DNSHealth: bump to 1.1.2 and update providers/logic

Bump DNSHealth module to 1.1.2 and migrate MailProviders into the new version folder. Replace $PSScriptRoot usages with the module base ($MyInvocation.MyCommand.Module.ModuleBase) for MailProviders file access. Add DMARC-aware handling for SPF soft-fail (~all) in Read-SpfRecord (accept when DMARC p=reject at 100%, otherwise recommend -all). Remove Quad9 DNS-over-HTTPS resolver support from Resolve-DnsHttpsQuery and Set-DnsResolver. Update Microsoft365 MX pattern to include mail.eo.outlook.com. Rename and update Barracuda provider JSON (new name/links). Refresh PSGetModuleInfo metadata to reflect version, dates and file list.

Author: JohnDuprey

Modules/DNSHealth/1.1.0/MailProviders/BarracudaESS.json

@@ -12,7 +12,7 @@
     RootModule        = 'DNSHealth.psm1'
 
     # Version number of this module.
-    ModuleVersion     = '1.1.0'
+    ModuleVersion     = '1.1.2'
 
     # Supported PSEditions
     # CompatiblePSEditions = @()

Modules/DNSHealth/1.1.0/DNSHealth.psd1 Modules/DNSHealth/1.1.2/DNSHealth.psd1Modules/DNSHealth/1.1.0/DNSHealth.psd1 renamed to Modules/DNSHealth/1.1.2/DNSHealth.psd1

@@ -1155,13 +1155,13 @@ function Read-MXRecord {
     elseif ($Result.Status -ne 0 -or -not ($Result.Answer)) {
         if ($Result.Status -eq 3) {
             $ValidationFails.Add($NoMxValidation) | Out-Null
-            $MXResults.MailProvider = Get-Content "$PSScriptRoot\MailProviders\Null.json" | ConvertFrom-Json
+            $MXResults.MailProvider = Get-Content "$($MyInvocation.MyCommand.Module.ModuleBase)\MailProviders\Null.json" | ConvertFrom-Json
             $MXResults.Selectors = $MXRecords.MailProvider.Selectors
         }
 
         else {
             $ValidationFails.Add($NoMxValidation) | Out-Null
-            $MXResults.MailProvider = Get-Content "$PSScriptRoot\MailProviders\Null.json" | ConvertFrom-Json
+            $MXResults.MailProvider = Get-Content "$($MyInvocation.MyCommand.Module.ModuleBase)\MailProviders\Null.json" | ConvertFrom-Json
             $MXResults.Selectors = $MXRecords.MailProvider.Selectors
         }
         $MXRecords = $null
@@ -1183,17 +1183,17 @@ function Read-MXRecord {
         $MXRecords = $MXRecords | Sort-Object -Property Priority
 
         # Attempt to identify mail provider based on MX record
-        if (Test-Path "$PSScriptRoot\MailProviders") {
+        if (Test-Path "$($MyInvocation.MyCommand.Module.ModuleBase)\MailProviders") {
             $ReservedVariables = @{
                 'DomainNameDashNotation' = $Domain -replace '\.', '-'
             }
             if ($MXRecords.Hostname -eq '') {
                 $ValidationFails.Add($NoMxValidation) | Out-Null
-                $MXResults.MailProvider = Get-Content "$PSScriptRoot\MailProviders\Null.json" | ConvertFrom-Json
+                $MXResults.MailProvider = Get-Content "$($MyInvocation.MyCommand.Module.ModuleBase)\MailProviders\Null.json" | ConvertFrom-Json
             }
 
             else {
-                $ProviderList = Get-ChildItem "$PSScriptRoot\MailProviders" -Exclude '_template.json' | ForEach-Object {
+                $ProviderList = Get-ChildItem "$($MyInvocation.MyCommand.Module.ModuleBase)\MailProviders" -Exclude '_template.json' | ForEach-Object {
                     try { Get-Content $_ | ConvertFrom-Json -ErrorAction Stop }
                     catch { Write-Verbose $_.Exception.Message }
                 }
@@ -1345,7 +1345,7 @@ function Read-SpfRecord {
     Author: John Duprey
     #>
     [CmdletBinding(DefaultParameterSetName = 'Lookup')]
-    Param(
+    param(
         [Parameter(Mandatory = $true, ParameterSetName = 'Lookup')]
         [Parameter(ParameterSetName = 'Manual')]
         [string]$Domain,
@@ -1774,6 +1774,30 @@ function Read-SpfRecord {
             $ValidationPasses.Add('The SPF record ends with a hard fail qualifier (-all). This is best practice and will instruct recipients to discard unauthorized senders.') | Out-Null
         }
 
