Skip to content

Latest commit

 

History

History
978 lines (668 loc) · 21.8 KB

CHANGELOG.md

File metadata and controls

978 lines (668 loc) · 21.8 KB

Changelog

5.7.9

  • Add an error message to ["bimi"]["image]["error"] instead of ["bimi"]["warnings"] when a BIMI image download fails
  • Add an error message to ["bimi"]["certificate]["error"] instead of ["bimi"]["warnings"] when a BIMI certificate download fails

5.7.8

  • Move SVG validation errors from ["bimi"]["warnings"] to ["bimi"]["image"]["validation_errors"] (#150)

5.7.7

  • Fix VMC validation errors not appearing (close #149)

5.7.6

  • Fix crash when trying to output to CSV format

5.7.5

  • Fix BIMI lookup for subdomains that do not have a BIMI record (fixes #148)

5.7.4

  • Add additional checks for tiny-ps SVG requirements

5.7.3

  • BIMI images and mark certificates
    • Better error handling
    • Simplified warning messages
    • sha256_hash output fields renamed to sha256

5.7.2

  • Account for float SVG sizes

5.7.1

  • Properly parse a certificate SAN
  • Certificate warnings fire properly
  • Make the expires timestamp more readable

5.7.0

checkdmarc will now validate Verified Mark Certificates (VMCs) and Common Mark Certificates (CMC), snd will verify that SHA256 hash of the logo embedded in the certificate matches the SHA256 hash logo at the URL at the BIMI l tag.

Additionally, SVG and certificate metadata is now included in the checkdmarc.bimi.parse_bimi_record() API and JSON CLI output.

5.6.2

  • Add a warning when BIMI records do not provide a mark certificate
  • Ude the correct dependency (xmltodict, not xml2dict)

5.6.1

  • Fix SVG base profile detection

5.6.0

  • Automatically check for a BIMI DNS record at the default selector when using the CLI
  • Fix parsing of BIMI record tags when they are separated by a ; without a space
  • Validate the file at the URL in the BIMI l tag value
    • Must be an SVG file
    • The SVG version must be 1.2
    • The SVG base profile must be tiny-ps
    • The SVG dimensions must be square
    • The file size must not exceed 32 KB

Note: This does not currently include certificate validation.

5.5.1

  • SPF record validation fixes (PR #147)
    • Accept mechanisms with domains that start with all (Fixes #145)
    • Ignore multiple trailing mechanisms and random text with spaces

5.5.0

  • Support redirect in SPF (PR #144)

5.4.0

  • Fix TLS/STARTTLS check (Fixes issue #138)
  • Consider tls: true if starttls: true
  • Handle records not existing if ignoring unrelated records (PR #131 fixes #130)
  • Query the base domain if a DMARC record is not found at the subdomain (PR #132)
  • Do not accept include= in the SPF record (PR #134 fixes issue #134)
  • Fix DNSSEC cache (PR #136 Fixes issue #137)
  • Fixed checking whether there is some text after all SPF directive (PR #139)

5.3.1

  • Ignore UnicodeDecodeError exceptions when querying for TXT records (close #124)

5.3.0

  • Check DNSSEC on MX hostnames
  • USE DNSSEC when requesting DNSKEY records

5.2.7

  • Do not require an RRSIG answer when querying for DNSKEY records
    • On Windows and macOS, querying for a DNSKEY record on proton.ch will return a RRSET and RRSIG. However, running the same query on Debian-based Linux will only return a RRSET
  • Pass in nameservers and timeout when running get_dnskey recursively

5.2.6

  • Revert change introduced in 5.2.4 that caused the DNSSEC test to always return True
  • Test for multiple RDATA types when testing DNSSEC
  • Properly cache DNSSEC test results

5.2.5

  • Properly cache DNSKEY answers

5.2.4

  • Workaround DNSSEC testing bug in Debian for some domains
    • On Windows, querying for a DNSKEY record on proton.ch will return a RRSET and RRSIG. However, running the same query on Linux will only return a RRSET, but will return a RRSET and RRSIG if another record type is requested, such as A

5.2.3

  • Fix exception handling for query_mta_sts_record
  • Fix exception handling for query_smtp_tls_reporting_record

5.2.2

  • Better exception handling for query_mta_sts_record
  • More verbose debug logging

5.2.1

  • Fix bug where TLSA records would not be checked in some cases
  • Improved debug logging

5.2.0

  • Check for TLSA records

5.1.0

  • Add support for parsing SMTP TLS Reporting (RFC8460) DNS records

5.0.2

  • Fix DNSSEC test
    • Add missing import dns.dnssec
    • Always use the actual subdomain or domain provided (close #114)

5.0.1

  • Include MTA-STS and BIMI results in CSV output
  • Renamed include_dmarc_tag_descriptions parameter in checkdmarc.check_domains() to include_tag_descriptions
  • Added the include_tag_descriptions parameter to checkdmarc.bimi.check_bimi()
  • Ignore encoding value when checking the Content-Type header during the MTA-STS policy download
  • Added the exception class MTASTSPolicyDownloadError
  • Update documentation

5.0.0

  • Major refactoring: Change from a single module to a package of modules, with each checked standard as its own package
  • Add support for MTA-STS RFC 8461
  • Add support for BIMI
    • Specify a BIMI selector using the --bimi-selector/-b option
  • Various bug fixes

4.8.5

  • Fix SPF query error and warning messages
  • More clear fo tag warning (PR #106)
  • Do not raise a DMAECRecordNotFound exception when the MultipleDMARCRecordsException is raised (PR #108)
  • Add support for null MX records - RFC 7505 (PR #109)

4.8.4

  • Make DMARC retorting URI error messages more clear (PR #104)

4.8.3

  • Fix compatibility with Python 3.8

4.8.2

  • SPFRecordNotFound exception now includes a domain argument (PR #103)
  • The DMARC missing authorization error message now includes the full expected DNS record
  • Lots of code cleanup
  • Added missing docstrings

4.8.1

  • get_base_domain() will return the input string instead of None if it can't parse a domain
  • Always use the base domain when testing DNSSEC

4.8.0

  • Fix DNSSEC test
  • Do not treat include mechanisms with macros as domains (Close issue #81)
  • Add DMARCRecordStartsWithWhitespace exception (PR #97)
  • Properly parse DMARC and BIMI records for domains that do not have an identified base domain (PR #98)
  • Add ignore_unrelated_records argument to query_dmarc_record() (Slight modification of PR #99 - Close issue #91)
  • Mark syntax error positions (Slight modification of PR #100)

4.7.0

  • Break up code into smaller methods (PR #93)

4.6.0

  • Replace publicsuffix2 with publicsuffixlist (PR #92)

4.5.2

  • Maintain the original character case of the DMARC record
  • Always treat tag names as lowercase
  • Always treat the DMARC v tag value as if it was uppercase
  • Always treat the DMARC p, and fo tag values as if they were lowercase
  • Always treat URI schemes as lowercase, but maintain the case of the address
  • Remove inaccurate testInvalidDMARCfo test

4.5.1

  • Ignore case and whitespace when parsing DMARC and BIMI key=value pairs (Closes #75)
  • Handle missing PTR records more gracefully (Closes #64)
  • Redundant DMARC fo tag values now result in a warning instead of a syntax error (Closes #71)

4.5.0

  • Detect non-trivial loops (PR #88)
  • Raise a SPFSyntaxError exception when an IP address and IP version do not match (PR #87)
  • Fix raising the DMARCRecordNotFound exception when a DMARC record does not exist (PR #86 closes issue #72)
  • Add void lookup limit (PR #85)
  • Add Support for User Defined DNS Resolver Object (PR #83)

4.4.4

  • Fix DNS caching (issue #79 PR #80)

4.4.3

  • Fix tarball build (#78)

4.4.2

  • Fix CSV output
  • Always parse RUA and RUF fields, even if other parts of the record are invalid (PR #74)
  • Convert documentation to markdown
  • Migrate build from setuptools to hatch
  • Migrate automated testing from Travis CI to GitHub Actions

4.4.1

  • Pass in nameserver and timeout parameters when calling get_reverse_dns() (Actually close issue #59)

4.4.0

  • Use the system's DNS resolvers by default
  • Make DMARC report destination errors warnings instead of fatal errors (Closes issue #54)
  • Honor nameserver and DNS timeout settings when querying for PTR records (Closes issue #59)
  • Separate TLS and STARTTLS checks (Closes issue #56)
  • Fix false positive SPF redirect loop error (Closes issue #55)
  • Require the p tag to immediately follow the v tag (Closes issue #57)

4.3.1

  • Loosen IP address checks (PR # 53)

4.3.0

  • Include nameservers in call to check_wildcard_dmarc_report_authorization (PR #51)
  • Fix ipv4 validation and add ipv6 validation (PR #52)
  • Fix User-Agent string

4.2.4

  • Fix publicsuffix2 minimum version

4.2.3

  • Fix Python 3.4 support

4.2.2

  • Fix warning introduced in newer versions of publicsuffix2 (closes issue #46)
  • Set minimum dependency requirements (closes issue #47)

4.2.1

  • Fix typo in Office 365 MX record verification warning

4.2.0

  • Add test for DNSSEC (closes issue #44)
  • Ignore SPF record content after the all mechanism (closes issue #45)
  • Use UDP instead of TCP for DNS queries
  • Reduce default DNS timeout from 6.0 seconds to 2.0 seconds
  • Require dnspython>=1.16.0

4.1.10

  • Make SPF mechanisms and modifiers case-insensitive, in compliance with RFC 7208, sections 4.6.1 and 12 (#42)
  • Raise a warning instead of an error when an MX hostname does not exist
  • Raise a specific warning when an Office 365 MX domain validation record is detected

4.1.9

  • Fix typo in DMARC authorization record warning (#38)
  • Add support for validating wildcard DMARC report authorization records
  • Support reserved TLDs in get_base_domain() (#39)

4.1.8

  • Still check STARTTLS when reverse DNS lookup fails
  • Disable STARTTLS/TLS checks when running on Windows to avoid timeout_decorator Windows incompatibility

4.1.7

  • Better DNS exception handling
  • Show errors instead of warnings when checking NS and MX records for non-existent domains

4.1.6

  • Fix TLS/STARTTLS failure output

4.1.5

  • Add warning if MX hosts are missing A or AAAA records

4.1.4

  • Timeout SMTP TLS check after 5 seconds

4.1.3

  • Debug output fixes

4.1.2

  • Fix --skip-tls option
  • Replace publicsuffix with publicsuffix2

4.1.1

  • Fix tls and starttls CSV fields

4.1.0

  • Test for SSL/TLS over port 465 if STARTTLS is not supported
  • Fix display of SSL/TLS errors

4.0.2

  • Improve STARTTLS test

4.0.1

  • Add option to CLI and API to skip STARTTLS testing
  • Fix CSV output
  • Fix debug logging
  • Documentation fixes

4.0.0

  • Refactor API and CLI

3.1.2

  • Save public_suffix_list.dat to a temporary folder instead of the current working directory (CWD)
  • Emulate a browser HTTP User-Agent string when downloading public_suffix_list.dat
  • Add requirement requests
  • Change list separator within CSV fields from , to |

3.1.1

  • Fix returning STARTTLS results upon exception

3.1.0

  • Fix debug output
  • Fix crash when checking domains with more than 10 MX records
  • Cache STARTTLS failures
  • Add warning for duplicate hostnames in MX records
  • Increase cache sizes
  • Disable check for SPF records on MX hostnames - too noisy

3.0.3

  • Catch BlockingIOError exception when testing STARTTLS
  • Add warning if PTR records for MX do not match the hostname's A/AAAA records

3.0.2

  • Use output path file extension to set output format

3.0.1

  • Use substrings for matching approved 'MX' and 'NS' records, rather than the full string

3.0.0

  • Add get_nameservers() to the API
  • Add NS record lookup to output as ns
  • Add --ns option to CLI for listing approved nameservers

2.9.2

  • Fix --mx CLI option

2.9.1

  • Bugfix: STARTTLS caching
  • Add MX warnings for parked domains
  • Increase default DNS timeout from 2.0 seconds to 6.0 seconds

2.9.0

  • Bugfix: CSV format -f csv for starttls header
  • Bugfix: Always properly close an SMTP connection
  • Cache DNS and STARTTLS results in memory
  • Use python3 in docs Makefile for Sphinx build
  • Add --debug option
  • Make warning about proper SPF records for MX hosts an only show with --debug (Very noisy - Many hosts use DKIM without SPF to DMARC align bouncebacks)

2.8.0

  • Bugfix: Always raise warning when SPF type DNS records are found
  • Add check for proper SPF records for MX hosts
  • Add check for STARTTLS
  • Add option -p/--parked to check for best practices for parked domains
  • Add option --mx to provide a list of approved MX hostnames
  • Add query_bimi_record() to the API

