Anthropic-Cybersecurity-Skills/skills/implementing-email-security-with-dmarc-dkim-spf/references/api-reference.md

API Reference: Email Security (SPF/DKIM/DMARC)

dnspython TXT Query

import dns.resolver
answers = dns.resolver.resolve("example.com", "TXT")
for rdata in answers:
    txt = b"".join(rdata.strings).decode("utf-8")

SPF Record Format

v=spf1 [mechanisms] [qualifier]all

Mechanism	Example	Description
include:	include:_spf.google.com	Include other SPF record
ip4:	ip4:203.0.113.0/24	Allow IPv4 range
ip6:	ip6:2001:db8::/32	Allow IPv6 range
a:	a:mail.example.com	Allow A record IP
mx:	mx:example.com	Allow MX record IPs
redirect=	redirect=_spf.example.com	Redirect to another SPF

Qualifier	Meaning	Effect
-all	Fail	Reject unauthorized senders
~all	Softfail	Accept but mark
?all	Neutral	No policy
+all	Pass	Allow all (insecure)

Limit: Max 10 DNS lookups (includes, a, mx, ptr, exists, redirect).

DKIM Record Query

{selector}._domainkey.{domain} TXT

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEB...

Tag	Description
v	Version (DKIM1)
k	Key type (rsa, ed25519)
p	Public key (Base64)
t	Flags (y=testing, s=strict)

Common selectors: google, default, selector1, selector2, k1, mail, dkim, s1, s2, mandrill, smtpapi

DMARC Record Query

_dmarc.{domain} TXT

v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100

Tag	Values	Description
p	none/quarantine/reject	Policy for domain
sp	none/quarantine/reject	Subdomain policy
pct	0-100	Percentage of messages to apply policy
rua	mailto:URI	Aggregate report destination
ruf	mailto:URI	Forensic report destination
adkim	r/s	DKIM alignment (relaxed/strict)
aspf	r/s	SPF alignment (relaxed/strict)

Risk Scoring

Condition	Score
No SPF record	+40 critical
SPF +all	+40 critical
SPF ~all	+10 medium
No DKIM	+25 high
No DMARC	+40 critical
DMARC p=none	+25 high
DMARC pct < 100	+10 medium