blackveil-dns 2.0.6 → 2.0.9

package/README.md

@@ -59,7 +59,7 @@ Transport support:
 ## What you get
 
 - **57+ checks across 20 categories** — SPF, DMARC, DKIM, DNSSEC, SSL/TLS, MTA-STS, NS, CAA, MX, BIMI, TLS-RPT, subdomain takeover, lookalike domains, HTTP security headers, DANE, shadow domains, TXT hygiene, MX reputation, SRV, zone hygiene
-- **Maturity staging** — Stage 0-4 classification (Unprotected to Hardened) with next steps
+- **Maturity staging** — Stage 0-4 classification (Unprotected to Hardened) with score-based capping to prevent inflated labels
 - **Trust surface analysis** — detects shared SaaS platforms (Google, M365, SendGrid) and cross-references DMARC enforcement to determine real exposure
 - **Guided remediation** — `generate_fix_plan` produces prioritized actions; record generators output ready-to-publish SPF, DMARC, DKIM, and MTA-STS records
 - **Spoofability scoring** — `assess_spoofability` computes a composite 0-100 email spoofability score from SPF trust surface, DMARC enforcement, and DKIM coverage with interaction multipliers
@@ -209,8 +209,9 @@ claude mcp add --transport http blackveil-dns https://dns-mcp.blackveilsecurity.
 {
   "mcpServers": {
     "blackveil-dns": {
-      "command": "npx",
+      "command": "/opt/homebrew/bin/npx",
       "args": [
+        "-y",
         "mcp-remote",
         "https://dns-mcp.blackveilsecurity.com/mcp",
         "--header",
@@ -270,6 +271,13 @@ claude mcp add-json blackveil-dns \
 
 > On macOS GUI apps, `npx` may not resolve from `PATH`; if Homebrew is installed elsewhere, replace `/opt/homebrew/bin/npx` with your actual `npx` path. After editing the config, fully restart Claude Desktop. If you already have other servers, merge `"blackveil-dns"` into your existing `"mcpServers"` object — don't paste a second `{ }` wrapper.
 
+If you operate this Worker with bearer auth enabled, also register the same value as the production Worker secret:
+
+```bash
+npx wrangler versions secret put BV_API_KEY -c .dev/wrangler.deploy.jsonc
+npx wrangler versions deploy -c .dev/wrangler.deploy.jsonc --yes
+```
+
 </details>
 
 <details>

package/dist/index.d.ts

@@ -159,7 +159,7 @@ declare function sanitizeDomain(input: string): string;
 declare function sanitizeInput(input: string, maxLength?: number): string;
 
 /** Server version — keep in sync with package.json */
-declare const SERVER_VERSION = "2.0.6";
+declare const SERVER_VERSION = "2.0.9";
 
 /**
  * Check BIMI records for a domain.

package/dist/index.js

@@ -388,11 +388,11 @@ function createFinding(category, title, severity, detail, metadata) {
 }
 var PROFILE_WEIGHTS = {
   mail_enabled: {
-    // Core (sum=52)
+    // Core (sum=54)
     spf: { importance: 10 },
     dmarc: { importance: 16 },
     dkim: { importance: 10 },
-    dnssec: { importance: 8 },
+    dnssec: { importance: 10 },
     ssl: { importance: 8 },
     // Protective (sum=20)
     subdomain_takeover: { importance: 4 },
@@ -415,11 +415,11 @@ var PROFILE_WEIGHTS = {
     zone_hygiene: { importance: 0 }
   },
   enterprise_mail: {
-    // Core (sum=58)
+    // Core (sum=63)
     spf: { importance: 10 },
-    dmarc: { importance: 18 },
+    dmarc: { importance: 20 },
     dkim: { importance: 12 },
-    dnssec: { importance: 10 },
+    dnssec: { importance: 13 },
     ssl: { importance: 8 },
     // Protective (sum=22)
     subdomain_takeover: { importance: 5 },
@@ -442,12 +442,12 @@ var PROFILE_WEIGHTS = {
     zone_hygiene: { importance: 0 }
   },
   non_mail: {
-    // Core (sum=19)
+    // Core (sum=29)
     spf: { importance: 2 },
-    dmarc: { importance: 2 },
-    dkim: { importance: 1 },
-    dnssec: { importance: 8 },
-    ssl: { importance: 8 },
+    dmarc: { importance: 3 },
+    dkim: { importance: 2 },
+    dnssec: { importance: 12 },
+    ssl: { importance: 10 },
     // Protective (sum=24)
     subdomain_takeover: { importance: 6 },
     http_security: { importance: 6 },
@@ -469,12 +469,12 @@ var PROFILE_WEIGHTS = {
     zone_hygiene: { importance: 0 }
   },
   web_only: {
-    // Core (sum=20)
+    // Core (sum=28)
     spf: { importance: 0 },
     dmarc: { importance: 0 },
     dkim: { importance: 0 },
-    dnssec: { importance: 8 },
-    ssl: { importance: 12 },
+    dnssec: { importance: 14 },
+    ssl: { importance: 14 },
     // Protective (sum=24)
     subdomain_takeover: { importance: 6 },
     http_security: { importance: 8 },
@@ -496,12 +496,12 @@ var PROFILE_WEIGHTS = {
     zone_hygiene: { importance: 0 }
   },
   minimal: {
-    // Core (sum=10)
+    // Core (sum=15)
     spf: { importance: 1 },
     dmarc: { importance: 1 },
     dkim: { importance: 1 },
-    dnssec: { importance: 3 },
-    ssl: { importance: 4 },
+    dnssec: { importance: 5 },
+    ssl: { importance: 7 },
     // Protective (sum=10)
     subdomain_takeover: { importance: 2 },
     http_security: { importance: 2 },
@@ -524,11 +524,11 @@ var PROFILE_WEIGHTS = {
   }
 };
 var PROFILE_CRITICAL_CATEGORIES = {
-  mail_enabled: ["spf", "dmarc", "dkim", "ssl", "dnssec"],
-  enterprise_mail: ["spf", "dmarc", "dkim", "ssl", "dnssec"],
+  mail_enabled: ["spf", "dmarc", "dkim", "ssl", "dnssec", "subdomain_takeover"],
+  enterprise_mail: ["spf", "dmarc", "dkim", "ssl", "dnssec", "subdomain_takeover"],
   non_mail: ["ssl", "dnssec", "http_security", "subdomain_takeover", "dane_https"],
   web_only: ["ssl", "dnssec", "http_security", "subdomain_takeover", "dane_https"],
-  minimal: ["ssl", "dnssec"]
+  minimal: ["ssl", "dnssec", "subdomain_takeover"]
 };
 var PROFILE_EMAIL_BONUS_ELIGIBLE = {
   mail_enabled: true,
@@ -634,7 +634,7 @@ function getProfileWeights(profile, config) {
 }
 var DEFAULT_SCORING_CONFIG = {
   tierSplit: { core: 70, protective: 20, hardening: 10 },
-  coreWeights: { dmarc: 16, dkim: 10, spf: 10, dnssec: 8, ssl: 8 },
+  coreWeights: { dmarc: 16, dkim: 10, spf: 10, dnssec: 10, ssl: 8 },
   protectiveWeights: {
     subdomain_takeover: 4,
     http_security: 3,
@@ -663,21 +663,142 @@ var DEFAULT_SCORING_CONFIG = {
     dPlus: 56,
     d: 50
   }};
+var DEFAULT_EMAIL_BONUS_KEYS = {
+  spf: "spf",
+  dkim: "dkim",
+  dmarc: "dmarc"
+};
 function clampPercent(score) {
   return Math.max(0, Math.min(100, score));
 }
-function computeProviderConfidenceModifier(findings) {
-  const confidences = [];
-  for (const finding of findings) {
-    const confidence = finding.metadata?.providerConfidence;
-    if (typeof confidence === "number" && Number.isFinite(confidence)) {
-      confidences.push(Math.max(0, Math.min(1, confidence)));
+function computeProviderModifier(providerConfidence) {
+  if (!providerConfidence) return 0;
+  const values = Object.values(providerConfidence).filter(
+    (v) => typeof v === "number" && Number.isFinite(v)
+  );
+  if (values.length === 0) return 0;
+  const clamped = values.map((v) => Math.max(0, Math.min(1, v)));
+  const avg = clamped.reduce((sum, v) => sum + v, 0) / clamped.length;
+  const centered = avg - 0.5;
+  return Math.round(centered * 10);
+}
+function computeGenericScore(input, config) {
+  const cfg = config ?? DEFAULT_SCORING_CONFIG;
+  const tierSplit = cfg.tierSplit;
+  const thresholds = cfg.thresholds;
+  const transient = input.transientFailures ?? {};
+  const emailKeys = input.emailBonusKeys ?? DEFAULT_EMAIL_BONUS_KEYS;
+  const coreWeights = {};
+  const protectiveWeights = {};
+  const hardeningKeys = [];
+  for (const [key, tier] of Object.entries(input.tierMap)) {
+    if (transient[key]) continue;
+    const weight = input.weights[key] ?? 0;
+    if (tier === "core") {
+      coreWeights[key] = weight;
+    } else if (tier === "protective") {
+      protectiveWeights[key] = weight;
+    } else if (tier === "hardening") {
+      hardeningKeys.push(key);
+    }
+  }
+  const coreMax = Object.values(coreWeights).reduce((sum, w) => sum + w, 0);
+  let coreEarned = 0;
+  for (const [key, weight] of Object.entries(coreWeights)) {
+    if (weight === 0) continue;
+    const rawScore = clampPercent(input.categoryScores[key] ?? 100);
+    const effectiveScore = input.missingControls[key] ? 0 : rawScore;
+    coreEarned += effectiveScore / 100 * weight;
+  }
+  const corePct = coreMax > 0 ? coreEarned / coreMax : 1;
+  const corePoints = corePct * tierSplit.core;
+  const protectiveMax = Object.values(protectiveWeights).reduce((sum, w) => sum + w, 0);
+  let protectiveEarned = 0;
+  for (const [key, weight] of Object.entries(protectiveWeights)) {
+    if (weight === 0) continue;
+    const rawScore = clampPercent(input.categoryScores[key] ?? 100);
+    protectiveEarned += rawScore / 100 * weight;
+  }
+  const protectivePct = protectiveMax > 0 ? protectiveEarned / protectiveMax : 1;
+  const protectivePoints = protectivePct * tierSplit.protective;
+  const submittedHardeningKeys = hardeningKeys.filter((key) => key in input.hardeningPassed);
+  const passedCount = submittedHardeningKeys.filter((key) => input.hardeningPassed[key]).length;
+  const hardeningPoints = submittedHardeningKeys.length > 0 ? passedCount / submittedHardeningKeys.length * tierSplit.hardening : 0;
+  const base = corePoints + protectivePoints + hardeningPoints;
+  let emailBonus = 0;
+  if (input.emailBonusEligible) {
+    const spfKey = emailKeys.spf;
+    const dkimKey = emailKeys.dkim;
+    const dmarcKey = emailKeys.dmarc;
+    const spfScore = input.categoryScores[spfKey] ?? 0;
+    const spfStrong = !input.missingControls[spfKey] && spfScore >= thresholds.spfStrongThreshold;
+    const dkimNotMissing = !input.missingControls[dkimKey];
+    const dmarcScore = input.categoryScores[dmarcKey];
+    const dmarcPresent = dmarcScore !== void 0 && !input.missingControls[dmarcKey];
+    if (spfStrong && dkimNotMissing && dmarcPresent) {
+      if (dmarcScore >= 90) {
+        emailBonus = thresholds.emailBonusFull;
+      } else if (dmarcScore >= 70) {
+        emailBonus = thresholds.emailBonusMid;
+      } else {
+        emailBonus = thresholds.emailBonusPartial;
+      }
     }
   }
-  if (confidences.length === 0) return 0;
-  const avgConfidence = confidences.reduce((sum, value) => sum + value, 0) / confidences.length;
-  const centered = avgConfidence - 0.5;
-  return Math.round(centered * 10);
+  const providerModifier = computeProviderModifier(input.providerConfidence);
+  const counts = input.findingSeverityCounts;
+  const criticalPenalty = counts && counts.critical > 0 ? thresholds.criticalOverallPenalty : 0;
+  const preCeiling = clampPercent(Math.round(base) + emailBonus + providerModifier - criticalPenalty);
+  const criticalGaps = [];
+  for (const key of input.criticalCategories) {
+    if (input.missingControls[key]) {
+      criticalGaps.push(key);
+    }
+  }
+  const overall = criticalGaps.length > 0 ? Math.min(preCeiling, thresholds.criticalGapCeiling) : preCeiling;
+  const grade = scoreToGrade(overall, config);
+  const summary = buildSummary(counts, grade);
+  const filledScores = {};
+  for (const key of Object.keys(input.tierMap)) {
+    filledScores[key] = input.categoryScores[key] ?? 100;
+  }
+  for (const key of Object.keys(input.categoryScores)) {
+    if (!(key in filledScores)) {
+      filledScores[key] = input.categoryScores[key];
+    }
+  }
+  return {
+    overall,
+    grade,
+    categoryScores: filledScores,
+    summary,
+    tierBreakdown: {
+      core: corePoints,
+      protective: protectivePoints,
+      hardening: hardeningPoints
+    },
+    emailBonus,
+    criticalGaps,
+    providerModifier,
+    criticalPenalty
+  };
+}
+function buildSummary(counts, grade) {
+  if (!counts) {
+    return `Excellent! No security issues found. Grade: ${grade}`;
+  }
+  const { critical, high, medium, low } = counts;
+  const totalNonInfo = critical + high + medium + low;
+  if (totalNonInfo === 0) {
+    return `Excellent! No security issues found. Grade: ${grade}`;
+  }
+  if (critical > 0) {
+    return `${critical} critical issue(s) found requiring immediate attention. Grade: ${grade}`;
+  }
+  if (high > 0) {
+    return `${high} high-severity issue(s) found. Grade: ${grade}`;
+  }
+  return `${totalNonInfo} issue(s) found. Grade: ${grade}`;
 }
 function scoreToGrade(score, config) {
