Correct DMARC and SPF record matching (#24)

globalcyberalliance · Sep 19, 2024 · 795e31f · 795e31f
1 parent d60fe3f
commit 795e31f
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 10 deletions.
diff --git a/cmd/dss/main.go b/cmd/dss/main.go
@@ -25,8 +25,8 @@ var (
 	cmd = &cobra.Command{
 		Use:     "dss",
 		Short:   "Scan a domain's DNS records.",
-		Long:    "Scan a domain's DNS records.\nhttps://github.com/GlobalCyberAlliance/domain-security-scanner/v3",
-		Version: "3.0.15",
+		Long:    "Scan a domain's DNS records.\nhttps://github.com/GlobalCyberAlliance/domain-security-scanner",
+		Version: "3.0.16",
 		PersistentPreRun: func(cmd *cobra.Command, args []string) {
 			var logWriter io.Writer
 

diff --git a/pkg/scanner/requests.go b/pkg/scanner/requests.go
@@ -2,23 +2,22 @@ package scanner
 
 import (
 	"fmt"
+	"regexp"
 	"strings"
 
 	"github.com/miekg/dns"
 )
 
 const (
-	DefaultBIMIPrefix  = "v=BIMI1;"
-	DefaultDKIMPrefix  = "v=DKIM1;"
-	DefaultDMARCPrefix = "v=DMARC1;"
-	DefaultSPFPrefix   = "v=spf1 "
+	DefaultBIMIPrefix = "v=BIMI1;"
+	DefaultDKIMPrefix = "v=DKIM1;"
 )
 
 var (
 	BIMIPrefix  = DefaultBIMIPrefix
 	DKIMPrefix  = DefaultDKIMPrefix
-	DMARCPrefix = DefaultDMARCPrefix
-	SPFPrefix   = DefaultSPFPrefix
+	DMARCPrefix = regexp.MustCompile(`^\s*v\s*=\s*DMARC1`) // Matches v=DMARC1 with whitespace (RFC7489).
+	SPFPrefix   = regexp.MustCompile(`^\s*v\s*=\s*(?i)spf1`)
 
 	// knownDkimSelectors is a list of known DKIM selectors.
 	knownDkimSelectors = []string{
@@ -171,7 +170,7 @@ func (s *Scanner) getTypeDMARC(domain string) (string, error) {
 		}
 
 		for index, record := range records {
-			if strings.HasPrefix(record, DMARCPrefix) {
+			if DMARCPrefix.Match([]byte(record)) {
 				// TXT records can be split across multiple strings, so we need to join them
 				return strings.Join(records[index:], ""), nil
 			}
@@ -190,7 +189,7 @@ func (s *Scanner) getTypeSPF(domain string) (string, error) {
 	}
 
 	for _, record := range records {
-		if strings.HasPrefix(record, SPFPrefix) {
+		if SPFPrefix.Match([]byte(record)) {
 			if !strings.Contains(record, "redirect=") {
 				return record, nil
 			}