def is_spf_record_strong(domain):
strong_spf_record = True
spf_record = spflib.SpfRecord.from_domain(domain)
if spf_record is not None and spf_record.record is not None:
output_info("Found SPF record:")
output_info(str(spf_record.record))
strong_all_string = check_spf_all_string(spf_record)
if strong_all_string is False:
redirect_strength = check_spf_redirect_mechanisms(spf_record)
include_strength = check_spf_include_mechanisms(spf_record)
strong_spf_record = False
if redirect_strength is True:
strong_spf_record = True
if include_strength is True:
strong_spf_record = True
else:
output_good(domain + " has no SPF record!")
strong_spf_record = False
return strong_spf_record
def is_spf_record_strong(domain):
strong_spf_record = True
spf_record = spflib.SpfRecord.from_domain(domain)
if spf_record is not None and spf_record.record is not None:
output_info("Found SPF record:")
output_info(str(spf_record.record))
strong_all_string = check_spf_all_string(spf_record)
if strong_all_string is False:
redirect_strength = check_spf_redirect_mechanisms(spf_record)
include_strength = check_spf_include_mechanisms(spf_record)
strong_spf_record = False
if redirect_strength is True:
strong_spf_record = True
if include_strength is True:
strong_spf_record = True
else:
output_good(domain + " has no SPF record!")
strong_spf_record = False
return strong_spf_record
def check_spf_redirect_mechanisms(spf_record):
redirect_domain = spf_record.get_redirect_domain()
if redirect_domain:
output_info(f"Processing an SPF redirect domain: {redirect_domain}")
return is_spf_record_strong(redirect_domain)
else:
return False
def is_spf_redirect_record_strong(spf_record):
output_info("Checking SPF redirect domian: %(domain)s" % {"domain": spf_record.get_redirect_domain})
redirect_strong = spf_record._is_redirect_mechanism_strong()
if redirect_strong:
output_bad("Redirect mechanism is strong.")
else:
output_indifferent("Redirect mechanism is not strong.")
return redirect_strong
def are_spf_include_mechanisms_strong(spf_record):
output_info("Checking SPF include mechanisms")
include_strong = spf_record._are_include_mechanisms_strong()
if include_strong:
output_bad("Include mechanisms include a strong record")
else:
output_indifferent("Include mechanisms are not strong")
return include_strong
def are_spf_include_mechanisms_strong(spf_record):
output_info("Checking SPF include mechanisms")
include_strong = spf_record._are_include_mechanisms_strong()
if include_strong:
output_bad("Include mechanisms include a strong record")
else:
output_indifferent("Include mechanisms are not strong")
return include_strong
def is_spf_redirect_record_strong(spf_record):
output_info("Checking SPF redirect domian: %(domain)s" % {"domain": spf_record.get_redirect_domain})
redirect_strong = spf_record._is_redirect_mechanism_strong()
if redirect_strong:
output_bad("Redirect mechanism is strong.")
else:
output_indifferent("Redirect mechanism is not strong.")
return redirect_strong
def check_spf_redirect_mechanisms(spf_record):
redirect_domain = spf_record.get_redirect_domain()
if redirect_domain is not None:
output_info("Processing an SPF redirect domain: %s" % redirect_domain)
return is_spf_record_strong(redirect_domain)
else:
return False
def check_spf_include_mechanisms(spf_record):
include_domain_list = spf_record.get_include_domains()
for include_domain in include_domain_list:
output_info(f"Processing an SPF include domain: {include_domain}")
strong_all_string = is_spf_record_strong(include_domain)
if strong_all_string:
return True
return False
def check_spf_include_mechanisms(spf_record):
include_domain_list = spf_record.get_include_domains()
for include_domain in include_domain_list:
output_info("Processing an SPF include domain: %s" % include_domain)
strong_all_string = is_spf_record_strong(include_domain)
if strong_all_string:
return True
return False
def get_dmarc_record(domain):
dmarc = dmarclib.DmarcRecord.from_domain(domain)
if dmarc is not None and dmarc.record is not None:
output_info("Found DMARC record:")
output_info(str(dmarc.record))
return dmarc
else:
org_domain = dmarc.get_org_domain()
if org_domain is not None and org_domain != domain:
output_info("Record is a subdomain of %(org)s" % {"org": org_domain})
org_record = dmarclib.DmarcRecord.from_domain(org_domain)
if org_record.record is not None:
output_info("Found subdomain DMARC record for %(org)s:" % {"org": org_domain})
output_info(str(org_record.record))
return org_record
def is_spf_record_strong(domain):
strong_spf_record = True
try:
spf_record = spflib.SpfRecord.from_domain(domain)
output_info("Found SPF record:")
output_info(str(spf_record.record))
all_string_weak = check_spf_all_string(spf_record)
if all_string_weak is True:
strong_spf_record = False
except spflib.NoSpfRecordException:
output_good(domain + " has no SPF record!")
strong_spf_record = False
return strong_spf_record
def is_spf_record_strong(domain):
strong_spf_record = True
try:
spf_record = spflib.SpfRecord.from_domain(domain)
output_info("Found SPF record:")
output_info(str(spf_record.record))
all_string_weak = check_spf_all_string(spf_record)
if all_string_weak is True:
strong_spf_record = False
except spflib.NoSpfRecordException:
output_good(domain + " has no SPF record!")
