Easily list mail DNS records via this PowerShell script


I get to investigate quite a few mail environments in my work as a consultant. At a certain point you see some patterns emerging. One of those patterns is the correct configuration of mail-related DNS records. It's one of the first things I check when I look at an unfamiliar environment. I have talked about this anti-spoofing topic on numerous occasions. I would compare it to a ping test when there are network issues.

For several years I have worked on a simple PowerShell script that quickly lists the MX, SPF and DMARC DNS records, and recently I added some DKIM selector checks as well. Checking the DNS configuration by hand is a bit of a hassle, so I decided to share this script publicly. I hope it will help with the correct configuration of those records and limit mail issues and spoofing.

You can download the script at GitHub.

The script can also list all your domains for you when run from Exchange (Remote) PowerShell: it automatically checks every accepted domain, whether on-premises or in the cloud. If you can't connect to an Exchange environment, you can specify a single mail domain from a plain PowerShell session.

Screenshot: example script output for one specific domain, listing the MX, SPF and DMARC records and the presence of DKIM records.
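To show the kind of lookups the script performs, here is an added example (not the script from the GitHub repository) that resolves the MX, SPF, DMARC and DKIM selector records for one domain with Resolve-DnsName. The selector list is an assumption for illustration; selector1 and selector2 are the Exchange Online defaults, the rest are guesses you would replace with your own.

```powershell
# Added example, not the author's script. Requires Resolve-DnsName (DnsClient module on Windows).
function Get-MailDnsRecords {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        # DKIM selectors to probe (assumed list for illustration)
        [string[]] $DkimSelectors = @('selector1', 'selector2', 'default', 'google')
    )

    # MX: which hosts receive mail for the domain, lowest preference first
    $mx = Resolve-DnsName -Name $Domain -Type MX -ErrorAction SilentlyContinue |
        Where-Object { $_.QueryType -eq 'MX' } |
        Sort-Object Preference |
        ForEach-Object { "$($_.Preference) $($_.NameExchange)" }

    # SPF: a TXT record at the apex starting with v=spf1 (exactly one is expected)
    $txt = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { $_.QueryType -eq 'TXT' } |
        ForEach-Object { $_.Strings -join '' }
    $spf = @($txt | Where-Object { $_ -match '^v=spf1\b' })

    # DMARC: a TXT record at _dmarc.<domain> starting with v=DMARC1
    $dmarc = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { $_.QueryType -eq 'TXT' } |
        ForEach-Object { $_.Strings -join '' } |
        Where-Object { $_ -match '^v=DMARC1\b' }

    # DKIM: each selector is published at <selector>._domainkey.<domain>, as TXT or via CNAME;
    # any answer counts as "present", NXDOMAIN (no answer) as absent
    $dkim = foreach ($s in $DkimSelectors) {
        $answer = Resolve-DnsName -Name "$s._domainkey.$Domain" -Type TXT -ErrorAction SilentlyContinue
        [pscustomobject]@{ Selector = $s; Present = [bool]$answer }
    }

    [pscustomobject]@{
        Domain         = $Domain
        MX             = $mx
        SPF            = $spf
        SpfRecordCount = $spf.Count   # anything other than 1 is a misconfiguration
        DMARC          = $dmarc
        DkimSelectors  = $dkim
    }
}

# Single domain from a plain PowerShell session:
Get-MailDnsRecords -Domain 'example.com' | Format-List

# From an Exchange (Remote) PowerShell session, check every accepted domain:
# Get-AcceptedDomain | ForEach-Object { Get-MailDnsRecords -Domain $_.DomainName }
```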

You still have to do the work of improving the environment where required, but I found this tool immensely helpful; it takes some of the burden away, as a PowerShell script should. Feel free to leave comments, issues, feature requests and the like. I have some things I want to add, such as DANE and MTA-STS, among others.

It's the first time I've published a script of mine publicly, so my GitHub page might be rough 😉

5 comments

  • Very good script! Maybe better to use $AcceptedDomains = (Get-AcceptedDomain).domainname on line 129? Now it picks up the Name of the Accepted Domain and not the Domain name. Name can be something other than the Domain name in some Exchange environments.

    Reply
    • Oh yes, that's certainly better! I thought I had fixed that but will do that soon. Not something that is triggered in my environments, as I keep the name and domain value the same. But you are right, it doesn't have to.
      Thanks for catching that and reporting it!

      Reply
  • Phil Pennock

    Neat to see; in case it helps, I have a bash script, "dns-email", which does much the same, with a few more checks thrown in:
    https://gist.github.com/philpennock/43bb5aabd2537064f3557c4519bbb0cf

    Rather less color (can get it for errors with -c); invoke script -h to see usage.

    Reply