   const g = config?.grades ?? DEFAULT_SCORING_CONFIG.grades;
@@ -692,6 +813,75 @@ function scoreToGrade(score, config) {
   return "F";
 }
 var DEFAULT_CRITICAL_CATEGORIES = ["spf", "dmarc", "dkim", "ssl"];
+function buildGenericContext(results, categoryScores, allFindings, context, config) {
+  const weights = {};
+  if (context) {
+    for (const category of Object.keys(context.weights)) {
+      weights[category] = context.weights[category].importance;
+    }
+  } else {
+    for (const [key, value] of Object.entries(config.coreWeights)) {
+      weights[key] = value;
+    }
+    for (const [key, value] of Object.entries(config.protectiveWeights)) {
+      weights[key] = value;
+    }
+    for (const cat of Object.keys(CATEGORY_TIERS)) {
+      if (CATEGORY_TIERS[cat] === "hardening" && !(cat in weights)) {
+        weights[cat] = 0;
+      }
+    }
+  }
+  const missingControls = {};
+  const resultMap = /* @__PURE__ */ new Map();
+  for (const result of results) {
+    resultMap.set(result.category, result);
+    if (scoreIndicatesMissingControl(result.findings)) {
+      missingControls[result.category] = true;
+    }
+  }
+  const hardeningPassed = {};
+  for (const cat of Object.keys(CATEGORY_TIERS)) {
+    if (CATEGORY_TIERS[cat] === "hardening") {
+      const result = resultMap.get(cat);
+      hardeningPassed[cat] = !!(result && result.passed);
+    }
+  }
+  const providerConfidence = {};
+  for (const finding of allFindings) {
+    const confidence = finding.metadata?.providerConfidence;
+    if (typeof confidence === "number" && Number.isFinite(confidence)) {
+      const key = `_finding_${Object.keys(providerConfidence).length}`;
+      providerConfidence[key] = confidence;
+    }
+  }
+  const verifiedCriticalCount = allFindings.filter(
+    (f) => f.severity === "critical" && inferFindingConfidence(f) === "verified"
+  ).length;
+  const findingSeverityCounts = {
+    critical: verifiedCriticalCount,
+    high: allFindings.filter((f) => f.severity === "high").length,
+    medium: allFindings.filter((f) => f.severity === "medium").length,
+    low: allFindings.filter((f) => f.severity === "low").length,
+    info: allFindings.filter((f) => f.severity === "info").length
+  };
+  const criticalCategories = context ? PROFILE_CRITICAL_CATEGORIES[context.profile] : DEFAULT_CRITICAL_CATEGORIES;
+  let emailBonusEligible = context ? PROFILE_EMAIL_BONUS_ELIGIBLE[context.profile] : true;
+  if (!resultMap.has("spf") || !resultMap.has("dmarc")) {
+    emailBonusEligible = false;
+  }
+  return {
+    categoryScores: { ...categoryScores },
+    tierMap: { ...CATEGORY_TIERS },
+    weights,
+    missingControls,
+    hardeningPassed,
+    criticalCategories: [...criticalCategories],
+    emailBonusEligible,
+    providerConfidence: Object.keys(providerConfidence).length > 0 ? providerConfidence : void 0,
+    findingSeverityCounts
+  };
+}
 function computeScanScore(results, context, config) {
   const partialScores = {};
   const allFindings = [];
@@ -700,10 +890,6 @@ function computeScanScore(results, context, config) {
   }
   const categoryScores = partialScores;
   const cfg = config ?? DEFAULT_SCORING_CONFIG;
-  const tierSplit = cfg.tierSplit;
-  const spfStrongThreshold = cfg.thresholds.spfStrongThreshold;
-  const criticalOverallPenalty = cfg.thresholds.criticalOverallPenalty;
-  const criticalGapCeiling = cfg.thresholds.criticalGapCeiling;
   if (results.length === 0) {
     return {
       overall: 100,
@@ -717,102 +903,24 @@ function computeScanScore(results, context, config) {
     categoryScores[result.category] = result.score;
     allFindings.push(...result.findings);
   }
-  const activeCoreWeights = {};
-  const activeProtectiveWeights = {};
-  if (context) {
-    for (const category of Object.keys(context.weights)) {
-      const tier = CATEGORY_TIERS[category];
-      const weight = context.weights[category].importance;
-      if (tier === "core") {
-        activeCoreWeights[category] = weight;
-      } else if (tier === "protective") {
-        activeProtectiveWeights[category] = weight;
-      }
-    }
-  } else {
-    Object.assign(activeCoreWeights, cfg.coreWeights);
-    Object.assign(activeProtectiveWeights, cfg.protectiveWeights);
-  }
-  const coreMax = Object.values(activeCoreWeights).reduce((sum, w) => sum + w, 0);
-  let coreEarned = 0;
-  for (const [category, weight] of Object.entries(activeCoreWeights)) {
-    if (weight === 0) continue;
-    const cat = category;
-    const result = results.find((r) => r.category === cat);
-    const rawScore = result ? clampPercent(result.score) : 100;
-    const effectiveScore = result && scoreIndicatesMissingControl(result.findings) ? 0 : rawScore;
-    coreEarned += effectiveScore / 100 * weight;
-  }
-  const corePct = coreMax > 0 ? coreEarned / coreMax : 1;
