Files
T
mukul975 c47eed6a64 Production hardening: security fixes, code quality, 724 skills complete
- Fix 25 shell=True subprocess calls with list-based commands
- Fix 49 verify=False in defensive skills (env-var override)
- Add timeout to 231 HTTP/subprocess/socket calls
- Fix 6 SQL injection patterns with whitelist validation
- Replace 8 __import__() with standard imports
- Remove 701 unused imports across 442 files
- Add authorized-testing disclaimers to all offensive skills
- Complete 11 incomplete skill directories
- Expand 10 stub SKILL.md files with full content
- Fix 2 YAML parse errors in frontmatter
- Fix 5 pre-existing syntax errors
- Convert 22 hardcoded paths/ports to environment variables
- Back up 21 redundant skill pairs to .bak
- Fix 2 global declaration errors
- 724/724 skills with full folder anatomy (SKILL.md + agent.py + api-reference.md + LICENSE)
- 0 compile errors across all 724 agent.py files
2026-03-19 13:26:49 +01:00

2.2 KiB

API Reference: Email Security (SPF/DKIM/DMARC)

dnspython TXT Query

import dns.resolver
answers = dns.resolver.resolve("example.com", "TXT")
for rdata in answers:
    txt = b"".join(rdata.strings).decode("utf-8")

SPF Record Format

v=spf1 [mechanisms] [qualifier]all
Mechanism Example Description
include: include:_spf.google.com Include other SPF record
ip4: ip4:203.0.113.0/24 Allow IPv4 range
ip6: ip6:2001:db8::/32 Allow IPv6 range
a: a:mail.example.com Allow A record IP
mx: mx:example.com Allow MX record IPs
redirect= redirect=_spf.example.com Redirect to another SPF
Qualifier Meaning Effect
-all Fail Reject unauthorized senders
~all Softfail Accept but mark
?all Neutral No policy
+all Pass Allow all (insecure)

Limit: Max 10 DNS lookups (includes, a, mx, ptr, exists, redirect).

DKIM Record Query

{selector}._domainkey.{domain} TXT
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEB...
Tag Description
v Version (DKIM1)
k Key type (rsa, ed25519)
p Public key (Base64)
t Flags (y=testing, s=strict)

Common selectors: google, default, selector1, selector2, k1, mail, dkim, s1, s2, mandrill, smtpapi

DMARC Record Query

_dmarc.{domain} TXT
v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100
Tag Values Description
p none/quarantine/reject Policy for domain
sp none/quarantine/reject Subdomain policy
pct 0-100 Percentage of messages to apply policy
rua mailto:URI Aggregate report destination
ruf mailto:URI Forensic report destination
adkim r/s DKIM alignment (relaxed/strict)
aspf r/s SPF alignment (relaxed/strict)

Risk Scoring

Condition Score
No SPF record +40 critical
SPF +all +40 critical
SPF ~all +10 medium
No DKIM +25 high
No DMARC +40 critical
DMARC p=none +25 high
DMARC pct < 100 +10 medium