@blamejs/core 0.9.49 → 0.10.1

package/lib/mail-auth.js

@@ -32,10 +32,9 @@
  *   verifier that's deferred from this patch).
  */
 
-var dns = require("node:dns");
-var dnsPromises = dns.promises;
 var zlib = require("node:zlib");
 var net = require("node:net");
+var nodeCrypto = require("node:crypto");
 var lazyRequire = require("./lazy-require");
 var validateOpts = require("./validate-opts");
 var C = require("./constants");
@@ -43,6 +42,7 @@ var dkim = require("./mail-dkim");
 var safeXml = require("./parsers/safe-xml");
 var ipUtils = require("./ip-utils");
 var publicSuffix = require("./public-suffix");
+var networkDnsResolver = lazyRequire(function () { return require("./network-dns-resolver"); });
 var { MailAuthError } = require("./framework-error");
 
 var observability = lazyRequire(function () { return require("./observability"); });
@@ -53,6 +53,128 @@ void observability;
 // when crossed, matching mainstream MTAs.
 var SPF_DNS_LOOKUP_LIMIT = 10;
 
+// RFC 7208 §4.6.4 — "void lookup" cap. A void lookup is a successful
+// DNS query whose answer is empty (NXDOMAIN, no-data response, or
+// zero records returned). The SPF spec caps void lookups at 2; beyond
+// that the policy MUST permerror. Attackers chain misconfigured
+// `include:`s pointing at non-existent domains to amplify recursive
+// resolver work without tripping the 10-lookup ceiling.
+var SPF_VOID_LOOKUP_LIMIT = 2;                                                   // allow:raw-byte-literal — RFC 7208 §4.6.4 void-lookup ceiling
+
+// RFC 7208 §3.3 — each SPF TXT record MUST NOT exceed 450 bytes when
+// concatenated across multi-string TXT chunks. The spec lifts a
+// receiver MUST-refuse on >450-byte records to bound parse work.
+var SPF_RECORD_MAX_BYTES = 450;                                                  // allow:raw-byte-literal — RFC 7208 §3.3 record ceiling
+
+// SPF redirect= modifier (RFC 7208 §6.1) recursion cap. The modifier
+// re-evaluates against a different domain; a chain of redirect= cycles
+// MUST terminate. We bound at the same depth as the lookup ceiling
+// minus current count (the redirect itself counts as one lookup); the
+// hard cap below is an additional belt-and-braces against malformed
+// upstream policies that would otherwise spin until the lookup cap
+// alone tripped.
+var SPF_REDIRECT_DEPTH_LIMIT = 10;                                               // allow:raw-byte-literal — same shape as RFC 7208 §4.6.4 lookup ceiling
+
+// Shared safe-DNS TXT/A/AAAA/PTR lookup. Operator-supplied
+// `dnsLookup` (legacy `[[strings]]` shape for TXT; flat `[addr, ...]`
+// for A/AAAA; flat `[name]` for PTR) takes precedence; otherwise
+// routes through `b.network.dns.resolver` (DoH by default per
+// v0.7.23). CVE-2008-1447 (Kaminsky) + CVE-2022-3204
+// (NRDelegationAttack) class — the encrypted DoH transport plus
+// b.safeDns parse caps defend transport and parse-side. Earlier
+// shape fell back to `node:dns.promises.resolveTxt` directly, which
+// sent plaintext UDP/53 to whatever the system resolver was — every
+// downstream finding inherited that exposure.
+var _defaultResolver = null;
+function _getDefaultResolver() {
+  if (_defaultResolver) return _defaultResolver;
+  _defaultResolver = networkDnsResolver().create();
+  return _defaultResolver;
+}
+
+async function _safeResolveTxt(qname, operatorLookup) {
+  if (operatorLookup) return operatorLookup(qname, "TXT");
+  var r = await _getDefaultResolver().queryTxt(qname);
+  var out = [];
+  for (var i = 0; i < r.rrs.length; i += 1) {
+    var rr = r.rrs[i];
+    if (rr && rr.type === 16) {                                                  // allow:raw-byte-literal — IANA DNS qtype TXT
+      out.push(Array.isArray(rr.decoded) ? rr.decoded : [String(rr.decoded)]);
+    }
+  }
+  if (out.length === 0) {
+    var err = new Error("no TXT records for " + qname);
+    err.code = "ENODATA";
+    throw err;
+  }
+  return out;
+}
+
+async function _safeResolveA(qname, family /* 4|6 */) {
+  var r = await _getDefaultResolver().query(qname, family === 6 ? "AAAA" : "A");
+  var out = [];
+  for (var i = 0; i < r.rrs.length; i += 1) {
+    var rr = r.rrs[i];
+    var wantType = family === 6 ? 28 : 1;                                        // allow:raw-byte-literal — IANA DNS qtype AAAA / A
+    if (rr && rr.type === wantType) out.push(rr.decoded);
+  }
+  if (out.length === 0) {
+    var err = new Error("no " + (family === 6 ? "AAAA" : "A") + " records for " + qname);
+    err.code = "ENODATA";
+    throw err;
+  }
+  return out;
+}
+
+async function _safeReverse(ip) {
+  // PTR query against the reverse-arpa name. IPv4: a.b.c.d.in-addr.arpa
+  // (reversed octets); IPv6: nibble-reversed under ip6.arpa.
+  var qname = _ipToReverseArpa(ip);
+  if (qname === null) {
+    var err = new Error("invalid IP literal: " + ip);
+    err.code = "ENOTFOUND";
+    throw err;
+  }
+  var r = await _getDefaultResolver().query(qname, "PTR");
+  var out = [];
+  for (var i = 0; i < r.rrs.length; i += 1) {
+    var rr = r.rrs[i];
+    if (rr && rr.type === 12) {                                                  // allow:raw-byte-literal — IANA DNS qtype PTR
+      // Strip trailing dot if present (PTR rdata is FQDN with root dot).
+      var name = String(rr.decoded || "").replace(/\.$/, "");
+      if (name.length > 0) out.push(name);
+    }
+  }
+  if (out.length === 0) {
+    var e2 = new Error("no PTR records for " + ip);
+    e2.code = "ENODATA";
+    throw e2;
+  }
+  return out;
+}
+
+function _ipToReverseArpa(ip) {
+  if (typeof ip !== "string") return null;
+  if (net.isIPv4(ip)) {
+    var p = ip.split(".");
+    if (p.length !== 4) return null;                                             // allow:raw-byte-literal — IPv4 octet count
+    return p[3] + "." + p[2] + "." + p[1] + "." + p[0] + ".in-addr.arpa";
+  }
+  if (net.isIPv6(ip)) {
+    var groups = ipUtils.expandIpv6Groups(ip);
+    if (!groups) return null;
+    var hex = "";
+    for (var i = 0; i < groups.length; i += 1) {
+      var s = groups[i].toString(16);                                            // allow:raw-byte-literal — hex radix
+      while (s.length < 4) s = "0" + s;                                          // allow:raw-byte-literal — IPv6 group nibble count
+      hex += s;
+    }
+    var rev = hex.split("").reverse().join(".");
+    return rev + ".ip6.arpa";
+  }
+  return null;
+}
+
 // ---- Helpers ----
 
 function _ipv4ToInt(ip) {
@@ -168,9 +290,7 @@ function _parseSpfRecord(text) {
 async function _fetchSpfRecord(domain, dnsLookup) {
   var records;
   try {
-    records = dnsLookup
-      ? await dnsLookup(domain, "TXT")
-      : await dnsPromises.resolveTxt(domain);
+    records = await _safeResolveTxt(domain, dnsLookup);
   } catch (e) {
     if (e && (e.code === "ENOTFOUND" || e.code === "ENODATA")) return { kind: "none" };
     throw new MailAuthError("mail-auth/spf-lookup-failed",
@@ -189,6 +309,15 @@ async function _fetchSpfRecord(domain, dnsLookup) {
              reason: "domain " + domain + " publishes " + matches.length +
                      " v=spf1 records; RFC 7208 §4.5 requires at most one" };
   }
+  // RFC 7208 §3.3 — the SPF record (concatenated across multi-string
+  // TXT chunks) MUST NOT exceed 450 bytes. Receivers MUST refuse
+  // larger records (permerror) so a malformed-large policy can't
+  // amplify parser work.
+  if (matches[0].length > SPF_RECORD_MAX_BYTES) {
+    return { kind: "permerror",
+             reason: "domain " + domain + " SPF record is " + matches[0].length +
+                     " bytes; RFC 7208 §3.3 caps at " + SPF_RECORD_MAX_BYTES };
+  }
   return { kind: "found", record: matches[0] };
 }
 
@@ -210,7 +339,7 @@ async function spfVerify(opts) {
       "spf.verify: mailFrom or helo is required");
   }
 
-  var lookups = { count: 0, limit: SPF_DNS_LOOKUP_LIMIT };
+  var lookups = { count: 0, limit: SPF_DNS_LOOKUP_LIMIT, void: 0 };
   // RFC 7208 §4.6.4 — the initial query for the sender domain's SPF
   // record itself does NOT count toward the 10-lookup limit. Only
   // include / a / mx / ptr / exists / redirect mechanisms count.
@@ -232,6 +361,19 @@ async function _spfEvaluateDomain(domain, ip, dnsLookup, lookups, ctx) {
   if (lookups.count > lookups.limit) {
     return { verdict: "permerror", explanation: "DNS lookup limit exceeded (RFC 7208 §4.6.4)" };
   }
+  // RFC 7208 §4.6.4 — void-lookup ceiling. Each successful query that
+  // returns 0 records (NXDOMAIN, no-data) counts. Beyond 2, permerror.
+  if ((lookups.void || 0) > SPF_VOID_LOOKUP_LIMIT) {
+    return { verdict: "permerror",
+             explanation: "SPF void-lookup limit exceeded (RFC 7208 §4.6.4)" };
+  }
+  // RFC 7208 §6.1 — redirect= recursion bound. Per-evaluation
+  // re-entries via redirect MUST terminate. The lookup limit also
+  // catches pathological chains; this bound is the belt-and-braces.
+  if ((ctx.redirectDepth || 0) > SPF_REDIRECT_DEPTH_LIMIT) {
+    return { verdict: "permerror",
+             explanation: "SPF redirect= recursion limit exceeded (RFC 7208 §6.1)" };
+  }
   // Initial query for the sender's SPF record doesn't count (RFC 7208
   // §4.6.4); only include / a / mx / ptr / exists / redirect do.
   if (!ctx.isInitial) lookups.count += 1;
@@ -245,6 +387,11 @@ async function _spfEvaluateDomain(domain, ip, dnsLookup, lookups, ctx) {
     return { verdict: "permerror", explanation: fetched.reason };
   }
   if (fetched.kind === "none") {
+    // Void lookup — count toward §4.6.4 ceiling. Initial query
+    // doesn't count as a "lookup" but DOES count as void if the
+    // sender has no SPF (mirrors the spec's intent: a misconfigured
+    // sender that publishes no record still consumes a slot).
+    lookups.void = (lookups.void || 0) + 1;
     return { verdict: "none", explanation: "no SPF record at " + domain };
   }
 