-  const protectiveMax = Object.values(activeProtectiveWeights).reduce((sum, w) => sum + w, 0);
-  let protectiveEarned = 0;
-  for (const [category, weight] of Object.entries(activeProtectiveWeights)) {
-    if (weight === 0) continue;
-    const cat = category;
-    const result = results.find((r) => r.category === cat);
-    const rawScore = result ? clampPercent(result.score) : 100;
-    protectiveEarned += rawScore / 100 * weight;
-  }
-  const protectivePct = protectiveMax > 0 ? protectiveEarned / protectiveMax : 1;
-  const hardeningCategories = Object.keys(CATEGORY_TIERS).filter(
-    (cat) => CATEGORY_TIERS[cat] === "hardening"
-  );
-  const hardeningCount = hardeningCategories.length;
-  let passedHardeningCount = 0;
-  for (const cat of hardeningCategories) {
-    const result = results.find((r) => r.category === cat);
-    if (result && result.passed) {
-      passedHardeningCount++;
-    }
-  }
-  const hardeningPts = hardeningCount > 0 ? passedHardeningCount / hardeningCount * tierSplit.hardening : 0;
-  const base = corePct * tierSplit.core + protectivePct * tierSplit.protective + hardeningPts;
-  const emailBonusEligible = context ? PROFILE_EMAIL_BONUS_ELIGIBLE[context.profile] : true;
-  const spfResult = results.find((result) => result.category === "spf");
-  const dkimResult = results.find((result) => result.category === "dkim");
-  const dmarcResult = results.find((result) => result.category === "dmarc");
-  const spfStrong = !!spfResult && !scoreIndicatesMissingControl(spfResult.findings) && spfResult.score >= spfStrongThreshold;
-  const dkimNotDeterministicallyMissing = !dkimResult || !scoreIndicatesMissingControl(dkimResult.findings);
-  const dmarcPresent = !!dmarcResult && !scoreIndicatesMissingControl(dmarcResult.findings);
-  let emailBonus = 0;
-  if (emailBonusEligible && spfStrong && dkimNotDeterministicallyMissing && dmarcPresent && dmarcResult) {
-    if (dmarcResult.score >= 90) {
-      emailBonus = cfg.thresholds.emailBonusFull;
-    } else if (dmarcResult.score >= 70) {
-      emailBonus = cfg.thresholds.emailBonusMid;
-    } else {
-      emailBonus = cfg.thresholds.emailBonusPartial;
-    }
-  }
-  const providerModifier = computeProviderConfidenceModifier(allFindings);
-  const verifiedCriticalCount = allFindings.filter(
-    (finding) => finding.severity === "critical" && inferFindingConfidence(finding) === "verified"
-  ).length;
-  const criticalPenalty = verifiedCriticalCount > 0 ? criticalOverallPenalty : 0;
-  const preCeiling = clampPercent(Math.round(base) + emailBonus + providerModifier - criticalPenalty);
-  const criticalCategories = context ? PROFILE_CRITICAL_CATEGORIES[context.profile] : DEFAULT_CRITICAL_CATEGORIES;
-  const hasCriticalGap = criticalCategories.some((cat) => {
-    const result = results.find((r) => r.category === cat);
-    return result && scoreIndicatesMissingControl(result.findings);
-  });
-  const overall = hasCriticalGap ? Math.min(preCeiling, criticalGapCeiling) : preCeiling;
-  const grade = scoreToGrade(overall, config);
-  const criticalCount = allFindings.filter((finding) => finding.severity === "critical").length;
-  const highCount = allFindings.filter((finding) => finding.severity === "high").length;
-  const totalIssues = allFindings.filter((finding) => finding.severity !== "info").length;
+  const genericContext = buildGenericContext(results, categoryScores, allFindings, context, cfg);
+  const genericResult = computeGenericScore(genericContext, config);
+  const criticalCount = allFindings.filter((f) => f.severity === "critical").length;
+  const highCount = allFindings.filter((f) => f.severity === "high").length;
+  const totalIssues = allFindings.filter((f) => f.severity !== "info").length;
   let summary;
   if (totalIssues === 0) {
-    summary = `Excellent! No security issues found. Grade: ${grade}`;
+    summary = `Excellent! No security issues found. Grade: ${genericResult.grade}`;
   } else if (criticalCount > 0) {
-    summary = `${criticalCount} critical issue(s) found requiring immediate attention. Grade: ${grade}`;
+    summary = `${criticalCount} critical issue(s) found requiring immediate attention. Grade: ${genericResult.grade}`;
   } else if (highCount > 0) {
-    summary = `${highCount} high-severity issue(s) found. Grade: ${grade}`;
+    summary = `${highCount} high-severity issue(s) found. Grade: ${genericResult.grade}`;
   } else {
-    summary = `${totalIssues} issue(s) found. Grade: ${grade}`;
+    summary = `${totalIssues} issue(s) found. Grade: ${genericResult.grade}`;
   }
   return {
-    overall,
-    grade,
+    overall: genericResult.overall,
+    grade: genericResult.grade,
     categoryScores,
     findings: allFindings,
     summary
@@ -1017,7 +1125,7 @@ function sanitizeInput(input, maxLength = 500) {
 }
 
