js.org icon indicating copy to clipboard operation
js.org copied to clipboard
verified publisher icon js-org

Email Security policies

Open dotBATmanNO opened this issue 3 months ago • 6 comments

What: js.org and (many of) its subdomains fail to restrict attackers from sending fraudulent e-mails.

Why: The main js.org domain has a DMARC policy of "none" Subdomains, such as npm.js.org, fail to specify both SPF and DMARC

Impact Fraudulent e-mails can have an impact on

  • Integrity; The attackers can exploit the trust js.org (and subdomains) holds with all of the contributors, this trust could deteriorate.
  • Availability; Sites that have been abused for spam or phishing will be blocked in spam filters, this could trigger the domains to be blocked by firewalls as "malicious".

More information: A lot of resources offer strong advice on e-mail security policies, One such service is https://internet.nl

  • Tests: https://internet.nl/mail/js.org/1609358/, https://internet.nl/mail/npm.js.org/1609360/
  • Knowledge base: https://internet.nl/faqs/mailauth/

dotBATmanNO avatar Sep 12 '25 10:09 dotBATmanNO

👀 I don't believe we allow any MX records, and therefore any mail, on JS.org subdomains. I wonder if we should add a wildcard record for SPF/DMARC to indicate as such, @indus?

MattIPv4 avatar Sep 12 '25 16:09 MattIPv4

@MattIPv4 you are correct - there are only a very small number of adresses to receive email but not to send.

I have just added those two records to JS.ORGs zonefile:

Type Name Value
TXT @ v=spf1 -all
TXT _dmarc v=DMARC1; p=reject; pct=100; rua=mailto:re+···········@dmarc.postmarkapp.com; sp=reject; aspf=s;

I confirmed that [email protected] still receives emails, but I’m not entirely sure how to verify that this change fully resolves the security issue. Since I don’t have deep knowledge of the subject (and honestly don’t want to go through all the reference material), I’ll have to rely on AI—or your judgment, @dotBATmanNO.

indus avatar Sep 12 '25 20:09 indus

Thanks for a very fast response to this Issue, apologies for the late reply.

First:

  • You are stepping up DMARC to a very strong level, this will impact outgoing email - hopefully only spoofed email. This should not be a problem if you do not send emails from here.
  • DMARC is setup to allow hardening over time, a recommended approach is to go from p=none through p=quarantine before you end up at p=reject.
  • Also, the best practice is to step up the pct from 0 to 100 in increments as long as the DMARC reports are not indicating any legitimate emails being rejected.

With that said, if you are not worried about blocking any outbound emails, I want to note that the new TXT record for _dmarc is enveloped in curly brackets { }, this unfortunately invalidates the record. If you remove those you should have a much stronger set of email policies in place.

Please let me know if I can assist in any other way. And thanks again for your prompt response!

dotBATmanNO avatar Sep 14 '25 12:09 dotBATmanNO

@dotBATmanNO Thanks for your help with this. Regarding your first points - there are no outbound emails at all. So to my understanding going to the strictest settings directly shoudl be fine.

I can't really explain why you have seen curly brackets. But I just noticed that I had two _dmarc records in the zonefile - maybe thats the reason. I've now changed that and regarding this tool it should be fine: https://mxtoolbox.com/SuperTool.aspx?action=dmarc%3ajs.org&run=toolpage

Thanks for pointing me to this issue.

indus avatar Sep 14 '25 16:09 indus

I see the policies in place and working now. Super! (The "curly brackets" I mentioned was my script returning an array of two _DMARC records which, as you noticed, is not supported.)

With your new DMARC policy in place I would recommend looking at the Cloudflare DMARC console if there are any reported issues.

You should see reports of anyone trying to send emails from js . org.

  • Visibility into abuse: The DMARC console will let you know if someone is trying to spoof your domain.
  • Feedback loop: If legitimate services accidentally send email using your domain (e.g., misconfigured third-party tools), you will be alerted and can correct the issue

dotBATmanNO avatar Sep 15 '25 10:09 dotBATmanNO

@dotBATmanNO informed me via email that the new setup is still insufficent when it comes to subdomains:

Problem

  • Stronger email security policies for js.org don’t apply to subdomains → open to abuse.
  • Cloudflare DMARC management only supports apex domains.
  • SPF records aren’t inherited → must be set per subdomain.

Proposal

  • Keep DMARC on apex.
  • Remove inherited subdomain policy.
  • Add SPF + DMARC individually per subdomain

As this would require an automatic process to keep the overhead reasonable I put this on hold for now.

indus avatar Sep 17 '25 14:09 indus