This repository has been archived by the owner on Jun 10, 2020. It is now read-only.

Add scan for SPF records? #424

Closed
alex opened this issue Apr 30, 2016 · 2 comments

alex commented Apr 30, 2016

Specifically any domain which has an MX DNS record should be checked to see if there's an SPF TXT record, an email best practice to reduce fraudulent mail. This is particularly important for .gov domains because of the implied trust in that TLD.

cc @liyanchang

ab commented Aug 10, 2016

👍

And while we're at it, checking for DMARC TXT records would be great, since those are even more important for email authenticity.

For example, gov.uk publishes a strict p=reject policy:

```
$ dig +short _dmarc.gov.uk TXT
"v=DMARC1\;p=reject\;sp=none\;adkim=s\;aspf=s\;fo=1\;rua=mailto:[email protected]\;ruf=mailto:[email protected]"
```

See also how the UK's GDS is pushing HTTPS + HSTS and DMARC at the same time. https://gdstechnology.blog.gov.uk/2016/06/28/updating-our-security-guidelines-for-digital-services/
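
The check proposed in this thread, as an added example (not code from the thread or from pulse): it classifies SPF and DMARC from TXT answers in the `dig +short` form shown above. The function names, the `has_mx` flag supplied by the caller's own MX lookup, and the sample records are assumptions constructed for illustration.

```python
import re

def clean_txt(raw):
    # Join the quoted chunks of one `dig +short` TXT answer and drop
    # backslash escapes such as \; (decimal \DDD escapes are not handled).
    chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', raw)
    text = "".join(chunks) if chunks else raw
    return re.sub(r"\\(.)", r"\1", text).strip()

def spf_status(domain_txt):
    # An SPF record is a TXT record starting with "v=spf1" followed by a
    # space or end of record; more than one is an error for receivers.
    recs = [t for t in map(clean_txt, domain_txt)
            if re.match(r"v=spf1( |$)", t, re.I)]
    return "missing" if not recs else "multiple" if len(recs) > 1 else "present"

def dmarc_policy(dmarc_txt):
    # dmarc_txt holds the TXT answers for _dmarc.<domain>.
    recs = [t for t in map(clean_txt, dmarc_txt)
            if re.match(r"v\s*=\s*DMARC1\s*(;|$)", t)]
    if len(recs) != 1:
        return "missing" if not recs else "multiple"
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    p = tags.get("p")
    return p if p in ("none", "quarantine", "reject") else "invalid"

def scan(has_mx, domain_txt, dmarc_txt):
    # Only domains that receive mail (have an MX record) are checked.
    if not has_mx:
        return {"checked": False}
    return {"checked": True, "spf": spf_status(domain_txt),
            "dmarc": dmarc_policy(dmarc_txt)}

# Constructed sample answers in `dig +short` format (not real lookups).
SAMPLE_DOMAIN_TXT = ['"site-verification=constructed"',
                     '"v=spf1 include:_spf.mail.example " "-all"']
SAMPLE_DMARC_TXT = [r'"v=DMARC1\;p=reject\;sp=none\;adkim=s\;aspf=s\;fo=1"']

if __name__ == "__main__":
    print(scan(True, SAMPLE_DOMAIN_TXT, SAMPLE_DMARC_TXT))
```

A `dmarc` result of `none` means a record exists but only requests monitoring, so a scan report would want to distinguish it from `quarantine` and `reject`.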

gbinal added the backlog label Aug 17, 2016
gbinal commented Aug 17, 2016

Thanks for the good idea - I've added this to the list we keep of potential expansions to pulse but am going to go ahead and close the issue in the meantime. We're hoping to add more scans to pulse in FY'17 and will follow up here if this is chosen.

Again, thanks for the great idea and please share any others.

gbinal closed this as completed Aug 17, 2016