 // src/lib/server-version.ts
-var SERVER_VERSION = "2.0.6";
+var SERVER_VERSION = "2.0.9";
 
 // packages/dns-checks/dist/index.js
 var SEVERITY_PENALTIES2 = {
@@ -5757,7 +5865,8 @@ function isPlainObject(value) {
   return typeof value === "object" && value !== null && !Array.isArray(value);
 }
 function sanitizeString(value) {
-  return value.length > MAX_LOG_STRING_LENGTH ? `${value.slice(0, MAX_LOG_STRING_LENGTH)}...` : value;
+  const stripped = value.replace(/[\x00-\x08\x0a-\x1f\x7f]/g, " ");
+  return stripped.length > MAX_LOG_STRING_LENGTH ? `${stripped.slice(0, MAX_LOG_STRING_LENGTH)}...` : stripped;
 }
 function sanitizeLogValue(value, key) {
   if (key && isSensitiveKey(key)) {
@@ -6124,8 +6233,8 @@ async function checkApexDmarcPolicy(domain) {
   }
 }
 function isMissingRecordFinding(finding) {
-  const text = `${finding.title} ${finding.detail}`.toLowerCase();
-  return /(no\s+.+\s+record|missing|not\s+found|no\s+mta-sts|no\s+dkim)/.test(text);
+  const title = finding.title.toLowerCase();
+  return title.includes("missing") || title.includes("not found") || title.includes("no mta-sts") || title.includes("no dkim") || /^no\s+\S+\s+record/.test(title);
 }
 function clarifyMtaStsForMailDomain(domain, results) {
   return results.map((result) => {