dns-security-mcp 0.1.0

package/dist/email/index.js

@@ -0,0 +1,1188 @@
+import { z } from "zod";
+import { json } from "../types/index.js";
+import { createResolver, queryRaw } from "../utils/dns-client.js";
+import { DKIM_SELECTORS } from "../data/dkim-selectors.js";
+import * as dns from "node:dns/promises";
+// ─── SPF Check Logic ───
+async function checkSpf(domain) {
+    const resolver = createResolver();
+    const findings = [];
+    let spfRecord = null;
+    const mechanisms = [];
+    let allQualifier = null;
+    let dnsLookups = 0;
+    const includes = [];
+    try {
+        const txtRecords = await resolver.resolveTxt(domain);
+        const spfRecords = txtRecords
+            .map((r) => r.join(""))
+            .filter((r) => r.toLowerCase().startsWith("v=spf1"));
+        if (spfRecords.length === 0) {
+            findings.push({
+                severity: "critical",
+                title: "No SPF record found",
+                description: `Domain ${domain} has no SPF record. Any server can send email claiming to be from this domain.`,
+                remediation: "Add a TXT record with a valid SPF policy, e.g. \"v=spf1 mx -all\"",
+            });
+            return { found: false, record: null, mechanisms, allQualifier, dnsLookups, includes, findings };
+        }
+        if (spfRecords.length > 1) {
+            findings.push({
+                severity: "high",
+                title: "Multiple SPF records found",
+                description: `Domain ${domain} has ${spfRecords.length} SPF records. RFC 7208 Section 3.2 requires exactly one SPF record; multiple records cause undefined behavior.`,
+                remediation: "Merge all SPF records into a single TXT record.",
+            });
+        }
+        spfRecord = spfRecords[0];
+        const parts = spfRecord.split(/\s+/).slice(1); // skip "v=spf1"
+        for (const part of parts) {
+            let qualifier = "+";
+            let mechanism = part;
+            if (/^[+\-~?]/.test(mechanism)) {
+                qualifier = mechanism[0];
+                mechanism = mechanism.slice(1);
+            }
+            const [mType, ...rest] = mechanism.split(":");
+            const mValue = rest.join(":") || "";
+            const type = mType.toLowerCase();
+            mechanisms.push({ qualifier, type, value: mValue });
+            // Count DNS lookups for lookup-triggering mechanisms
+            if (["include", "a", "mx", "ptr", "exists", "redirect"].includes(type)) {
+                dnsLookups++;
+            }
+            if (type === "include" && mValue) {
+                includes.push(mValue);
+            }
+            if (type === "all") {
+                allQualifier = qualifier;
+            }
+            if (type === "ptr") {
+                findings.push({
+                    severity: "medium",
+                    title: "Deprecated ptr mechanism in SPF",
+                    description: "The \"ptr\" mechanism is deprecated per RFC 7208 Section 5.5 due to performance and reliability issues.",
+                    remediation: "Replace ptr mechanism with explicit ip4/ip6 or a mechanisms.",
+                });
+            }
+        }
+        // Follow include chain to count total DNS lookups
+        const visited = new Set();
+        const includeQueue = [...includes];
+        while (includeQueue.length > 0) {
+            const inc = includeQueue.shift();
+            if (visited.has(inc))
+                continue;
+            visited.add(inc);
+            try {
+                const incTxt = await resolver.resolveTxt(inc);
+                const incSpf = incTxt.map((r) => r.join("")).find((r) => r.toLowerCase().startsWith("v=spf1"));
+                if (incSpf) {
+                    const incParts = incSpf.split(/\s+/).slice(1);
+                    for (const p of incParts) {
+                        let m = p;
+                        if (/^[+\-~?]/.test(m))
+                            m = m.slice(1);
+                        const [t, ...v] = m.split(":");
+                        const typ = t.toLowerCase();
+                        if (["include", "a", "mx", "ptr", "exists", "redirect"].includes(typ)) {
+                            dnsLookups++;
+                        }
+                        if (typ === "include" && v.join(":")) {
+                            includeQueue.push(v.join(":"));
+                        }
+                    }
+                }
+            }
+            catch {
+                // Include target unreachable
+            }
+        }
+        if (dnsLookups > 10) {
+            findings.push({
+                severity: "high",
+                title: "SPF exceeds 10 DNS lookup limit",
+                description: `SPF record triggers ${dnsLookups} DNS lookups (RFC 7208 max is 10). Receivers may return PermError.`,
+                remediation: "Flatten SPF record by replacing includes with direct ip4/ip6 mechanisms, or use an SPF flattening service.",
+            });
+        }
+        if (allQualifier === "~") {
+            findings.push({
+                severity: "high",
+                title: "SPF uses softfail (~all)",
+                description: "SPF ~all (softfail) marks unauthorized senders as suspicious but does not reject them. Emails from unauthorized sources may still be delivered.",
+                remediation: "Change ~all to -all for strict rejection of unauthorized senders.",
+            });
+        }
+        else if (allQualifier === "+") {
+            findings.push({
+                severity: "critical",
+                title: "SPF allows all senders (+all)",
+                description: "SPF +all permits any server to send email on behalf of this domain. This is an open relay configuration.",