2.7.3

  • Fix parsing of TXT records over multiple lines (PR #36)

2.7.2

  • Fix false-negative SPF validation of ipv4 mechanisms with a single digit CIDR notation (PR #35)

2.7.1

  • Fix false-negative SPF and DMARC validations

2.7.0

  • Fix report destination verification

2.6.3

  • Reduce default DNS timeout to 2.0 seconds
  • Always use \n as the newline when generating output

2.6.2

  • Properly concatenate multi-line TXT records

2.6.1

  • Fix exception generation

2.6.0

  • Refactored DMARCError and SPFError exceptions to support adding data to the results (seanthegeek)
  • Close #18 - include dns_lookups in spf results when number of SPF lookups are exceeded (seanthegeek)
  • Added timeout rounding to the Exception classes (malvidin)
  • Refactored DMARCError and SPFError exceptions to support adding data to the results (seanthegeek)
  • Close #18 - include dns_lookups in spf results when number of SPF lookups are exceeded (seanthegeek)
  • Added timeout rounding to the Exception classes (malvidin)

2.5.1

  • PEP 8 fixes

2.5.0

  • Close #32 - Raise SPFSyntaxError when an invalid value is encountered for an ip4SPF mechanism
  • Close #33 - Add python3 setup.py sdist to build.sh, and publish source distribution to PyPI

2.4.0

  • Close #31 - Public Suffix List checked before list is available (malvidin)
  • Decrease precision of DNS timeout (malvidin)
  • Close #15 - Add sorting of A/AAAA records (malvidin)
  • Add basic logging of runtime warnings (seanthegeek)

2.3.0

  • Use Cloudflare's DNS resolvers by default

2.2.0

  • Fix DMARC record location when subdomain is missing record
  • Fix typos

2.1.15

  • prefix . to public_suffix_list.dat

2.1.14

  • Fix typo in help

2.1.13

  • Treat pct < 1 as invalid
  • Issue warning if there are more than two URIs for rua or ruf (separate count)

2.1.12

  • Allow whitespace in DMARC values

2.1.11

  • Actually fix DMARC rua and ruf CSV output

2.1.10

  • Fix DMARC rua and ruf CSV output

2.1.9

  • More exception handling fixes

2.1.8

  • Fix DNS report destination verification error message

2.1.7

  • Yet more DNS error handling

2.1.6

  • More DNS SERVFAIL handling
  • More descriptive warning if DMARC pct < 100

2.1.5

  • Handle DNS failures better

2.1.4

  • Properly handle a useless DMARC record at the root of a domain

2.1.3

  • Use correct example output in documentation
    • Replace accenture.com output from debugging with fbi.gov output
    • That's what I get for copy/pasting without reading :(

2.1.2

  • Raise an error when multiple spf1 TXT records are found

2.1.1

  • Fix external DMARC report destination validation
  • Update sample output in documentation

2.1.0

  • Improve DMARC regex for edge cases
  • Use Organizational Domain when checking DMARC URI destination
  • Simplify exceptions
  • Refactor dome method return values
  • Add more unit tests
  • Many documentation improvements and fixes
  • PEP 8 compliant

2.0.0

  • Check for misplaced DMARC records
  • Update documentation
  • Write unit tests and deploy CI (#12)

1.8.1

  • Fix a bug that causes all DMARC lookups to fail
  • First unit tests

1.8.0

  • Fix SPF loop false-positives (#20)
  • Use the base/organizational domain name when validating DMARC report destinations (#21)
  • Add more granular exception classes in preparation for unit tests in 2.0.0

1.7.10

  • Fix SPF regex regression

1.7.9

  • Make DMARC p required, as specified in the RFC
  • Improve SPF regex and syntax error details

1.7.8

  • Update mailto regex to accept single char mailbox names
  • Clarify DMARC tag and value descriptions
  • Pass in nameservers and timeout when querying for MX records

1.7.7

  • Fix sample command in documentation

1.7.6

  • Raise an error instead of a warning when DMARC reporting URIs cannot receive reports about a domain

1.7.5

  • Fix JSON output structure or included/redirected SPF records

1.7.4

  • Fix typo in error message

1.7.3

  • Detect Requests for _dmarc records that actually return SPF records
  • Correct documentation for get_mx_hosts(domain, nameservers=None, timeout=6.0)

