Skip to main content


This Script is part of the Phishing Pack.#

Checks the authenticity of an email based on the email's SPF, DMARC, and DKIM.

Script Data#

Script Typepython3
Tagsphishing, ews, email
Cortex XSOAR Version5.0.0

Used In#

This script is used in the following playbooks and scripts.

  • Agari Message Remediation - Agari Phishing Defense
  • Email Headers Check - Generic
  • Phishing - Generic v3
  • Phishing Investigation - Generic v2
  • Report Categorization - Cofense Triage v3


Argument NameDescription
headersA list of dictionaries of headers in the form of "Header name":"Header value".
original_authentication_headerThe header that holds the original Authentication-Results header value. This can be used when an intermediate server changes the original email and holds the original header value in a different header. Note - Use this only if you trust the server creating this header.
SPF_override_noneOverride value for SPF=None.
SPF_override_neutralOverride value for SPF=neutral.
SPF_override_passOverride value for SPF=pass.
SPF_override_failOverride value for SPF=fail.
SPF_override_softfailOverride value for SPF=softfail.
SPF_override_temperrorOverride value for SPF=temperror.
SPF_override_permerrorOverride value for SPF=permerror.
DKIM_override_noneOverride value for DKIM=none.
DKIM_override_passOverride value for DKIM=pass.
DKIM_override_failOverride value for DKIM=fail.
DKIM_override_policyOverride value for DKIM=policy.
DKIM_override_neutralOverride value for DKIM=neutral.
DKIM_override_temperrorOverride value for DKIM=temperror.
DKIM_override_permerrorOverride value for DKIM=permerror.
DMARC_override_noneOverride value for DMARC=none.
DMARC_override_passOverride value for DMARC=pass.
DMARC_override_failOverride value for DMARC=fail.
DMARC_override_temperrorOverride value for DMARC=temperror.
DMARC_override_permerrorOverride value for DMARC=permerror.


Email.SPF.MessageIDSPF IDString
Email.SPF.Validation-ResultValidation Result. Possible values are "None", "Neutral", "Pass", "Fail", "SoftFail", "TempError", and "PermError".String
Email.SPF.ReasonReason for the SPF result, which is located in the headers of the email.String
Email.SPF.Sender-IPEmail sender IP address.String
Email.DKIM.Message-IDDKIM ID.String
Email.DKIM.ReasonDKIM reason (if found).String
Email.DMARC.Message-IDDMARC ID.String
Email.DMARC.Validation-ResultDMARC reason. Possible values are "None", "Pass", "Fail", "Temperror", and "Permerror".String
Email.DMARC.TagsDMARC Tags (if found)String
Email.DMARC.From-DomainSender's DomainString
Email.DKIM.Signing-DomainSender's DomainString
Email.AuthenticityCheckPossible values are be: Fail / Suspicious / Undetermined / PassUnknown
Email.DKIMDKIM information extracted from the email.Unknown
Email.SPFSPF information extracted from the email.Unknown
Email.DMARCDMARC information extracted from the email.Unknown
Email.DKIM.Validation-ResultValidation result. Possible values are "None", "Pass", "Fail", "Policy", "Neutral", "Temperror", and "Permerror".Unknown