Monitoring with PowerShell: Monitoring M365 SPF,DKIM, and DMARC

In one of the groups that I frequent there recently was a small discussion about mail deliverability, some of the MSPs in that group started using external products to check if their DNS records are configured correctly for optimal delivery in regards to spam checking, filterings, etc. I figured I could show them how to do the same in PowerShell, which would ease the burden and they could remove yet another product from their stack. 🙂

The script uses the secure application model to connect to M365, it then collects all domains that are not the onmicrosoft one, and performs DNS checks on these domains. That way you can immediately see if the configuration is correct or needs some adjustsments.

The Script

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34


######### Secrets #########
$ApplicationId = 'ApplicaitonId'
$ApplicationSecret = 'ApplicationSecret' | ConvertTo-SecureString -Force -AsPlainText
$TenantID = 'TenantID'
$RefreshToken = 'VeryLongRefreshToken'
######### Secrets #########
$credential = New-Object System.Management.Automation.PSCredential($ApplicationId, $ApplicationSecret)

$aadGraphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $refreshToken -Scopes 'https://graph.windows.net/.default' -ServicePrincipal -Tenant $tenantID
$graphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $refreshToken -Scopes 'https://graph.microsoft.com/.default' -ServicePrincipal -Tenant $tenantID

Connect-MsolService -AdGraphAccessToken $aadGraphToken.AccessToken -MsGraphAccessToken $graphToken.AccessToken

$domains = Get-MsolPartnerContract -All | Get-MsolDomain | where-object -Property IsInitial -eq $false
$Results = foreach ($Domain in $Domains) {

    $Selector1 = Resolve-DnsName -name "selector1._domainkey.$($Domain.name)" -Type CNAME -ErrorAction SilentlyContinue
    $selector2 = Resolve-DnsName -name "selector2._domainkey.$($Domain.name)" -Type CNAME -ErrorAction SilentlyContinue
    $DMARC = Resolve-DnsName -name "_dmarc.$($Domain.Name)" -Type TXT -ErrorAction SilentlyContinue
    $SPF = Resolve-DnsName -name "$($Domain.name)" -Type TXT -ErrorAction SilentlyContinue | Where-Object { $_.strings -like 'v=spf1*' }

    [PSCustomObject]@{
        'Domain'                     = $domain.Name
        "DKIM Selector 1 Configured" = [bool]$selector1
        "DKIM Selector 2 Configured" = [bool]$selector2
        'DMARC configured'           = [bool]$DMARC
        'SPF Configured'             = [bool]$SPF
        'DMARC Value'                = $DMARc.Strings
        'SPF Value'                  = $spf.strings
    }

}

$results | format-table

And that’s it! as always, Happy PowerShelling!