0

How To Use Nslookup To Check DMARC Record

One of my customers wanted to verify their Domain Based Message Reporting Conformance (DMARC) record, and followed the post How To Use Nslookup To Check DNS TXT Record but ran into issues. They were not seeing any results.  Hmm strange; the DMARC record had been created and was visible in online diagnostic tools.  Why was it not showing up for them in a manual check?

The below is an example of what they saw.

Note that the query type is set to TXT and then we query the tailspintoys.ca domain for it’s record types.  The default DNS server was used in this example and can be easily changed with the SERVER option.

set q=txt
tailspintoys.ca

Querying TXT Records Using NSLookup

TL;DR  What Went Wrong?

In short, the wrong syntax was used. DMARC records are published into DNS with a subdomain label of _DMARC.  This means that the DMARC record for the tailspintoys.ca domain will be located in:
_DMARC.tailspintoys.ca

As mentioned in How To Check Exchange Autodiscover SRV Record Using Nslookup, there are two ways to run nslookup – interactive and noninteractive.  Noninteractive is good when you know that you only want to query a single piece of data.  Interactive allows multiple queries using a single instance of nslookup, and options can be toggled on and off as needed.  Examples of both methods are below.

 

Interactive

In this interactive example we enter into nslookup and then set the query type to be txt.

nslookup.exe
set q=txt
_DMARC.tailspintoys.ca

NSLOOKUP In Interactive Mode To Query DMARC Record

 

Non-Interactive

For this example a single command is issued that will perfom the query directly from the cmd shell.

NSLookup.exe -q=txt  _DMARC.Tailspintoys.ca

NSLOOKUP In Non-Interactive Mode To Query DMARC Record

NB - Common Issue

Note that we need to specify the TXT option as that is the record type used for DMARC records as per the specification in RFC 7489.
If we fail to do so, then nslookup defaults to A+AAAA record look up which will not find the DMARC TXT record.

image

A+AAAA – this allows nslookup to query for both IPv4 and IPv6 A records rather than have to specify both.

If you receive an error saying "Invalid Option" when specifying the record type, ensure that the q in "q=txt" is entered in lower case.  Windows does not have many case sensitivity things, but that is one of them.

Cheers,

Rhoderick

Rhoderick Milne [MSFT]

Leave a Reply

Your email address will not be published.