Releases: domainaware/checkdmarc
5.15.4
Fixes
- Stop reporting jurisdictionOfIncorporationStateOrProvinceName/jurisdictionOfIncorporationLocalityName
as required when both are absent.
Per VMC Requirements §7.1.4.2.2(j), entities incorporated at the country
level (e.g. bbc.co.uk) MUST include only jurisdictionCountryName —
state/province and locality MUST NOT be present. The same correction
applies to the parallel statute* fields for Government Marks
(§7.1.4.2.2(s)). The locality-level form is still validated:
jurisdictionOfIncorporationLocalityName (and statuteLocalityName)
now imply that their state/province counterpart must also be present
(#242).
- Deduplicate the bidirectional "either A or B" error so the
localityName/stateOrProvinceName rule is reported once instead
of twice when both fields are absent.
Changes
- Warn when a BIMI SVG <title> element is a generator/template
placeholder (e.g. bimi-svg-tiny-12-ps, Untitled). The title should
be a descriptive name for the brand or mark.
- Document that BIMI mark certificates are validated against the
AuthIndicators Working Group's
Minimum Security Requirements for Issuance of Mark Certificates.
5.15.3
Fixes
- Display a warning if a BIMI image is provided without a VMC/CMC
5.15.2
Changes
- Cap the per-query UDP timeout at min(1.0, timeout) for single-nameserver
configurations as well as multi-nameserver ones. Previously, when only one
nameserver was configured (or the system default list had a single entry),
resolver.timeout and resolver.lifetime were both set to the full
timeout budget, which collapses dnspython's UDP retry loop to a single
attempt — a single dropped UDP datagram then consumed the whole lifetime
and raised LifetimeTimeout, while dig (which defaults to +tries=3)
would mask the same blip by retrying. dnspython now retries UDP within
the lifetime window (~2 attempts at the default 2s budget), matching
dig's behavior in spirit and eliminating spurious single-NS timeouts
on paths with occasional packet loss.
5.15.1
Changes
- Revert the 5.15.0 default of auto-configuring public nameservers
(1.1.1.1, 8.8.8.8) when no nameservers are passed. When nameservers
is None, checkdmarc now falls back to the system-configured resolvers
again (/etc/resolv.conf on Linux/macOS, the OS resolver on Windows),
matching the 5.14.x and earlier behavior. The auto-configured default would
surprise users running split-horizon or internal DNS and broke workflows
that previously relied on the system resolver.
- Rename the exposed constant from DEFAULT_DNS_NAMESERVERS to
RECOMMENDED_DNS_NAMESERVERS to reflect that it is an opt-in
recommendation, not an automatic default. It is re-exported from the
package root as checkdmarc.RECOMMENDED_DNS_NAMESERVERS so callers can
easily opt in with
check_domains(..., nameservers=RECOMMENDED_DNS_NAMESERVERS).
- Documentation now calls out mixing public resolvers from different
providers as a best practice for public-internet checks.
5.15.0
Changes (breaking)
- Rename the timeout_retries kwarg to retries across all public APIs, and
rename the CLI flag --timeout-retries to --retries. The retry logic now
covers transient failures beyond timeouts — dns.resolver.LifetimeTimeout,
dns.resolver.NoNameservers (typically a SERVFAIL from upstream), and
OSError during TCP fallback. NXDOMAIN and NoAnswer remain
non-retryable (definitive negative answers).
- Change the default retry count from 2 to 0. The retry loop tripled
worst-case query time without helping when stalls were caused by
misbehaving authoritative nameservers. Callers that want retries can pass
retries=2 or use --retries 2 on the CLI.
- Cap the per-nameserver query budget at min(1.0, timeout) seconds, with
an overall lifetime = timeout * len(nameservers). When multiple
nameservers are configured, dnspython now falls through to the next one
after at most 1s instead of letting a single slow or broken nameserver
consume the whole lifetime before any fallback is attempted. Failover
across the configured list happens inside each attempt; retries retries
the whole attempt after all configured nameservers have been tried.
- Default to a mix of public DNS providers (1.1.1.1, 8.8.8.8) when no
nameservers are passed, instead of falling back to /etc/resolv.conf.
Combined with the per-nameserver cap above, this gives cross-provider
failover out of the box — a slow or broken path at one resolver falls
through to the other within ~1s. Exposed as
checkdmarc._constants.DEFAULT_DNS_NAMESERVERS. Users that need
system-configured or internal resolvers can still pass them explicitly
via nameservers=... or --nameserver.
- Centralize default timeouts and retry counts as constants in
checkdmarc._constants (DEFAULT_DNS_TIMEOUT, DEFAULT_DNS_MAX_RETRIES,
DEFAULT_SMTP_TIMEOUT), matching the existing DEFAULT_HTTP_TIMEOUT
pattern. Function defaults now reference these constants so tuning is a
one-file change.
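
The timeout arithmetic from the 5.15.0 and 5.15.2 notes, as an added example (not checkdmarc's or dnspython's code): a simplified model of a resolver walking its nameserver list inside a lifetime window. The function names, the 30 ms round trip, the 192.0.2.53 address and the drop patterns are constructed assumptions.

```python
from itertools import cycle

RTT = 0.03  # constructed round-trip time of an answered query, in seconds


def resolver_budget(timeout, nameservers, cap_single_ns=True):
    """Return (per_query_timeout, lifetime) as the release notes describe.

    cap_single_ns=False models the single-nameserver case before 5.15.2,
    where both values were set to the full timeout budget.
    """
    if len(nameservers) == 1 and not cap_single_ns:
        return timeout, timeout
    return min(1.0, timeout), timeout * len(nameservers)


def simulate(per_query, lifetime, nameservers, lost=(), dead=()):
    """Walk the nameserver list until an answer arrives or lifetime runs out.

    lost: 1-based query numbers whose UDP datagram is dropped (constructed).
    dead: nameservers that never answer (constructed).
    Returns (outcome, nameserver, queries_sent, elapsed_seconds).
    """
    elapsed, sent = 0.0, 0
    for ns in cycle(nameservers):
        remaining = lifetime - elapsed
        if remaining <= 0:
            return ("LifetimeTimeout", None, sent, round(elapsed, 2))
        sent += 1
        wait = min(per_query, remaining)
        if sent not in lost and ns not in dead and RTT <= wait:
            return ("answer", ns, sent, round(elapsed + RTT, 2))
        elapsed += wait  # no reply: this query's whole budget is spent


if __name__ == "__main__":
    single = ["192.0.2.53"]  # constructed address (documentation range)
    for label, cap in (("uncapped", False), ("capped", True)):
        per_query, lifetime = resolver_budget(2.0, single, cap_single_ns=cap)
        # One dropped datagram on the first query
        print(label, simulate(per_query, lifetime, single, lost={1}))
    public = ["1.1.1.1", "8.8.8.8"]
    per_query, lifetime = resolver_budget(2.0, public)
    # First resolver unreachable: failover happens after the 1s cap
    print("failover", simulate(per_query, lifetime, public, dead={"1.1.1.1"}))
```

The model leaves out any pause between passes over the list and the outer retries loop, which re-runs the whole attempt.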
5.14.3
Fixes
- Fix type of approved_mx_hostnames parameter in check_domains (closes #238)
- Resolve Pyright/Pylance type errors and warnings across the project:
  - Use Literal[True]/Literal[False] for valid in DMARCResults/DMARCErrorResults
    to enable discriminated union narrowing
  - Make nameservers parameter Optional in check_mx, get_mx_hosts, and
    get_tlsa_records to match call sites and the underlying query_dns
  - Type get_nameservers return as NameserverResultOk; type the error path
    in check_ns as NameserverResultError
  - Type parsed_dmarc_record in parse_bimi_record/check_bimi as
    Optional[Union[DMARCResults, DMARCErrorResults]]
  - Type results_to_json, results_to_csv, and results_to_csv_rows inputs
    as DomainCheckResult | list[DomainCheckResult]
  - Remove stray tuple wrapper around an add_argument call in the CLI
5.14.2
Fixes
- Fix unclosed socket ResourceWarning in test_tls and test_starttls by
using SMTP context managers and replacing timeout-decorator with smtplib's
built-in timeout parameter
- Remove timeout-decorator dependency