Project 15: Email Authentication Dashboard
Build a web dashboard that evaluates a domain’s SPF, DKIM, and DMARC configuration with recommendations.
Quick Reference
| Attribute | Value |
|---|---|
| Difficulty | Advanced |
| Time Estimate | 2-3 weeks |
| Language | Python (Flask/FastAPI) (Alternatives: Go, Node.js) |
| Prerequisites | DNS queries, web development basics |
| Key Topics | Integrated auth checks, UX reporting, caching |
1. Learning Objectives
- Integrate SPF, DKIM, and DMARC checks into a single report.
- Build a web UI that explains results clearly.
- Implement caching to reduce DNS load.
- Provide actionable recommendations for configuration improvements.
2. Theoretical Foundation
2.1 Core Concepts
- Authentication chain: SPF and DKIM feed into DMARC.
- Selector discovery: DKIM keys are stored at selector._domainkey.
- Alignment: DMARC depends on alignment with From domain.
- Explainability: Results must be clear for non-expert users.
2.2 Why This Matters
Most organizations misconfigure email authentication. A dashboard bridges the gap between technical records and actionable guidance.
2.3 Historical Context / Background
Email authentication has grown from SPF to DKIM to DMARC. Tooling is still fragmented and requires integration.
2.4 Common Misconceptions
- Misconception: A single SPF record is always enough. Reality: SPF can be valid but too permissive.
- Misconception: DKIM is present if a selector exists. Reality: Key format and size matter.
3. Project Specification
3.1 What You Will Build
A web application that accepts a domain, performs DNS queries for SPF/DKIM/DMARC, validates them, and displays a score with recommendations.
3.2 Functional Requirements
- Input domain and run SPF, DKIM selector checks, and DMARC validation.
- Display results in a dashboard with pass/fail indicators.
- Provide recommendations (e.g., use -all, add DMARC policy).
- Cache results with TTL to reduce repeated queries.
3.3 Non-Functional Requirements
- Performance: Render results in under 1 second after DNS.
- Reliability: Handle DNS timeouts and missing records.
- Usability: Clear UI and consistent scoring.
3.4 Example Usage / Output
Browser: http://localhost:5000/check/example.com
SPF: PASS (v=spf1 include:_spf.example.com -all)
DKIM: FOUND (selector1, selector2)
DMARC: PASS (p=reject)
Score: 92/100
Recommendations: tighten SPF if using ~all
3.5 Real World Outcome
You can audit domain authentication posture quickly and provide recommendations for deliverability and security.
4. Solution Architecture
4.1 High-Level Design
Web UI
-> API Endpoint
-> DNS Query Layer
-> SPF/DKIM/DMARC Evaluators
-> Score Engine
-> Cache
4.2 Key Components
| Component | Responsibility | Key Decisions |
|---|---|---|
| DNS Layer | Query TXT and MX | Add timeout and retry |
| Evaluators | SPF/DKIM/DMARC parsing | Reuse existing logic |
| Score Engine | Compute score | Transparent weighting |
| UI | Display results | Show raw records and hints |
4.3 Data Structures
class DomainReport:
def __init__(self, domain, spf, dkim, dmarc, score, hints):
self.domain = domain
self.spf = spf
self.dkim = dkim
self.dmarc = dmarc
self.score = score
self.hints = hints
4.4 Algorithm Overview
Key Algorithm: Scoring
- Start at 100.
- Deduct for missing SPF/DKIM/DMARC.
- Deduct for weak policy (~all or p=none).
- Output score and reasons.
Complexity Analysis:
- Time: O(n) for DNS lookups
- Space: O(1)
5. Implementation Guide
5.1 Development Environment Setup
python -m venv .venv
source .venv/bin/activate
python -m pip install flask dnspython
5.2 Project Structure
auth-dashboard/
├── app.py
├── dns.py
├── evaluators/
│ ├── spf.py
│ ├── dkim.py
│ └── dmarc.py
├── templates/
└── static/
5.3 The Core Question You’re Answering
“Is this domain configured for modern email authentication, and what should be improved?”
5.4 Concepts You Must Understand First
Stop and research these before coding:
- SPF syntax and lookup limits
- DKIM selectors and key sizes
- DMARC policy tags
- DNS TTL and caching
5.5 Questions to Guide Your Design
- How will you choose which DKIM selectors to test?
- How will you score a domain with partial auth?
- What is your caching strategy and TTL?
5.6 Thinking Exercise
If SPF passes but DMARC is missing, what should the dashboard score and recommend?