@@ -280,8 +427,7 @@ async function _spfEvaluateDomain(domain, ip, dnsLookup, lookups, ctx) {
                  explanation: "include:" + m.arg + " has no SPF record (RFC 7208 §5.2)" };
       }
     } else if (m.mechanism === "a" || m.mechanism === "mx" ||
-               m.mechanism === "exists" || m.mechanism === "ptr" ||
-               m.mechanism === "redirect") {
+               m.mechanism === "exists" || m.mechanism === "ptr") {
       // Out of scope this patch — operators with these get permerror
       // so they know to investigate.
       return {
@@ -301,6 +447,33 @@ async function _spfEvaluateDomain(domain, ip, dnsLookup, lookups, ctx) {
                (m.arg ? ":" + m.arg : "") };
     }
   }
+
+  // RFC 7208 §6.1 — `redirect=<domain>` modifier: when no mechanism
+  // matched, fall through to the target domain's policy. The redirect
+  // is ignored if an `all` mechanism is present (since `all` matches
+  // unconditionally, the redirect is unreachable by construction).
+  // Pre-this-patch the redirect= modifier was silently dropped — a
+  // domain whose only policy was `v=spf1 redirect=_spf.example.com`
+  // returned "neutral" instead of the redirected verdict, leaving
+  // every legitimate sender unauthenticated.
+  var mods = mechanisms.modifiers || [];
+  for (var rmi = 0; rmi < mods.length; rmi += 1) {
+    if (mods[rmi].name === "redirect" && mods[rmi].value) {
+      // Redirect counts as one DNS-mechanism per §4.6.4.
+      var redirected = await _spfEvaluateDomain(
+        mods[rmi].value.toLowerCase(), ip, dnsLookup, lookups,
+        { redirectDepth: (ctx.redirectDepth || 0) + 1 });
+      // RFC 7208 §6.1 — if the redirect target has no SPF record,
+      // permerror (the operator's intent is unverifiable).
+      if (redirected.verdict === "none") {
+        return { verdict: "permerror",
+                 explanation: "redirect=" + mods[rmi].value +
+                              " has no SPF record (RFC 7208 §6.1)" };
+      }
+      return redirected;
+    }
+  }
+
   return { verdict: "neutral", explanation: "no mechanism matched" };
 }
 
@@ -310,9 +483,7 @@ async function _fetchDmarcRecord(domain, dnsLookup) {
   var qname = "_dmarc." + domain.toLowerCase();
   var records;
   try {
-    records = dnsLookup
-      ? await dnsLookup(qname, "TXT")
-      : await dnsPromises.resolveTxt(qname);
+    records = await _safeResolveTxt(qname, dnsLookup);
   } catch (e) {
     if (e && (e.code === "ENOTFOUND" || e.code === "ENODATA")) return null;
     throw new MailAuthError("mail-auth/dmarc-lookup-failed",
@@ -391,18 +562,25 @@ function _alignmentCheck(fromDomain, authDomain, mode) {
   var f = fromDomain.toLowerCase();
   var a = authDomain.toLowerCase();
   if (mode === "s") return f === a;                                              // strict
-  // relaxed: same org-domain (suffix check). Without PSL we can't do
-  // exact org-domain extraction; best-effort is "auth domain ends
-  // with from domain or vice versa".
+  // RFC 7489 §3.1.1 + DMARCbis §4.4 — relaxed alignment compares the
+  // organizational domain (the public-suffix-tail registered name).
+  // Earlier shape did a naive `endsWith` text-suffix check which over-
+  // approximated alignment: `evil-bank.com` and `bank.com` looked
+  // aligned even though they're separately registered. PSL lookup
+  // closes the gap.
   if (f === a) return true;
-  if (f.length > a.length && f.slice(-a.length - 1) === "." + a) return true;
-  if (a.length > f.length && a.slice(-f.length - 1) === "." + f) return true;
+  var fOrg = null;
+  var aOrg = null;
+  try { fOrg = publicSuffix.organizationalDomain(f); } catch (_e) { fOrg = null; }
+  try { aOrg = publicSuffix.organizationalDomain(a); } catch (_e) { aOrg = null; }
+  if (fOrg && aOrg && fOrg === aOrg) return true;
   return false;
 }
 
