Files
T
mukul975 c47eed6a64 Production hardening: security fixes, code quality, 724 skills complete
- Fix 25 shell=True subprocess calls with list-based commands
- Fix 49 verify=False in defensive skills (env-var override)
- Add timeout to 231 HTTP/subprocess/socket calls
- Fix 6 SQL injection patterns with whitelist validation
- Replace 8 __import__() with standard imports
- Remove 701 unused imports across 442 files
- Add authorized-testing disclaimers to all offensive skills
- Complete 11 incomplete skill directories
- Expand 10 stub SKILL.md files with full content
- Fix 2 YAML parse errors in frontmatter
- Fix 5 pre-existing syntax errors
- Convert 22 hardcoded paths/ports to environment variables
- Back up 21 redundant skill pairs to .bak
- Fix 2 global declaration errors
- 724/724 skills with full folder anatomy (SKILL.md + agent.py + api-reference.md + LICENSE)
- 0 compile errors across all 724 agent.py files
2026-03-19 13:26:49 +01:00

76 lines
2.2 KiB
Markdown

# API Reference: Email Security (SPF/DKIM/DMARC)
## dnspython TXT Query
```python
import dns.resolver
answers = dns.resolver.resolve("example.com", "TXT")
for rdata in answers:
txt = b"".join(rdata.strings).decode("utf-8")
```
## SPF Record Format
```
v=spf1 [mechanisms] [qualifier]all
```
| Mechanism | Example | Description |
|-----------|---------|-------------|
| `include:` | `include:_spf.google.com` | Include other SPF record |
| `ip4:` | `ip4:203.0.113.0/24` | Allow IPv4 range |
| `ip6:` | `ip6:2001:db8::/32` | Allow IPv6 range |
| `a:` | `a:mail.example.com` | Allow A record IP |
| `mx:` | `mx:example.com` | Allow MX record IPs |
| `redirect=` | `redirect=_spf.example.com` | Redirect to another SPF |
| Qualifier | Meaning | Effect |
|-----------|---------|--------|
| `-all` | Fail | Reject unauthorized senders |
| `~all` | Softfail | Accept but mark |
| `?all` | Neutral | No policy |
| `+all` | Pass | Allow all (insecure) |
**Limit**: Max 10 DNS lookups (includes, a, mx, ptr, exists, redirect).
## DKIM Record Query
```
{selector}._domainkey.{domain} TXT
```
```
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEB...
```
| Tag | Description |
|-----|-------------|
| `v` | Version (DKIM1) |
| `k` | Key type (rsa, ed25519) |
| `p` | Public key (Base64) |
| `t` | Flags (y=testing, s=strict) |
Common selectors: `google`, `default`, `selector1`, `selector2`, `k1`, `mail`, `dkim`, `s1`, `s2`, `mandrill`, `smtpapi`
## DMARC Record Query
```
_dmarc.{domain} TXT
```
```
v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100
```
| Tag | Values | Description |
|-----|--------|-------------|
| `p` | none/quarantine/reject | Policy for domain |
| `sp` | none/quarantine/reject | Subdomain policy |
| `pct` | 0-100 | Percentage of messages to apply policy |
| `rua` | mailto:URI | Aggregate report destination |
| `ruf` | mailto:URI | Forensic report destination |
| `adkim` | r/s | DKIM alignment (relaxed/strict) |
| `aspf` | r/s | SPF alignment (relaxed/strict) |
## Risk Scoring
| Condition | Score |
|-----------|-------|
| No SPF record | +40 critical |
| SPF +all | +40 critical |
| SPF ~all | +10 medium |
| No DKIM | +25 high |
| No DMARC | +40 critical |
| DMARC p=none | +25 high |
| DMARC pct < 100 | +10 medium |