Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[0.10.0] - 2022-03-27

changed

  • duration of an SPF policy evaluation is now in milliseconds, rather than seconds
  • duration is now also logged at info level for each SPF record evaluated
  • each SPF txt record's length is logged at the info level & included in spf report section

fixed

  • -r d report now outputs valid entries first (not all), followed by problematic dns entries
    • so no more double entries in the reporting output

[0.9.2] - 2022-01-08

fixed

  • csv output now escapes quotes in a string value

changed

  • switched to testsuite rfc7208-tests.yml which appears to be newer and has more tests.
  • in case of a syntax error, also log the verdict on stderr

[0.9.1] - 2022-01-07

fixed

  • digraph, links from includes/redirects with macros now link to the expanded name
  • digraph, macro expansion of nested records should use the original ip and sender parts

changed

  • digraph, include local part of sender in evaluation result on top of the graph
  • digraph, use the DNS cache when generating a digraph for an SPF policy
  • digraph, include/redirect to a non-SPF record should say so (not just be empty)

[0.9.0] - 2022-01-03

added

  • -b, --batch N flag to run Nx SPF evaluations concurrently when in batch mode
  • -T, --timeout N flag to set the timeout for DNS queries

changed

  • also log the final verdict, not just the intermediate verdicts

[0.8.1] - 2021-12-26

fixed

  • caching a DNS response of :servfail should not include the entire dns_msg as well
    • darn! should've checked this when refactoring the Spf.DNS module

[0.8.0] - 2021-12-26

added

  • info message when an SPF record is tracking sender IP, EHLO and/or sender IP validated name.

changed

  • dot representation of an SPF record only shows the AST created
    • "v=spf1" was added automatically since it is not part of the AST
    • but this was confusing in cases where no SPF record was found
  • when generating zonedata for rfc7208's testsuite omit CNAME and SOA records
    • they're not used in the testsuite anyway
  • specifying zonedata to pre-load, dropped the domain error format
    • records are no longer autogenerated
    • this was actually logic from rfc7208's testsuite
    • not needed by Spfcheck itself

fixed

  • when updating the DNS cache with an error, it now replaces any existing rrdata
  • queries for cached domain names with circular CNAME references, now yield :servfail
  • dot file generation does not choke when no SPF records were found
  • reporting on DNS data gathered now outputs any soa records properly
  • authority search ignores CNAME results to find real SOA for given domain
    • the real SOA being the zone that contains the record for original search name

[v0.7.1] - 2021-12-21

fixed

  • loop detection (had some false positives)

[v0.7.0] - 2021-12-18

added

  • syntax error messages now also list reasons for the errors
  • warning if an ip4/ip6 mechanism actually masks host bits (i.e. address != this-network)
  • warning if exists' domain is same as current SPF domain (which is unusual)
  • warning if an unknown modifier has a mechanism name (an easy mistake)

fixed

  • leading zeros in ip4/6 prefix lengths are actually a syntax error
  • empty macro-string in an unknown modifier is actually legal
  • %{t} now expands to timestamp (UNIX epoch time)
  • unknown modifiers cannot use c,r,t-macros, they're only valid in an explain-string

changed

  • removed dependency on nimble_parsec
  • DNS MECH counter shown at info level (was debug level)
  • logs use uniform format: "term - message" format as much as possible
  • redundant entry message now lists only the uniquely overlapping terms

[v0.6.0] - 2021-12-01

added

  • report option "g" to include a graphviz di-graph of the SPF policy
  • warning when default '+'-qualifier is used in mechanisms

changed

  • a less confusing redundant-warning replaces the multiple-entries warning
  • inconsistent warnings now report only the terms inconsistent with current term
  • more consistent formatting of logging and verdict's reason

[v0.5.0] - 2021-11-28

added

  • --nameserver flag to customize which nameservers to use via IPv4 and/or IPv6 addresses
  • --author flag to set author information in markdown metadata
  • --title flag to set title information in markdown metadata

[v0.4.0] - 2021-11-27

changed

  • prefixes are stored on exact match, not longest prefix match
  • multiple entries warning now means the exact same prefix was seen multiple times

added

  • unreachable-warning when new prefix is subnet of an existing supernet
  • overlapping-warning when new prefix is supernet of an existing subnet
  • inconsistent-warning for overlapping prefixes having different qualifiers
  • notifications during context creation

[v0.3.0] - 2021-11-26

changed

  • warning when exceeding 512 chars now shows offending SPF domain name
  • "seen before"-warning changed into "multiple entries"-warning (less confusing)
  • parser errors now correctly logged as :parse-errors instead of :eval-errors

added

  • warning about inconsistent qualifiers in case of multiple entries
  • warning about mx used while domain has null MX record
  • warning for superfluous prefix lengths (/32 resp. /128)
  • warning for zero prefix lengths (/0)

[v0.2.0] - 2021-11-21

Changed

  • verdict output includes owner domain and contact (also in csv-output)
  • ipt logs show spf terms rather than their raw token
  • logging to stderr now shows the domain in front, so redirecting stderr to a log file means the messages can be related to the domain being checked at that time.
  • added warning when ?all or +all is used

Fixed

  • url for rfc7208 test suite
  • use :dns (not :ipt) when logging dns additions to the cache

[v0.1.1] - 2021-11-20

  • Fix url for License badge

[v0.1.0] - 2021-11-20

  • Initial public version