 async function dmarcEvaluate(opts) {
   opts = opts || {};
-  validateOpts(opts, ["from", "spf", "dkim", "dnsLookup", "domainExists"],
+  validateOpts(opts, ["from", "spf", "dkim", "dnsLookup", "domainExists",
+                       "pctSampleKey"],
                "mail.dmarc.evaluate");
   if (typeof opts.from !== "string") {
     throw new MailAuthError("mail-auth/dmarc-bad-from",
@@ -518,12 +696,35 @@ async function dmarcEvaluate(opts) {
   // not "deliver". When pct is < 100 the receiver applies the policy
   // to that fraction of failing messages and the rest gets the next-
   // less-strict disposition (reject → quarantine; quarantine → none).
-  // Pre-v0.8.32 this was ignored — the framework's recommendedAction
-  // returned the unconditional `policy.p` which over-applied at low
-  // pct values.
+  //
+  // Sampling determinism: a single message MUST receive the same
+  // sampled/not-sampled verdict across retries. `Math.random()` re-
+  // rolls per-call so the receiver's first attempt could deliver
+  // (sampled=true → quarantine→none) while a retry rejected — leading
+  // to inconsistent disposition for the same SMTP envelope. Derive
+  // the sample roll from a stable per-message key (operator-supplied
+  // `pctSampleKey` — typically the Message-ID + From-domain + a
+  // receiver-side secret) hashed via SHAKE256, mapped to [0,100). When
+  // the operator doesn't supply a key we fall back to a per-call
+  // crypto.randomInt — still cryptographically uniform, just not
+  // retry-stable. The fallback is the framework's hardening floor
+  // (replaces Math.random); retry-stability requires the operator to
+  // wire a key.
   var pctRaw = parseInt(policy.pct, 10);                                                       // allow:raw-byte-literal — pct percentage, not bytes
   var pct = isFinite(pctRaw) && pctRaw >= 0 && pctRaw <= 100 ? pctRaw : 100;                    // allow:raw-byte-literal — pct percentage, not bytes
-  var sampled = !pass && pct < 100 && Math.random() * 100 >= pct;                               // allow:raw-byte-literal — pct sample roll / allow:math-random-noncrypto — RFC 7489 §6.6.4 pct probabilistic sampling, not security-sensitive
+  var sampleRoll;
+  if (typeof opts.pctSampleKey === "string" && opts.pctSampleKey.length > 0) {
+    // Deterministic per-message sample roll. SHAKE256 → first 4 bytes
+    // → uint32 → modulo 100. 4 bytes is far in excess of the
+    // information needed for 0..99 and uniform mapping is fine.
+    var hash = nodeCrypto.createHash("shake256", { outputLength: 4 })
+                          .update(String(opts.pctSampleKey)).digest();
+    var u32 = (hash[0] << 24 >>> 0) + (hash[1] << 16) + (hash[2] << 8) + hash[3];               // allow:raw-byte-literal — uint32 bit assembly
+    sampleRoll = u32 % 100;                                                                     // allow:raw-byte-literal — pct sample roll
+  } else {
+    sampleRoll = nodeCrypto.randomInt(0, 100);                                                  // allow:raw-byte-literal — pct sample roll
+  }
+  var sampled = !pass && pct < 100 && sampleRoll >= pct;
   var recommendedAction = pass ? "deliver" :
                           sampled
                             ? (policy.p === "reject" ? "quarantine" :
@@ -604,6 +805,15 @@ async function arcVerify(rfc822, opts) {
   //    instance would silently overwrite the original signer).
   var duplicate = false;
   var maxInstanceSeen = 0;
+  // RFC 8617 §5.2 — verifier MUST process the chain starting with the
+  // highest-instance set, then walk down. Each hop prepends its three
+  // headers (AS, AMS, AAR) to the message, so the source order from
+  // top to bottom is: i=N (AS, AMS, AAR), i=N-1 (...), ..., i=1.
+  // A chain whose source order doesn't decrease has been re-shuffled
+  // by an intermediary that didn't follow §5.1, or is forged. Track
+  // per-header-set first-appearance order and enforce strictly-
+  // decreasing instances.
+  var orderTrail = [];                       // [{ inst, name, idx }]
   for (var i = 0; i < headers.length; i += 1) {
     var line = headers[i];
     var colonAt = line.indexOf(":");
@@ -625,6 +835,30 @@ async function arcVerify(rfc822, opts) {
     seenSlot[slotKey] = true;
     if (!hops[inst - 1]) hops[inst - 1] = { instance: inst };
     hops[inst - 1][name] = value;
+    orderTrail.push({ inst: inst, name: name, idx: i });
+  }
+
+  // Source-order enforcement (RFC 8617 §5.1 + §5.2): the first AS for
+  // a given hop must appear before its AMS, which must appear before
+  // its AAR (within a single set). Across sets, hop instances MUST
+  // strictly decrease top-to-bottom. Use the first-appearance index
+  // per hop to validate the cross-set ordering; an out-of-order chain
+  // is treated as a structural failure rather than risking a permissive
+  // verdict.
+  var orderFail = null;
+  if (orderTrail.length > 0) {
+    // Per-hop first-appearance: which i= instance owns each contiguous
+    // run? Walk top to bottom and confirm the instance numbers, when
+    // they change, only EVER decrease.
+    var prevInst = null;
+    for (var oi = 0; oi < orderTrail.length; oi += 1) {
+      var cur = orderTrail[oi].inst;
+      if (prevInst !== null && cur > prevInst) {
+        orderFail = "header-order-ascending-i=" + cur + "-after-i=" + prevInst;
+        break;
+      }
+      prevInst = cur;
+    }
   }
 
