Validating e

[M.O.S. Studios]

Hey everyone,

 

I am piping email to a php scripts. I am doing this to automate some processes.

I would like to program the script to check the email of the sender, and delete any that are not on an approved list.

Is there a way to validate the email isn't spoofed? I’d like to make sure the email is actually from the domain they claim to be from

 

Thanks in advance!

[requinix]

No, there's no way to authenticate an email like that. Maybe if the protocol had been designed within the last decade or so they would have considered that, but right now, the identities behind email accounts are entirely unknowable.

The best you can do is what I'm sure you've seen other sites do: send the email with a confirmation code or link and have the user enter/click that so you know they received it.

[M.O.S. Studios]

8 hours ago, requinix said:

No, there's no way to authenticate an email like that. Maybe if the protocol had been designed within the last decade or so they would have considered that, but right now, the identities behind email accounts are entirely unknowable.

The best you can do is what I'm sure you've seen other sites do: send the email with a confirmation code or link and have the user enter/click that so you know they received it.

Thanks for the reply.

 

That's unfortunate. I am not using it as a client e-mail validator. Here in Canada, we use E-transfer for payments. Essentially, people can send you money all they need to know is your email. It's pretty awesome. When you receive payment; you get an email from Interac (it's like Visa, but only for debit transactions).

I plan to have a dedicated email for E-transfers and pipe all incoming e-mails to a PHP script. When Interact sends a confirmation email; the php program will automatically mark the order as paid. My concern is that someone could easily spoof an email like that. So I was hoping there was a way to validate the email

[requinix]

...Oh wait, you want to validate the sender? I completely misunderstood what you were asking for.

Good news: validation of an email's sender is more or less a solved problem with SPF and DKIM records. It's up to the sender to opt-into those things, but if they do, emails passing validation can be pretty confidently attributed to that sender.
So check if your emails are being validated like that - which they really ought to be, and I'd be surprised if they weren't. If so then you should be able to retrieve that validation information through PHP.

[M.O.S. Studios]

50 minutes ago, requinix said:

...Oh wait, you want to validate the sender? I completely misunderstood what you were asking for.

Good news: validation of an email's sender is more or less a solved problem with SPF and DKIM records. It's up to the sender to opt-into those things, but if they do, emails passing validation can be pretty confidently attributed to that sender.
So check if your emails are being validated like that - which they really ought to be, and I'd be surprised if they weren't. If so then you should be able to retrieve that validation information through PHP.

Yeah, That's so amazing to hear. Do you have any libraries you can recommend? When I look up this topic, the majority of stuff is about validating the content of an outgoing email, as opposed to what I am looking for.

[requinix]

It'll depend on your email provider. For example, Gmail adds headers to the message detailing its attempt to authenticate the sender. These are from an email from GitHub:

ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@github.com header.s=pf2023 header.b=bHsZs+1u;
       spf=pass (google.com: domain of noreply@github.com designates 192.30.252.210 as permitted sender) smtp.mailfrom=noreply@github.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=github.com
Received-SPF: pass (google.com: domain of noreply@github.com designates 192.30.252.210 as permitted sender) client-ip=192.30.252.210;

Here, you'd retrieve the full message from Gmail and then look for those headers.

[M.O.S. Studios]

45 minutes ago, requinix said:

It'll depend on your email provider. For example, Gmail adds headers to the message detailing its attempt to authenticate the sender. These are from an email from GitHub:

ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@github.com header.s=pf2023 header.b=bHsZs+1u;
       spf=pass (google.com: domain of noreply@github.com designates 192.30.252.210 as permitted sender) smtp.mailfrom=noreply@github.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=github.com
Received-SPF: pass (google.com: domain of noreply@github.com designates 192.30.252.210 as permitted sender) client-ip=192.30.252.210;

Here, you'd retrieve the full message from Gmail and then look for those headers.

Sorry, I meant can you recommend a good php library that can verify its not a spoof once I get the headers.

[requinix]

A library for a one-line regular expression?

One step at a time. Get the headers first, then see exactly what you have to work with.

[M.O.S. Studios]

10 minutes ago, requinix said:

A library for a one-line regular expression?

One step at a time. Get the headers first, then see exactly what you have to work with.

Is it really just regex? That’s way easier than I thought it was going to be.

 

I assumed I needed to grab some kind of address, then verify it using a service.

 

thanks! I will look more into this andmuodate the post 

 

 

[M.O.S. Studios]

Ok! So I have been doing the following research:

1. I watched this video to understand how these protocols work
2. I took a look at the headers you posted
3. I sent my php script some real, and spoofed emails

I now have a better understanding of what you were explaining to me.

My email server does all the checking for me and puts the results into the header of the email.

 

All I need to do is create a php script that checks the headers to see if it passed. Thus the regex code.

 

Is that correct?

[Danishhafeez]

es, you can implement several methods to help verify that an email isn't spoofed and that it's from the claimed domain. Here are a few techniques you can use:

SPF (Sender Policy Framework): SPF allows the domain owner to specify which mail servers are allowed to send email on behalf of their domain. You can check if the sender's IP address is listed in the SPF record of the claimed domain.

DKIM (DomainKeys Identified Mail): DKIM adds a digital signature to the email headers, which can be verified against a public key published in the DNS records of the claimed domain.

 

Best Regard

Danish hafeez | QA Assistant

ICTInnovations

[requinix]

9 hours ago, M.O.S. Studios said:

All I need to do is create a php script that checks the headers to see if it passed. Thus the regex code.

Is that correct?

Probably, yes. Like I said, get yourself the email and headers in your PHP code and see what you have to work with. If the headers include the results of your provider validating the email, like apparently it does, then that's all you need to do and there's no need for what ChatGPT said about verifying it yourself.

[gizmola]

19 hours ago, M.O.S. Studios said:

Ok! So I have been doing the following research:

1. I watched this video to understand how these protocols work
2. I took a look at the headers you posted
3. I sent my php script some real, and spoofed emails

I now have a better understanding of what you were explaining to me.

My email server does all the checking for me and puts the results into the header of the email.

All I need to do is create a php script that checks the headers to see if it passed. Thus the regex code.

Is that correct?

 

Yes, however, people can actually use a DMarc configuration to just flat out reject or quarantine emails that fail SPF or DKIM validation.  

The other thing to do is to make sure all the domains lineup, so that the user@domain of the email matches the domain check for SPF and DKIM.

[M.O.S. Studios]

function spamTest($header){

$output_array = preg_grep('/^(X-Spam-Score:)\s([-+]?\d{1,3}\.\d)?/i', explode("\n", $header));

list($xSpamScore, $score) = explode(": ", $output_array[array_key_first($output_array)]);

return ($score < 5);

}

I ran the email header into this and it seems to work.