strong_spf_record = False
return strong_spf_record
def is_dmarc_record_strong(domain):
dmarc_record_strong = False
dmarc = get_dmarc_record(domain)
if dmarc is not None and dmarc.record is not None:
dmarc_record_strong = check_dmarc_policy(dmarc)
check_dmarc_extras(dmarc)
elif dmarc.get_org_domain() is not None:
output_info("No DMARC record found. Looking for organizational record")
dmarc_record_strong = check_dmarc_org_policy(dmarc)
else:
output_good(domain + " has no DMARC record!")
return dmarc_record_strong
def is_dmarc_record_strong(domain):
dmarc_record_strong = False
dmarc = get_dmarc_record(domain)
if dmarc is not None and dmarc.record is not None:
dmarc_record_strong = check_dmarc_policy(dmarc)
check_dmarc_extras(dmarc)
elif dmarc.get_org_domain() is not None:
output_info("No DMARC record found. Looking for organizational record")
dmarc_record_strong = check_dmarc_org_policy(dmarc)
else:
output_good(domain + " has no DMARC record!")
return dmarc_record_strong
def menu():
parser = argparse.ArgumentParser()
parser.add_argument("--input",
"-i",
help="List of domains to perform checking")
parser.add_argument("--domain",
"-d",
help="Single domain to perform checking")
args = parser.parse_args()
if args.domain:
single_domain(args.domain.rstrip())
elif args.input:
with open(args.input, 'r') as f:
for domain in f:
domain = domain.rstrip()
output_info("Checking " + domain)
single_domain(domain)
print("")
else:
parser.print_help()
def check_dmarc_org_policy(base_record):
policy_strong = False
try:
org_record = base_record.get_org_record()
if org_record is not None and org_record.record is not None:
output_info("Found organizational DMARC record:")
output_info(str(org_record.record))
if org_record.subdomain_policy is not None:
if org_record.subdomain_policy == "none":
output_good(
"Organizational subdomain policy set to %(sp)s" %
{"sp": org_record.subdomain_policy})
elif org_record.subdomain_policy == "quarantine" or org_record.subdomain_policy == "reject":
output_bad(
"Organizational subdomain policy explicitly set to %(sp)s"
% {"sp": org_record.subdomain_policy})
policy_strong = True
else:
output_info(
"No explicit organizational subdomain policy. Defaulting to organizational policy"
)
policy_strong = check_dmarc_policy(org_record)
else:
output_good("No organizational DMARC record")
except dmarclib.OrgDomainException:
output_good("No organizational DMARC record")
except Exception as e:
logging.exception(e)
return policy_strong
def check_dmarc_org_policy(base_record):
policy_strong = False
try:
org_record = base_record.get_org_record()
if org_record is not None and org_record.record is not None:
output_info("Found organizational DMARC record:")
output_info(str(org_record.record))
if org_record.subdomain_policy is not None:
if org_record.subdomain_policy == "none":
output_good("Organizational subdomain policy set to %(sp)s" % {"sp": org_record.subdomain_policy})
elif org_record.subdomain_policy == "quarantine" or org_record.subdomain_policy == "reject":
output_bad("Organizational subdomain policy explicitly set to %(sp)s" % {"sp": org_record.subdomain_policy})
policy_strong = True
else:
output_info("No explicit organizational subdomain policy. Defaulting to organizational policy")
policy_strong = check_dmarc_policy(org_record)
else:
output_good("No organizational DMARC record")
except dmarclib.OrgDomainException:
output_good("No organizational DMARC record")
except Exception as e:
logging.exception(e)
return policy_strong
def is_spf_record_strong(domain):
strong_spf_record = True
spf_record = spflib.SpfRecord.from_domain(domain)
if spf_record and spf_record.record:
output_info("Found SPF record:")
output_info(str(spf_record.record))
strong_all_string = check_spf_all_string(spf_record)
if not strong_all_string:
redirect_strength = check_spf_redirect_mechanisms(spf_record)
include_strength = check_spf_include_mechanisms(spf_record)
strong_spf_record = False
if redirect_strength or include_strength:
strong_spf_record = True
else:
output_good(f"{domain} has no SPF record!")
strong_spf_record = False
return strong_spf_record
def get_dmarc_org_record(base_record):
org_record = base_record.get_org_record()
if org_record is not None:
output_info("Found DMARC Organizational record:")
output_info(str(org_record.record))
return org_record
def get_dmarc_record(domain):
dmarc = dmarclib.DmarcRecord.from_domain(domain)
if dmarc is not None and dmarc.record is not None:
output_info("Found DMARC record:")
output_info(str(dmarc.record))
return dmarc
def get_dmarc_record(domain):
dmarc = dmarclib.DmarcRecord.from_domain(domain)
if dmarc is not None and dmarc.record is not None:
output_info("Found DMARC record:")
output_info(str(dmarc.record))
return dmarc
def get_dmarc_org_record(base_record):
org_record = base_record.get_org_record()
if org_record is not None:
output_info("Found DMARC Organizational record:")
output_info(str(org_record.record))
return org_record