1.7.2

  • Update output sample in documentation

1.7.1

  • Change in JSON structure - Separate DMARC URI scheme and address to better support potential future URI schemes

1.7.0

  • Change in JSON structure - Parse mailto: DMARC URIs, including size limits (if any)
  • More granular Exception classes
  • Updated documentation

1.6.1

  • Refactor and simplify DNS queries

1.6.0

  • Properly look for DMARC records in base/organizational domains
  • Properly count DNS lookups for SPF
  • Update sample output in the documentation

1.5.4

  • Remove faulty ruf tag warning

1.5.3

  • Fix another show-stopping bug :(

1.5.1

  • Fix show-stopping bug

1.5.0

  • Turn rua and ruf tag values in to lists
  • Fix conversion of lists to strings in CSVs
  • Raise DMARCWarning if the value of the pct tag is less than 100
  • Raise DMARCError if the value of the pct tag is less than 0 or greater than 100

1.4.0

  • Proper parsing of DMARC tags fo and rf

1.3.8

  • Improve regex for the DMARC mailto: URI
  • __version__ only needs to be updated in one place now
  • Fix docstring formatting

1.3.7

  • Properly handle DMARC records that are made up of multiple strings

1.3.6

  • Allow input file to be a CSV where the domain is the first field; all other fields are ignored
  • Better handling of invalid DMARC values

1.3.5

  • Rearrange the order of the CSV fields to that the longest entries are to the right
  • Documentation improvements
  • Fix external DMARC report destination validation
  • Count each MX resource record once

1.3.3 and 1.3.4

  • Clarify warning messages

1.3.2

  • Pass timeout in for SPF queries when outputting in CSV format
  • Raise default timeout to 6 seconds

1.3.1

  • Only include hostname in mx SPF mechanism results

1.3.0

  • Show MX preference in output
  • Sort MX records by preference
  • Mark package as supporting Python 3 only (Python 2 was never actually supported because Pyleri does not support it)
  • Removed all previous versions from PyPI so someone doesn't think Python 2 was supported when it never was

1.2.1

  • Change default timeout to 4 seconds
  • Use ; to delimit warnings and MX records in CSV format

1.2.0

  • Add MX warnings to output

1.1.1

  • Fix DMARC warning CSV output

1.1.0

  • Separate SPF MX record limit from SPF DNS mechanism limit
  • Fix DMARC CSV output

1.0.12

  • Fix more SPF exceptions

1.0.11

  • Fix SPF exceptions

1.0.10

  • Fix DMARC record discovery
  • Rename mx domain key to hostname
  • Add example output to README

1.0.9

  • Fix PyPI readme display

1.0.8

  • Fix typos
  • Add MX records to output

1.0.7

  • Fix --timeout/-t option
  • Add --wait/-w option

1.0.6

  • Make SPF loops errors instead of warnings
  • Check SPF records for redirect loops

1.0.5

  • Ignore blank lines/domains in input

1.0.4

  • Include the DMARC organizational domain in JSON and CSV output
  • Change CSV field order for readability
  • Make JSON output order consistent
  • Resolve SPF redirect
  • Put include results in a JSON list
  • Count exists SPF mechanisms in the overall SPF query limit
  • Make a SPF mechanisms count as one lookup instead of two
    • checkdmarc actually makes two queries per a mechanism, one for A records, and one for AAAA records. However, RFC 7208, Section 1.6.4 only mentions counting the mechanisms that use lookups (i.e. mx, a, exists, include, and redirect), and including each MX record returned in the overall count, (since those in turn will need to be resolved). This aligns checkdmarc with 3rd party SPF validators at MxToolbox and DMARC Analyzer

1.0.3

  • Removed from PyPI due to bugs
  • Subdomains inherit the DMARC record of the organizational domain

1.0.2

  • Removed from PyPI due to bugs
  • Validate existence of MX amd A/AAAA records
  • Add a --timeout/-t option
  • Improve DMARC record syntax validation
  • Check for SPF include loops
  • Validate rua and ruf URIs
  • Fail SPF validation if query limit reached RFC 7208, Section 1.6.4

1.0.1

  • First release on PyPi (since removed due to bugs)

1.0.0

  • Initial commit to GitHub