Email Configuration bad results

Open Clemv95 opened this issue 1 year ago • 4 comments

I tried with my own domain. I have DMARC, SPF and DKIM, but web-check shows only SPF. I think this is because of the library used, dns, which only shows the TXT record of SPF for a reason that I don't know. Maybe change the library for DKIM and DMARC.

Clemv95 avatar Nov 28 '23 10:11 Clemv95

The issue comes in where dns.resolveTxt(domain) only looks at TXT records assigned to the domain. So for 'example.com' it will only show records aligning with 'example.com'. DMARC and DKIM are assigned to different DNS names, so for DKIM it is "selector._domainkey.example.com" and DMARC is (I believe) "_dmarc.example.com". Same for BIMI as it's scoped as well: "selector._bimi.example.com".

Getting DMARC should be relatively simple, in that it takes an additional request for this record @ "_dmarc." + domain. But for accurate BIMI and DKIM, the selector would need to be identified.

I don't think there's a way for node to get "._domainkey" for each domain in order to get all DKIM keys. Same is true for BIMI's need for "._BIMI". So without an additional piece of information, I think this tool will always provide red X for all DKIM/BIMI information.

traeblain avatar Dec 11 '23 20:12 traeblain

Is there a fix for this, or should it simply not be considered accurate?

hernanpopper avatar Feb 21 '24 22:02 hernanpopper

I agree with @traeblain. DMARC could be fixed quite easily but it's not possible to enumerate DKIM and BIMI selectors without using exhaustive search (basically brute-forcing all possible DKIM/BIMI selectors or using dictionary search).

@Lissy93 Considering these 3 metrics currently don't provide correct results, I would propose to at least remove DKIM and BIMI and to fix DMARC.

andreasbrett avatar Feb 29 '24 11:02 andreasbrett

I generally agree with the discussions of my predecessors. For DMARC and BIMI, at least the standard values should be parsed (v=DMARC1 and v=BIMI1). The situation with DKIM is somewhat more complicated without the information about which selector the entry corresponds to. To find this out, I will at least use the most common selectors from mail providers (google, gogle1024, google2048...) and so on. Various lists circulate on the internet that offer at least a starting point for this. If there is no match, then a notification should be issued that either the selector does not exist or cannot be found. I must also say that I am very pleased with the project, and even now, it provides a wealth of information.

Ech0b1t avatar Mar 08 '24 11:03 Ech0b1t
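
The per-name lookups discussed in this thread, as an added example that is not part of the issue or of web-check's code: SPF is read from the domain itself, DMARC from `_dmarc.`, DKIM from caller-supplied candidate selectors, and a note is returned when no selector matches. The function names, the injected `resolveTxt` parameter and the use of `default` as the BIMI selector are assumptions of this sketch.

```javascript
// Added example; function names and the sample selectors are assumptions.
const VERSION = { spf: /^v=spf1(\s|$)/i, dmarc: /^v=DMARC1\s*(;|$)/i, bimi: /^v=BIMI1\s*(;|$)/i };

// A DKIM key record may omit v=, but if present it must be DKIM1; p= is required.
function isDkimKey(r) {
  return (!/^v=/i.test(r) || /^v=DKIM1\s*(;|$)/i.test(r)) && /(^|;)\s*p=/.test(r);
}

// resolveTxt returns string[][]: one array of chunks per TXT record. Long values
// such as 2048-bit DKIM keys are split into chunks, so join before matching.
// Matching on the version tag also rejects wildcard TXT answers of another type.
function findRecord(kind, records) {
  const joined = records.map((chunks) => chunks.join('').trim());
  const match = kind === 'dkim' ? isDkimKey : (r) => VERSION[kind].test(r);
  return joined.find(match) || null;
}

// Only SPF lives on the domain itself; every other mechanism has its own name.
function queryPlan(domain, dkimSelectors, bimiSelectors = ['default']) {
  return [
    { kind: 'spf', name: domain },
    { kind: 'dmarc', name: `_dmarc.${domain}` },
    ...dkimSelectors.map((s) => ({ kind: 'dkim', name: `${s}._domainkey.${domain}` })),
    ...bimiSelectors.map((s) => ({ kind: 'bimi', name: `${s}._bimi.${domain}` })),
  ];
}

// resolveTxt is injected; in Node pass require('dns').promises.resolveTxt.
async function checkEmailDns(domain, resolveTxt, dkimSelectors) {
  const result = { spf: null, dmarc: null, bimi: null, dkim: {}, dkimNote: null };
  for (const { kind, name } of queryPlan(domain, dkimSelectors)) {
    let records = [];
    try {
      records = await resolveTxt(name);
    } catch (err) {
      // A missing name is an expected answer here; anything else is a real failure.
      if (!['ENOTFOUND', 'ENODATA'].includes(err.code)) throw err;
    }
    const hit = findRecord(kind, records);
    if (kind !== 'dkim') result[kind] = hit;
    else if (hit) result.dkim[name] = hit;
  }
  if (Object.keys(result.dkim).length === 0) {
    result.dkimNote = 'No DKIM key at the selectors tried: selector unknown or record absent';
  }
  return result;
}
```

For a domain you operate, the selector actually in use appears in the `s=` tag of the `DKIM-Signature` header of any message the domain has sent, which removes the need to guess.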