Skip to content

feat: broaden email-auth checker + paste-ready fixes#85

Open
goetchstone wants to merge 1 commit into
mainfrom
feat/domain-health-checks
Open

feat: broaden email-auth checker + paste-ready fixes#85
goetchstone wants to merge 1 commit into
mainfrom
feat/domain-health-checks

Conversation

@goetchstone

Copy link
Copy Markdown
Owner

What

Broadens /tools/dmarc-check from "DMARC/SPF/DKIM" into a fuller email-auth pass, so one run qualifies a domain end-to-end. Same URL — today's JSON-LD/OG work keeps its equity.

New checks — all pure DNS, no new attack surface

MTA-STS (_mta-sts), TLS-RPT (_smtp._tls), BIMI (default._bimi). Reported as optional hardening and deliberately not scored — a domain without BIMI isn't insecure, it's just not decorated.

DMARC, done properly

  • Parses pct / sp, and detects multiple DMARC records (which receivers must ignore — publishing two is worse than one).
  • The score now gates on real enforcement: p=reject; pct=0 or p=reject; sp=none no longer reads "Strong" while enforcing nothing.

Paste-ready fixes

Every gap emits the exact DNS record for that domain, tailored to the detected provider (Google → include:_spf.google.com, M365 → include:spf.protection.outlook.com), each with a copy button.

Verified

  • 73 tests pass (28 in dmarc-dns — incl. the pct=0, sp=none, multi-record cases, and prototype-pollution safety on tag parsing, since TXT keys are attacker-supplied)
  • tsc --noEmit + npm run build clean
  • Live run against akritos.com: score 100, DMARC p=quarantine enforcing=true, DKIM found via the dreamhost selector, and it correctly flagged MTA-STS/TLS-RPT as missing and generated both records.

Also: added MailChannels to MX detection (verified — it's akritos.com's actual MX), and dropped the unreachable DKIM warn branch that tsc surfaced once the type was made honest.

Not in this pass — deliberately

DNSSEC (needs DNS-over-HTTPS), the MTA-STS policy file, TLS cert expiry, and security headers all require our server to make outbound requests to a user-supplied host — a real SSRF surface that deserves its own pass with proper guards, not a bolt-on.

🤖 Generated with Claude Code

Adds MTA-STS/TLS-RPT/BIMI, parses DMARC pct/sp so a reject-at-pct=0
record stops scoring Strong, and emits paste-ready DNS records per
gap — the lead-qualifying pass in one run.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant