• Switch from DNS over UDP to DNS over TCP for DNSSEC and TLSA queries (Close #176)

• Clarify warnings for DMARC p=none and sp=none
• Use a different warning if DMARC pct is set to 0
• Add location to the JSON output for BIMI

Fix BIMI record parsing error introduced in 5.9.0

Bug fixes:

• Remove zero-width characters from domain inputs (Close #157)
• Add a warning when the DMARC record p or sp value is none (Close #163)
• Evaluate DMARC when checking BIMI
• Do lot show a BIMI certificate warning when the l tag is set to ""
• Include warnings if a domain is using BIMI, but does not have an enforced DMARC policy

New features:

Parsed SPF record details are now provided even if it uses too many DNS lookups

Having all of the details of a SPF record that is over the DNS lookup limit can help administrators see what portions of the SPF record are using the most lookups. The parsed record data can be found in the parsed key. In the event that a domain is over the lookup limit, valid will still be set to false and a helpful message describing the problem can be found in the error key. (Close #129)

API changes:

• Require keyword arguments to be passed as keyword=value pairs instead of positional arguments
• Add the option ignore_too_many_lookups to checkdmarc.spf.parse_spf_record()
  • This option will stop checkdmarc.spf.parse_spf_record() from rasing exceptions related to too many DNS lookups, in support of the new feature
  • False by default to maintain backwards compatibility
  • checkdmarc.spf.check_spf() uses this functionality to support the new feature

• Provide an easier to understand error message when a mark certificate is not is not issued by a recognized Mark Verifying Authority (MVA)
• Bug fix: failure to download a BIMI image is noted in the certificate section instead of the image section

What's Changed

• fix discrepencies on http_timeout usage by @glefait in #166
• Fixing a bug in policy/subdomain policy check for parked domains by @kazet in #167

New Contributors

• @glefait made their first contribution in #166

Full Changelog: 5.8.6...5.8.7

• Ignore unhandled critical extensions for mark certificates (PR #162 closes issue #161)

• Add SSL.com root MVC CA certificates to MVCCAs.pem
• Replace deprecated importlib.resources.path call with importlib.resources.file
  • Use importlib-resources to support older versions of Python

• Fix incomplete fix for issue #159

• Support ra=, rp= and rr= tags from RFC 6652 (PR #158)
• Do not use static answer positions when checking DNSSEC and TLSA (Fixes #159)