domain-security-scanner icon indicating copy to clipboard operation
domain-security-scanner copied to clipboard

Published 20 hours ago verified publisher icon GlobalCyberAlliance

GCA Intern: Improve DMARC and SPF advice

Open SeanM-temp opened this issue 1 year ago • 3 comments
trafficstars

Adds additional checks for DMARC and SPF records. DMARC -Check for v=DMARC1 -Check for p= tag -Verify akim and aspf values SPF -Warning for ptr mechanism -Check for exceeding dns lookup limit

SeanM-temp avatar Jul 24 '24 12:07 SeanM-temp

Hey @SeanM-temp, great first PR!

Your DMARC improvements are appreciated; I used your PR as an opportunity to flesh out the existing DMARC tests :)

Your SPF improvements are a good start, though I think the existing functionality can be improved (use the DMARC function as a starting point). Additionally, your "10 DNS lookup limit" advice is actually slightly misunderstood. This limit refers to the DNS lookups needed to validate the SPF record, not the quantity of keys found within the record.

If you're able to improve this validation further, I'll happily merge this :)

wolveix avatar Jul 24 '24 16:07 wolveix

Thanks for the changes, @SeanM-temp!

The existing separation of the advisor and scanner packages does make validating the number of SPF host lookups difficult. The advisor package shouldn't import scanner; however, the custom DNS implementation being outside of the scanner package is difficult. I'll find some time to properly look over your implementation, and see whether we can improve it :)

wolveix avatar Jul 30 '24 18:07 wolveix

Hey @SeanM-temp, apologies that this hasn't been properly reviewed and/or merged yet! I intend to look over it soon :)

wolveix avatar Sep 14 '24 19:09 wolveix