+        elseif ($AllMechanism -eq '~all') {
+            # Check DMARC policy for soft fail
+            $DmarcRejectPolicy = $false
+            try {
+                $DmarcPolicy = Read-DmarcPolicy -Domain $Domain -ErrorAction Stop
+                if ($DmarcPolicy.Policy -eq 'reject' -and ($DmarcPolicy.Percent -eq 100 -or $null -eq $DmarcPolicy.Percent)) {
+                    $DmarcRejectPolicy = $true
+                }
+            } catch {
+                Write-Verbose "Unable to read DMARC policy: $($_.Exception.Message)"
+            }
+
+            if ($DmarcRejectPolicy) {
+                $ValidationPasses.Add('The SPF record ends with a soft fail qualifier (~all). With DMARC p=reject at 100%, this is acceptable as DMARC will enforce rejection.') | Out-Null
+            } else {
+                $ValidationFails.Add('The SPF record should end in -all to prevent spamming.') | Out-Null
+                $Recommendations.Add([PSCustomObject]@{
+                        Message = "Replace '~all' with '-all' to make a SPF failure result in a hard fail."
+                        Match   = '~all'
+                        Replace = '-all'
+                    }) | Out-Null
+            }
+        }
+
         elseif ($Record -ne '') {
             $ValidationFails.Add('The SPF record should end in -all to prevent spamming.') | Out-Null
             $Recommendations.Add([PSCustomObject]@{
@@ -1865,7 +1889,7 @@ function Read-SpfRecord {
     # Output SpfResults object
     $SpfResults
 }
-#EndRegion './Public/Records/Read-SPFRecord.ps1' 553
+#EndRegion './Public/Records/Read-SPFRecord.ps1' 577
 #Region './Public/Records/Read-TlsRptRecord.ps1' -1
 
 function Read-TlsRptRecord {
@@ -2269,7 +2293,7 @@ function Resolve-DnsHttpsQuery {
     if (!$Results) { throw 'Exception querying resolver {0}: {1}' -f $Resolver.Resolver, $Exception.Exception.Message }
 
     if ($RecordType -eq 'txt' -and $Results.Answer) {
-        if ($Resolver -eq 'Cloudflare' -or $Resolver -eq 'Quad9') {
+        if ($Resolver -eq 'Cloudflare') {
             $Results.Answer | ForEach-Object {
                 $_.data = $_.data -replace '" "' -replace '"', ''
             }
@@ -2284,9 +2308,9 @@ function Resolve-DnsHttpsQuery {
 
 function Set-DnsResolver {
     [CmdletBinding(SupportsShouldProcess)]
-    Param(
+    param(
         [Parameter()]
-        [ValidateSet('Google', 'Cloudflare', 'Quad9')]
+        [ValidateSet('Google', 'Cloudflare')]
         [string]$Resolver = 'Google'
     )
 
@@ -2306,17 +2330,10 @@ function Set-DnsResolver {
                     QueryTemplate = '{0}?name={1}&type={2}'
                 }
             }
-            'Quad9' {
-                [PSCustomObject]@{
-                    Resolver      = $Resolver
-                    BaseUri       = 'https://dns.quad9.net:5053/dns-query'
-                    QueryTemplate = '{0}?name={1}&type={2}'
-                }
-            }
         }
     }
 }
-#EndRegion './Public/Resolver/Set-DnsResolver.ps1' 35
+#EndRegion './Public/Resolver/Set-DnsResolver.ps1' 28
 #Region './Public/Tests/Test-DNSSEC.ps1' -1
 
 function Test-DNSSEC {

Modules/DNSHealth/1.1.0/DNSHealth.psm1 Modules/DNSHealth/1.1.2/DNSHealth.psm1Modules/DNSHealth/1.1.0/DNSHealth.psm1 renamed to Modules/DNSHealth/1.1.2/DNSHealth.psm1

@@ -0,0 +1,10 @@
+{
+    "Name": "Barracuda Email Gateway Defense",
+    "_MxComment": "https://campus.barracuda.com/product/emailgatewaydefense/doc/167976430/step-2-configure-microsoft-365-for-inbound-and-outbound-mail",
+    "MxMatch": "ess(?<Country>.[a-z]{2})?.barracudanetworks.com",
+    "_SpfComment": "https://campus.barracuda.com/product/emailgatewaydefense/doc/167976840/sender-policy-framework-for-outbound-mail",
+    "SpfInclude": "spf.ess{0}.barracudanetworks.com",
+    "SpfReplace": ["Country"],
+    "_DkimComment": "No configuration found",
+    "Selectors": [""]
+}

…Health/1.1.0/MailProviders/AppRiver.json …Health/1.1.2/MailProviders/AppRiver.jsonModules/DNSHealth/1.1.0/MailProviders/AppRiver.json renamed to Modules/DNSHealth/1.1.2/MailProviders/AppRiver.json Modules/DNSHealth/1.1.0/MailProviders/AppRiver.json renamed to Modules/DNSHealth/1.1.2/MailProviders/AppRiver.json

@@ -1,6 +1,6 @@
 {
   "Name": "Microsoft 365",
-  "MxMatch": "mail.protection.outlook.com|mx.microsoft",
+  "MxMatch": "mail.protection.outlook.com|mx.microsoft|mail.eo.outlook.com",
   "SpfInclude": "spf.protection.outlook.com",
   "Selectors": ["selector1", "selector2"],
   "MinimumSelectorPass": 1,