5.7 The Interview Questions They’ll Ask
- “How do SPF, DKIM, and DMARC relate?”
- “What is a good DMARC policy for a mature domain?”
- “Why is caching essential for DNS-heavy tools?”
5.8 Hints in Layers
Hint 1: Reuse your SPF/DKIM/DMARC logic
- Avoid reimplementing from scratch.
Hint 2: Provide raw DNS records
- Let users see exact data.
Hint 3: Keep recommendations simple
- Focus on clear, actionable changes.
5.9 Books That Will Help
| Topic | Book | Chapter |
|---|---|---|
| DNS | TCP/IP Illustrated Vol 1 | Ch. 11 |
| Email auth | RFC 7208/6376/7489 | key sections |
| Web basics | Flask docs | quickstart |
5.10 Implementation Phases
Phase 1: Foundation (4-5 days)
Goals:
- Build API and DNS layer
Tasks:
- Create endpoint /check/
. - Implement DNS TXT lookups.
Checkpoint: Returns raw records.
Phase 2: Core Functionality (1 week)
Goals:
- Add evaluators and scoring
Tasks:
- Parse and evaluate SPF/DKIM/DMARC.
- Compute score and hints.
Checkpoint: Score and hints displayed.
Phase 3: Polish and Edge Cases (4-5 days)
Goals:
- UI and caching
Tasks:
- Add HTML templates and styling.
- Implement TTL cache.
Checkpoint: Fast, usable dashboard.
5.11 Key Implementation Decisions
| Decision | Options | Recommendation | Rationale |
|---|---|---|---|
| Framework | Flask vs FastAPI | Flask | Simpler for UI |
| Cache | in-memory vs Redis | in-memory | Easier setup |
| DKIM selectors | static list vs discovery | static list | Practical and fast |
6. Testing Strategy
6.1 Test Categories
| Category | Purpose | Examples |
|---|---|---|
| Unit Tests | SPF/DKIM/DMARC parsing | tag parsing |
| Integration Tests | Real domains | google.com |
| Edge Case Tests | Missing records | no DMARC |
6.2 Critical Test Cases
- Domain with no DMARC shows warning.
- Weak SPF yields deduction.
- DKIM missing reports selector not found.
6.3 Test Data
_dmarc.example.com TXT "v=DMARC1; p=reject"
7. Common Pitfalls and Debugging
7.1 Frequent Mistakes
| Pitfall | Symptom | Solution |
|---|---|---|
| DNS rate limits | errors | cache and throttle |
| Misparsed TXT | wrong results | join TXT chunks |
| Overly strict scoring | low scores | adjust weights |
7.2 Debugging Strategies
- Display raw TXT records.
- Compare with external tools.
7.3 Performance Traps
- Re-querying DNS on every page load. Use TTL cache.
8. Extensions and Challenges
8.1 Beginner Extensions
- Add JSON API output.
- Add exportable reports.
8.2 Intermediate Extensions
- Implement selector discovery by brute force.
- Add MTA-STS and TLS-RPT checks.
8.3 Advanced Extensions
- Build multi-domain scanning and alerts.
- Add historical score tracking.
9. Real-World Connections
9.1 Industry Applications
- Security teams audit domain authentication.
- Deliverability teams track changes and regressions.
9.2 Related Open Source Projects
- dmarcian and mxtoolbox for comparisons
9.3 Interview Relevance
- Integrated auth evaluation and reporting are common in email security roles.
10. Resources
10.1 Essential Reading
- RFC 7208 - SPF
- RFC 6376 - DKIM
- RFC 7489 - DMARC
10.2 Video Resources
- Email authentication overview sessions
10.3 Tools and Documentation
- dnspython docs
10.4 Related Projects in This Series
11. Self-Assessment Checklist
11.1 Understanding
- I can explain SPF/DKIM/DMARC roles
- I understand selector discovery
- I can design a scoring system
11.2 Implementation
- Dashboard renders results correctly
- DNS caching works
- Recommendations are actionable
11.3 Growth
- I can extend to other email security standards
- I can communicate findings to non-technical users
12. Submission / Completion Criteria
Minimum Viable Completion:
- Show SPF, DKIM, DMARC status for a domain
Full Completion:
- Provide score and recommendations
Excellence (Going Above and Beyond):
- Add monitoring and historical tracking
This guide was generated from EMAIL_SYSTEMS_DEEP_DIVE_PROJECTS.md. For the complete learning path, see the parent directory.