Email Headers Verification

Email headers verify library

This library helps determine whether an email message was really sent by the author named in its From field.

Why do I need this?

  1. To automate a service that handles a lot of incoming email messages.
  2. To improve quality of service and stop spam messages before they reach the customer's inbox.
  3. To have personal communication only with trusted people.
  4. To be able to warn customers about potentially misleading messages.

Verification process

The verification process is separated into several independent steps:

  1. DKIM signature verification
  2. SPF records check
  3. SMTP user request

If you want the strictest rules, trust only email messages for which all three methods return positive results. Otherwise, feel free to use a combination of methods, depending on your requirements.

DKIM verification

This type of verification finds all DKIM-Signature headers in the message and verifies them according to RFC 4871.

use EmailService\EmailService;

require __DIR__ . '/src/autoload.php';

// Message to verify, here taken from the POST body.
$message      = $_POST['message'];
$emailService = new EmailService();
// Checks every DKIM-Signature header found in the message.
$result       = $emailService->validateDkim($message);

The result contains the status of each DKIM header and a total status, which is false if any of the headers did not pass the test:

array(2) {
    ["total"] => true
    ["result"] => 
    array(1) {
        [0] =>
        array(1) {
          [0] =>
          array(2) {
              ["status"] => "PASS"
              ["reason"] => "Success!"
            }
        }
    }
}

In case of error:

array(2) {
    ["total"] => false
    ["result"] => 
    array(1) {
        [0] =>
        array(1) {
          [0] =>
          array(2) {
              ["status"] => "PERMFAIL"
              ["reason"] => "signature did not verify (gmail.com key #0)"
            }
        }
    }
}

SPF record check

The SPF record check verifies whether the sender's IP address belongs to the list of IPs in the SPF DNS record of the sender's domain. Domains are taken from the From and Return-Path headers. The IP is taken from the Received header.

use EmailService\EmailService;

require __DIR__ . '/src/autoload.php';

// Message to verify, here taken from the POST body.
$message      = $_POST['message'];
$emailService = new EmailService();
// Compares the IP from Received with the SPF records of the From and Return-Path domains.
$result       = $emailService->validateSpf($message);

The response array will contain results for each IP and domain.

array(3) {
    ["total"] => true
    [0] => 
    array(3) {
        ["ip"] => "94.100.176.158"
        ["domain"] => "gmail.com"
        ["status"] => false
    }
    [1] =>
    array(3) {
        ["ip"] => "209.85.212.178"
        ["domain"] => "gmail.com"
        ["status"] => true
    }
}

The total result is considered true if at least one of the SPF records includes the IP address being checked.

SMTP user request

This method sends a request to the sender's SMTP server to check whether the user who sent the message exists on that server.

use EmailService\EmailService;

require __DIR__ . '/src/autoload.php';

// Message to verify, here taken from the POST body.
$message      = $_POST['message'];
$emailService = new EmailService();
// Asks the sender's SMTP server about each user from From and Return-Path.
$result       = $emailService->validateSmtp($message);

The result contains information about each user from the From and Return-Path headers. If all the users exist, total is true; otherwise it is false.

array(2) {
    ["total"] => true
    ["result"] => 
    array(1) {
        ["john.appleseed@gmail.com"] => true
    }
}
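
The combination rule from the verification process section, applied to the three result arrays shown above. This is an added example, not code from the library: trustVerdict() and its $required parameter are hypothetical names, and the sample arrays are constructed from the outputs printed on this page.

```php
<?php
// Added example: fold the three result arrays (shapes as printed on this page)
// into one verdict. trustVerdict() and $required are hypothetical names.
function trustVerdict(array $dkim, array $spf, array $smtp, array $required = ['dkim', 'spf', 'smtp']): array
{
    $totals = [
        'dkim' => $dkim['total'] ?? false,
        'spf'  => $spf['total'] ?? false,
        'smtp' => $smtp['total'] ?? false,
    ];
    $reasons = [];
    // DKIM: "result" is nested, one list of checks per DKIM-Signature header.
    foreach ($dkim['result'] ?? [] as $header) {
        foreach ($header as $check) {
            if (($check['status'] ?? '') !== 'PASS') {
                $reasons[] = 'dkim: ' . ($check['reason'] ?? 'unknown');
            }
        }
    }
    // SPF: numeric keys hold one entry per (ip, domain) pair, next to "total".
    foreach ($spf as $key => $entry) {
        if (is_int($key) && empty($entry['status'])) {
            $reasons[] = "spf: {$entry['ip']} not listed for {$entry['domain']}";
        }
    }
    // SMTP: "result" maps each address to whether the server confirmed it.
    foreach ($smtp['result'] ?? [] as $address => $exists) {
        if (!$exists) {
            $reasons[] = "smtp: {$address} not confirmed by server";
        }
    }
    // Trusted only if every required method has a total of exactly true.
    $trusted = true;
    foreach ($required as $method) {
        $trusted = $trusted && (($totals[$method] ?? false) === true);
    }
    return ['trusted' => $trusted, 'totals' => $totals, 'reasons' => $reasons];
}

// Constructed inputs mirroring the sample outputs on this page.
$dkim = ['total' => false, 'result' => [[['status' => 'PERMFAIL',
         'reason' => 'signature did not verify (gmail.com key #0)']]]];
$spf  = ['total' => true,
         0 => ['ip' => '94.100.176.158', 'domain' => 'gmail.com', 'status' => false],
         1 => ['ip' => '209.85.212.178', 'domain' => 'gmail.com', 'status' => true]];
$smtp = ['total' => true, 'result' => ['john.appleseed@gmail.com' => true]];

var_dump(trustVerdict($dkim, $spf, $smtp));                   // strictest rule: all three
var_dump(trustVerdict($dkim, $spf, $smtp, ['spf', 'smtp']));  // a relaxed combination
```

The reasons list keeps per-entry failures even when a method's total is true, as with the first SPF entry here.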

Tips

For better and faster results, it is recommended to run the script on a machine with correct DNS records. Otherwise the validateSmtp() method might return a false negative result.

© 2015 Ilya Tsarev

Appreciated on February 7th, 2015