   if (hops.length === 0) {
@@ -646,6 +880,21 @@ async function arcVerify(rfc822, opts) {
     };
   }
 
+  if (orderFail) {
+    return {
+      chainStatus: "fail",
+      reason:      "header-order-violation: " + orderFail,
+      hopCount:    hops.filter(Boolean).length,
+      hops: hops.filter(Boolean).map(function (h) {
+        return { instance: h.instance,
+                 hasSeal: !!h["arc-seal"],
+                 hasMessageSignature: !!h["arc-message-signature"],
+                 hasAuthenticationResults: !!h["arc-authentication-results"],
+                 amsResult: "skipped", asResult: "skipped" };
+      }),
+    };
+  }
+
   if (maxInstanceSeen > ARC_MAX_HOPS) {
     return {
       chainStatus: "fail",
@@ -827,12 +1076,7 @@ async function _verifyArc(rfc822, hop, allHops, kind, dnsLookup, dkim) {
   var keyTags;
   try {
     var qname = tags.s + "._domainkey." + tags.d;
-    var records;
-    if (dnsLookup) records = await dnsLookup(qname, "TXT");
-    else {
-      var dnsModule = require("node:dns/promises");
-      records = await dnsModule.resolveTxt(qname);
-    }
+    var records = await _safeResolveTxt(qname, dnsLookup);
     keyTags = _parseDkimKeyRecord(records);
   } catch (e) {
     var verdict = (e && (e.code === "ENOTFOUND" || e.code === "ENODATA"))
@@ -1296,8 +1540,24 @@ function dmarcParseAggregateReport(input, opts) {
   if (contentType.indexOf("gzip") !== -1 || looksGzip) {
     try { bytes = zlib.gunzipSync(bytes, { maxOutputLength: DMARC_RUA_MAX_REPORT_BYTES }); }
     catch (e) {
+      // Distinguish "decompressed bytes exceed cap" (gunzip bomb /
+      // amplification — operator should rate-limit the source) from
+      // "stream is malformed" (operator-level diagnostic) so audit/
+      // alert wiring can react differently. Node surfaces the bomb
+      // case with ERR_BUFFER_TOO_LARGE / "Output length exceeded the
+      // limit" / the explicit `maxOutputLength` code. CVE-class:
+      // CVE-2024-zlib decompression amplification.
+      var msg = (e && e.message) || String(e);
+      var isBomb = (e && (e.code === "ERR_BUFFER_TOO_LARGE" ||
+                          e.code === "ERR_OUT_OF_RANGE")) ||
+                   /output length|max(?:imum)?\s+output|exceeds?/i.test(msg);
+      if (isBomb) {
+        throw new MailAuthError("mail-auth/dmarc-rua-gunzip-bomb",
+          "dmarc.parseAggregateReport: gunzip output exceeded " +
+          DMARC_RUA_MAX_REPORT_BYTES + " bytes (decompression amplification — refused)");
+      }
       throw new MailAuthError("mail-auth/dmarc-rua-gunzip-failed",
-        "dmarc.parseAggregateReport: gunzip failed: " + ((e && e.message) || String(e)));
+        "dmarc.parseAggregateReport: gunzip failed: " + msg);
     }
   }
 
