD |
This project was built by the Treasury Board of Canada Secretariat in collaboration with the Canadian Centre for Cyber Security.