All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- duration of an SPF policy evaluation is now in milliseconds, rather than seconds
- duration is now also logged at info level for each SPF record evaluated
- each SPF txt record's length is logged at the info level & included in spf report section
- `-r d` report now outputs valid entries first (not all), followed by problematic DNS entries, so no more double entries in the reporting output
- csv output now escapes quotes in a string value
- switched to testsuite rfc7208-tests.yml which appears to be newer and has more tests.
- in case of a syntax error, also log the verdict on stderr
- digraph, links from include/redirect's with macros now link to the expanded name
- digraph, macro expansion of nested records should use the original ip and sender parts
- digraph, include local part of sender in evaluation result on top of the graph
- digraph, use the DNS cache when generating a digraph for an SPF policy
- digraph, include/redirect to a non-SPF record should say so (not just be empty)
- `-b`, `--batch N` flag to run Nx SPF evaluations concurrently when in batch mode
- `-T`, `--timeout N` flag to set the timeout for DNS queries
- also log the final verdict, not just the intermediate verdicts
- caching a DNS response of :servfail should not include the entire dns_msg as well
  - darn! should've checked this when refactoring the Spf.DNS module
- info message when an SPF record is tracking sender IP, EHLO and/or sender IP validated name.
- dot representation of an SPF record only shows the AST created
  - "v=spf1" was added automatically since it is not part of the AST
  - but this was confusing in cases where no SPF record was found
- when generating zonedata for rfc7208's testsuite omit CNAME and SOA records
  - they're not used in the testsuite anyway
- specifying zonedata to pre-load, dropped the `domain error` format
- records are no longer autogenerated
  - this was actually logic from rfc7208's testsuite
  - not needed by `Spfcheck` itself
- when updating the DNS cache with an error, it now replaces any existing rrdata
- queries for cached domain names with circular CNAME references, now yield :servfail
- dot file generation does not choke when no SPF records were found
- reporting on DNS data gathered now outputs any soa records properly
- authority search ignores CNAME results to find real SOA for given domain
  - the real SOA being the zone that contains the record for original search name
- loop detection (had some false positives)
- syntax error messages now also list reasons for the errors
- warning if ip4/ip6 mechanism actually masks host bits (i.e. address != this-network)
- warning if exists' domain is same as current SPF domain (which is unusual)
- warning if an unknown modifier has a mechanism name (an easy mistake)
- leading zeros in ip4/6 prefix lengths are actually a syntax error
- empty macro-string in an unknown modifier is actually legal
- %{t} now expands to timestamp (UNIX epoch time)
- unknown modifiers cannot use c,r,t-macros, they're only valid in an explain-string
- removed dependency on nimble_parsec
- DNS MECH counter shown at info level (was debug level)
- logs use uniform format: "term - message" format as much as possible
- redundant entry message now lists only the uniquely overlapping terms
- report option "g" to include a graphviz di-graph of the SPF policy
- warning when default '+'-qualifier is used in mechanisms
- a less confusing redundant-warning replaces the multiple-entries warning
- inconsistent warnings now report only the terms inconsistent with current term
- more consistent formatting of logging and verdict's reason
- `--nameserver` flag to customize which nameservers to use via IPv4 and/or IPv6 addresses
- `--author` flag to set author information in markdown metadata
- `--title` flag to set title information in markdown metadata
- prefixes are stored on exact match, not longest prefix match
- multiple entries warning now means the exact same prefix was seen multiple times
- unreachable-warning when new prefix is subnet of an existing supernet
- overlapping-warning when new prefix is supernet of an existing subnet
- inconsistent-warning for overlapping prefixes having different qualifiers
- notifications during context creation
- warning when exceeding 512 chars now shows offending SPF domain name
- "seen before"-warning changed into "multiple entries"-warning (less confusing)
- parser errors now correctly logged as :parse-errors instead of :eval-errors
- warning about inconsistent qualifiers in case of multiple entries
- warning about mx used while domain has null MX record
- warning for superfluous prefix lengths (/32 resp. /128)
- warning for zero prefix lengths (/0)
- verdict output includes owner domain and contact (also in csv-output)
- ipt logs show spf terms rather than their raw token
- logging to stderr now shows the domain in front, so redirecting stderr to a log file means the messages can be related to the domain being checked at that time.
- added warning when ?all or +all is used
- url for rfc7208 test suite
- use :dns (not :ipt) when logging dns additions to the cache
- Fix url for License badge
- Initial public version
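
The prefix warnings listed above (multiple entries, unreachable, overlapping, inconsistent, superfluous and zero prefix lengths, masked host bits) can be illustrated with a short linter over ip4/ip6 mechanisms. This is an added Python example, not code from the Spfcheck project; the function names, warning labels and sample terms are assumptions constructed for illustration.

```python
import ipaddress

QUALIFIERS = "+-~?"

def parse_term(term):
    """Return (qualifier, network, host_bits_masked) for an ip4/ip6 mechanism."""
    qual = term[0] if term[0] in QUALIFIERS else "+"  # '+' is the implicit default
    value = term.lstrip(QUALIFIERS).partition(":")[2]
    iface = ipaddress.ip_interface(value)  # no /len means /32 (ip4) or /128 (ip6)
    return qual, iface.network, iface.ip != iface.network.network_address

def lint_prefixes(terms):
    """Return (term, warning) pairs; the warning labels are this example's own."""
    seen = {}  # exact-match store: network -> qualifier of its first entry
    warnings = []
    for term in terms:
        qual, net, masked = parse_term(term)
        if masked:
            warnings.append((term, "host-bits-masked"))
        if net.prefixlen == 0:
            warnings.append((term, "zero-prefix-length"))
        elif "/" in term and net.prefixlen == net.max_prefixlen:
            warnings.append((term, "superfluous-prefix-length"))
        for old, old_qual in seen.items():
            if old.version != net.version:
                continue  # ip4 and ip6 prefixes never overlap
            if old == net:
                kind = "multiple-entries"   # exact same prefix seen before
            elif net.subnet_of(old):
                kind = "unreachable"        # an earlier supernet already matches
            elif net.supernet_of(old):
                kind = "overlapping"        # new prefix covers an earlier subnet
            else:
                continue
            warnings.append((term, kind))
            if old_qual != qual:
                warnings.append((term, "inconsistent"))
        seen.setdefault(net, qual)
    return warnings

# Constructed sample terms (documentation address ranges)
SAMPLE = ["ip4:192.0.2.0/24", "-ip4:192.0.2.128/25", "ip4:198.51.100.7/32",
          "ip4:203.0.113.9/24", "ip6:2001:db8::/32"]

if __name__ == "__main__":
    for term, warning in lint_prefixes(SAMPLE):
        print(f"{term} - {warning}")
```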