@@ -1436,6 +1696,31 @@ function _shapeAggregateReport(parsed) {
 // "temperror" on ENODATA / ENOTFOUND / lookup failure (the receiver
 // retries on transient DNS faults). Pure-DNS — no operator state.
 
+// RFC 8601 §3 — PTR result shape. The PTR rdata is an FQDN (1*labels).
+// Reject answers that aren't shaped as a DNS name: non-strings,
+// empty strings, strings containing chars outside DNS LDH+dot, or
+// labels exceeding 63 octets. An attacker who controls a reverse
+// zone could publish a PTR whose rdata is arbitrary bytes (e.g.
+// `<script>...`) that downstream consumers (audit / Authentication-
+// Results emission) might fail to escape. Pre-filter at the iprev
+// boundary so only well-shaped names reach downstream.
+function _isValidPtrName(name) {
+  if (typeof name !== "string") return false;
+  var trimmed = name.replace(/\.$/, "");
+  if (trimmed.length === 0 || trimmed.length > 253) return false;                // allow:raw-byte-literal — RFC 1035 hostname cap
+  // Labels: 1..63 octets, LDH (letter / digit / hyphen) + leading
+  // alphanum (RFC 1035 §2.3.1). Permissive: PTR rdata can in practice
+  // contain underscores (mail-server idiom) — allow underscore in
+  // labels too. Reject anything else.
+  var labels = trimmed.split(".");
+  for (var i = 0; i < labels.length; i += 1) {
+    var lab = labels[i];
+    if (lab.length === 0 || lab.length > 63) return false;                       // allow:raw-byte-literal — RFC 1035 label cap
+    if (!/^[A-Za-z0-9_](?:[A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?$/.test(lab)) return false;
+  }
+  return true;
+}
+
 async function iprevVerify(ip) {
   if (typeof ip !== "string" || ip.length === 0) {
     return { result: "permerror", ip: ip || null,
@@ -1449,7 +1734,7 @@ async function iprevVerify(ip) {
   }
 
   var ptrs;
-  try { ptrs = await dnsPromises.reverse(ip); }
+  try { ptrs = await _safeReverse(ip); }
   catch (e) {
     var rcode = e && e.code;
     if (rcode === "ENOTFOUND" || rcode === "ENODATA") {
@@ -1470,14 +1755,18 @@ async function iprevVerify(ip) {
   // RFC 8601 §3 — when multiple PTRs exist the receiver picks ONE
   // and continues. We pick the first (matches mainstream MTA
   // behavior) and stash the rest for operator visibility on the
-  // out-of-band metadata.
-  var ptr = String(ptrs[0]);
+  // out-of-band metadata. Validate the PTR's shape FIRST — a PTR
+  // with arbitrary bytes shouldn't reach downstream consumers.
+  var ptr = String(ptrs[0]).replace(/\.$/, "");
+  if (!_isValidPtrName(ptr)) {
+    return { result: "permerror", ip: ip,
+             ptr: ptr, forward: [], fcrdns: false,
+             explanation: "PTR record is not a valid DNS name shape (RFC 8601 §3)" };
+  }
   var isV6 = net.isIPv6(ip);
   var forwardAddrs;
   try {
-    forwardAddrs = isV6
-      ? await dnsPromises.resolve6(ptr)
-      : await dnsPromises.resolve4(ptr);
+    forwardAddrs = await _safeResolveA(ptr, isV6 ? 6 : 4);
   } catch (e) {
     var fcode = e && e.code;
     if (fcode === "ENOTFOUND" || fcode === "ENODATA") {