Series: PowerShell Monitoring

Monitoring with PowerShell: Monitoring M365 SPF,DKIM, and DMARC

Kelvin Tegelaar | 26 Apr, 2021 | 2 Mins Read

In one of the groups that I frequent there recently was a small discussion about mail deliverability, some of the MSPs in that group started using external products to check if their DNS records are configured correctly for optimal delivery in regards to spam checking, filterings, etc. I figured I could show them how to do the same in PowerShell, which would ease the burden and they could remove yet another product from their stack. ๐Ÿ™‚

The script uses the secure application model to connect to M365, it then collects all domains that are not the onmicrosoft one, and performs DNS checks on these domains. That way you can immediately see if the configuration is correct or needs some adjustsments.

The Script

######### Secrets #########
$ApplicationId = 'ApplicaitonId'
$ApplicationSecret = 'ApplicationSecret' | ConvertTo-SecureString -Force -AsPlainText
$TenantID = 'TenantID'
$RefreshToken = 'VeryLongRefreshToken'
######### Secrets #########
$credential = New-Object System.Management.Automation.PSCredential($ApplicationId, $ApplicationSecret)

$aadGraphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $refreshToken -Scopes 'https://graph.windows.net/.default' -ServicePrincipal -Tenant $tenantID
$graphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $refreshToken -Scopes 'https://graph.microsoft.com/.default' -ServicePrincipal -Tenant $tenantID

Connect-MsolService -AdGraphAccessToken $aadGraphToken.AccessToken -MsGraphAccessToken $graphToken.AccessToken

$domains = Get-MsolPartnerContract -All | Get-MsolDomain | where-object -Property IsInitial -eq $false
$Results = foreach ($Domain in $Domains) {

    $Selector1 = Resolve-DnsName -name "selector1._domainkey.$($Domain.name)" -Type CNAME -ErrorAction SilentlyContinue
    $selector2 = Resolve-DnsName -name "selector2._domainkey.$($Domain.name)" -Type CNAME -ErrorAction SilentlyContinue
    $DMARC = Resolve-DnsName -name "_dmarc.$($Domain.Name)" -Type TXT -ErrorAction SilentlyContinue
    $SPF = Resolve-DnsName -name "$($Domain.name)" -Type TXT -ErrorAction SilentlyContinue | Where-Object { $_.strings -like 'v=spf1*' }

    [PSCustomObject]@{
        'Domain'                     = $domain.Name
        "DKIM Selector 1 Configured" = [bool]$selector1
        "DKIM Selector 2 Configured" = [bool]$selector2
        'DMARC configured'           = [bool]$DMARC
        'SPF Configured'             = [bool]$SPF
        'DMARC Value'                = $DMARc.Strings
        'SPF Value'                  = $spf.strings
    }

}

$results | format-table

And thatโ€™s it! as always, Happy PowerShelling!

Recent Articles

Announcements
CIPP โค๏ธ #IntuneForMSPs
17 Mar, 2026|4 Mins Read

We’re Joining #IntuneForMSPs ๐ŸŽ‰

Being invited by Microsoft to join a global initiative is a big moment for us, and we want to be clear about why it matters. #IntuneForMSPs is Microsoft’s program to help MSPs deliver Microsoft 365, Intune, and Copilot services at scale, and CIPP is now part of it, bringing the largest MSP community in the channel directly to Microsoft.

Series: PowerShell Automation
The return of CyberDrain CTF
09 Jan, 2023|2 Mins Read

CyberDrain CTF returns! (and so do I!)

It’s been since september that I actually picked up a digital pen equivalent and wrote anything down. This was due to me being busy with life but also my side projects like CIPP. I’m trying to get back into the game of scripting and blogging about these scripts. There’s still so much to automate and so little time, right? ;)

Series: PowerShell Monitoring
Monitoring with PowerShell: Monitoring Acronis Backups
05 Sep, 2022|3 Mins Read

Intro

This is a monitoring script requested via Reddit, One of the reddit r/msp users wondered how they can monitor Acronis a little bit easier. I jumped on this because it happened pretty much at the same time that I was asked to speak at the Acronis CyberSummit so it kinda made sense to script this so I have something to demonstrate at my session there.