
Gate DMARC/SPF/MTA-STS on MX presence to reduce noise#892

Merged
liquidsec merged 2 commits into
devfrom
mx-gate-email-modules
May 25, 2026

Conversation

@liquidsec

Collaborator

Summary

  • Adds BadDNS_email_base (in baddns/lib/email_base.py) — shared intermediate base for the email-related modules. Provides has_email_infra() (MX check on target, falling back to the registered/apex domain) and mx_gate_skips().
  • DMARC and SPF now skip dispatch when neither the target nor its apex has any MX records. MTA-STS still runs — but the orphaned-TXT and policy-MX-mismatch findings are suppressed without MX, while the dangling mta-sts.* subdomain takeover and policy-MX WHOIS takeover findings keep running unconditionally (they're real takeover vectors regardless of mail flow).
  • New CLI flag --disable-mx-gate and matching disable_mx_gate kwarg for opt-out (useful for BBOT and explicit "I want everything" runs).
  • get_all_modules() now walks transitive subclasses and filters on the name class attribute, so intermediate bases like BadDNS_email_base aren't returned as modules.
  • Existing email tests pass disable_mx_gate=True to preserve their policy-logic focus; new tests cover the gate (skip without MX, run with subdomain MX, run with apex MX, opt-out via flag, MTA-STS finding-by-finding behavior).
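
To make the gate described above concrete, here is an added, stand-alone sketch of the same logic (not the baddns project's own code): an MX check with apex fallback, per-module skip sets, and the `--disable-mx-gate` opt-out. The finding names, the `FAKE_MX` table and the last-two-labels apex rule are assumptions for the demo; a real implementation would resolve MX over DNS and use the public suffix list.

```python
from typing import Callable, Dict, List, Set

MXLookup = Callable[[str], List[str]]

# Findings each module can emit (hypothetical names, not the project's).
FINDINGS: Dict[str, Set[str]] = {
    "dmarc": {"dmarc_missing", "dmarc_weak_policy"},
    "spf": {"spf_missing", "spf_too_permissive"},
    "mta_sts": {"mta_sts_orphaned_txt", "mta_sts_policy_mx_mismatch",
                "mta_sts_subdomain_takeover", "mta_sts_policy_mx_whois_takeover"},
}
# Takeover findings are real regardless of mail flow, so they never get gated.
ALWAYS_RUN = {"mta_sts_subdomain_takeover", "mta_sts_policy_mx_whois_takeover"}

def apex_domain(target: str) -> str:
    """Simplification: last two labels. Real code needs the public suffix list."""
    labels = target.rstrip(".").split(".")
    return ".".join(labels[-2:])

def has_email_infra(target: str, lookup_mx: MXLookup) -> bool:
    """True when the target, or failing that its apex, has an MX record."""
    if lookup_mx(target):
        return True
    apex = apex_domain(target)
    return apex != target and bool(lookup_mx(apex))

def mx_gate_skips(module: str, target: str, lookup_mx: MXLookup,
                  disable_mx_gate: bool = False) -> Set[str]:
    """Finding names to suppress for this module/target when no MX exists."""
    if disable_mx_gate or has_email_infra(target, lookup_mx):
        return set()
    return FINDINGS[module] - ALWAYS_RUN

def should_dispatch(module: str, target: str, lookup_mx: MXLookup,
                    disable_mx_gate: bool = False) -> bool:
    """Dispatch a module only if at least one of its findings survives the gate."""
    skips = mx_gate_skips(module, target, lookup_mx, disable_mx_gate)
    return bool(FINDINGS[module] - skips)

# Constructed DNS table for offline use: example.com has MX only at the apex,
# shop.example.net has its own MX, example.org has none at all.
FAKE_MX = {"example.com": ["mail.example.com."], "shop.example.net": ["mx.example.net."]}

def fake_lookup(name: str) -> List[str]:
    """Stand-in for a DNS MX query; returns MX targets for a hostname."""
    return FAKE_MX.get(name.rstrip("."), [])

if __name__ == "__main__":
    for t in ("www.example.com", "shop.example.net", "www.example.org"):
        print(t, {m: should_dispatch(m, t, fake_lookup) for m in FINDINGS})
```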

@liquidsec liquidsec merged commit 00efd44 into dev May 25, 2026
8 of 9 checks passed
@liquidsec liquidsec deleted the mx-gate-email-modules branch May 25, 2026 17:24
@codecov-commenter


Codecov Report

❌ Patch coverage is 98.30508% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 99.94%. Comparing base (0bef233) to head (19f9831).
⚠️ Report is 3 commits behind head on dev.

Files with missing lines | Patch % | Lines
baddns/lib/email_base.py | 97.14% | 1 Missing
@@             Coverage Diff             @@
##               dev     #892      +/-   ##
===========================================
- Coverage   100.00%   99.94%   -0.06%     
===========================================
  Files           26       27       +1     
  Lines         1927     1977      +50     
===========================================
+ Hits          1927     1976      +49     
- Misses           0        1       +1     


@liquidsec liquidsec mentioned this pull request May 25, 2026
