Unrelated TXT record during parsing hotdix

CERT-Polska · Jan 9, 2024 · a3763d1 · a3763d1
1 parent 0c3b665
commit a3763d1
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 8 deletions.
diff --git a/app/requirements.txt b/app/requirements.txt
@@ -1,4 +1,5 @@
 checkdmarc==5.2.7
+git+https://github.com/CERT-Polska/checkdmarc@possibility-to-ignore-unrelated-dmarc-records
 dacite==1.8.1
 dkimpy==1.1.5
 email-validator==2.1.0.post1

diff --git a/app/src/scan.py b/app/src/scan.py
@@ -357,14 +357,31 @@ def scan_domain(
             raise checkdmarc.dmarc.DMARCRecordNotFound(None)
 
         domain_result.dmarc.location = dmarc_query["location"]
-        parsed_dmarc_record = checkdmarc.dmarc.parse_dmarc_record(
-            dmarc_query["record"],
-            dmarc_query["location"],
-            parked=parked,
-            include_tag_descriptions=include_dmarc_tag_descriptions,
-            nameservers=nameservers,
-            timeout=timeout,
-        )
+
+        try:
+            parsed_dmarc_record = checkdmarc.dmarc.parse_dmarc_record(
+                dmarc_query["record"],
+                dmarc_query["location"],
+                parked=parked,
+                include_tag_descriptions=include_dmarc_tag_descriptions,
+                nameservers=nameservers,
+                timeout=timeout,
+            )
+        except checkdmarc.dmarc.UnrelatedTXTRecordFoundAtDMARC:
+            dmarc_warnings.append(
+                "Unrelated TXT record found in the '_dmarc' subdomain of a domain the record refers to. "
+                "We recommend removing it, as such unrelated records may cause problems with some DMARC "
+                "implementations.",
+            )
+            parsed_dmarc_record = checkdmarc.dmarc.parse_dmarc_record(
+                dmarc_query["record"],
+                dmarc_query["location"],
+                parked=parked,
+                include_tag_descriptions=include_dmarc_tag_descriptions,
+                ignore_unrelated_records=True,
+                nameservers=nameservers,
+                timeout=timeout,
+            )
 
         if not check_spf_alignment(parsed_dmarc_record, envelope_domain, from_domain):
             domain_result.dmarc.errors.append(

diff --git a/app/src/translate.py b/app/src/translate.py
@@ -127,6 +127,13 @@
             "Znaleziono niepowiązane rekordy TXT w subdomenie '_dmarc'. Rekomendujemy ich usunięcie, ponieważ "
             "niektóre serwery mogą w takiej sytuacji odrzucić konfigurację DMARC jako błędną.",
         ),
+        (
+            "Unrelated TXT record found in the '_dmarc' subdomain of a domain the record refers to. "
+            "We recommend removing it, as such unrelated records may cause problems with some DMARC "
+            "implementations.",
+            "Znaleziono niepowiązane rekordy TXT w subdomenie '_dmarc' domeny, do której odwołuje się rekord. Rekomendujemy ich usunięcie, ponieważ "
+            "niektóre serwery mogą w takiej sytuacji odrzucić konfigurację DMARC jako błędną.",
+        ),
         (
             "The domain of the email address in a DMARC report URI is missing MX records. That means, that this domain "
             "may not receive DMARC reports.",