+                remediation: "Change +all to -all immediately.",
+            });
+        }
+        else if (allQualifier === "?") {
+            findings.push({
+                severity: "high",
+                title: "SPF uses neutral (?all)",
+                description: "SPF ?all provides no indication about sender authorization. This effectively provides no protection.",
+                remediation: "Change ?all to -all for strict rejection.",
+            });
+        }
+        else if (allQualifier === "-") {
+            findings.push({
+                severity: "info",
+                title: "SPF uses hardfail (-all)",
+                description: "SPF -all correctly rejects unauthorized senders.",
+            });
+        }
+    }
+    catch (err) {
+        findings.push({
+            severity: "critical",
+            title: "SPF lookup failed",
+            description: `Failed to query TXT records for ${domain}: ${err.message}`,
+        });
+        return { found: false, record: null, mechanisms, allQualifier, dnsLookups, includes, findings };
+    }
+    return { found: true, record: spfRecord, mechanisms, allQualifier, dnsLookups, includes, findings };
+}
+// ─── DKIM Check Logic ───
+async function checkDkim(domain, selectors) {
+    const resolver = createResolver();
+    const findings = [];
+    const selectorsFound = [];
+    let checkedCount = 0;
+    for (const selector of selectors) {
+        checkedCount++;
+        const dkimDomain = `${selector}._domainkey.${domain}`;
+        const result = {
+            selector,
+            found: false,
+            record: null,
+            version: null,
+            keyType: null,
+            publicKey: null,
+            estimatedBits: null,
+            testingMode: false,
+            revoked: false,
+            findings: [],
+        };
+        try {
+            const txtRecords = await resolver.resolveTxt(dkimDomain);
+            const dkimTxt = txtRecords.map((r) => r.join("")).find((r) => r.includes("p="));
+            if (!dkimTxt)
+                continue;
+            result.found = true;
+            result.record = dkimTxt;
+            // Parse DKIM tags
+            const tags = new Map();
+            for (const part of dkimTxt.split(";")) {
+                const trimmed = part.trim();
+                const eqIdx = trimmed.indexOf("=");
+                if (eqIdx > 0) {
+                    const key = trimmed.slice(0, eqIdx).trim();
+                    const value = trimmed.slice(eqIdx + 1).trim();
+                    tags.set(key, value);
+                }
+            }
+            result.version = tags.get("v") ?? null;
+            result.keyType = tags.get("k") ?? "rsa"; // default is rsa per RFC 6376
+            result.publicKey = tags.get("p") ?? null;
+            // Check for testing mode
+            const tFlag = tags.get("t");
+            if (tFlag && tFlag.includes("y")) {
+                result.testingMode = true;
+                result.findings.push({
+                    severity: "medium",
+                    title: `DKIM selector '${selector}' is in testing mode`,
+                    description: "Tag t=y indicates this DKIM key is in testing mode. Verifiers may not enforce failures.",
+                    remediation: "Remove t=y flag when DKIM is fully deployed.",
+                });
+            }
+            // Check for revoked key (empty p=)
+            if (result.publicKey === "" || result.publicKey === null) {
+                result.revoked = true;
+                result.findings.push({
+                    severity: "info",
+                    title: `DKIM selector '${selector}' is revoked`,
+                    description: "Empty p= tag indicates this DKIM key has been revoked.",
+                });
+            }
+            else {
+                // Estimate key size from base64 length
+                const rawKey = result.publicKey.replace(/\s/g, "");
+                const keyBytes = Math.floor((rawKey.length * 3) / 4);
+                // RSA public key DER includes overhead (~38 bytes for header), remaining is the modulus
+                const modulusBits = Math.max(0, (keyBytes - 38)) * 8;
+                result.estimatedBits = modulusBits > 0 ? modulusBits : keyBytes * 8;
+                if (result.keyType?.toLowerCase() === "rsa" && result.estimatedBits < 1024) {
+                    result.findings.push({
+                        severity: "critical",
+                        title: `DKIM selector '${selector}' uses weak RSA key (~${result.estimatedBits} bits)`,
+                        description: "RSA keys shorter than 1024 bits are considered insecure and can be factored.",
+                        remediation: "Rotate to a 2048-bit RSA key or use Ed25519.",
+                    });
+                }
+                else if (result.keyType?.toLowerCase() === "rsa" && result.estimatedBits < 2048) {
+                    result.findings.push({
+                        severity: "medium",
+                        title: `DKIM selector '${selector}' uses 1024-bit RSA key`,
+                        description: "1024-bit RSA keys are not yet broken but are considered weak. 2048-bit is the recommended minimum.",
+                        remediation: "Rotate to a 2048-bit RSA key.",
+                    });
+                }
+            }
+            selectorsFound.push(result);
+        }
+        catch {
+            // Selector not found — expected for most brute-forced selectors
+            continue;
+        }
+    }
+    if (selectorsFound.length === 0) {
+        findings.push({
+            severity: "high",
+            title: "No DKIM records found",
+            description: `Checked ${checkedCount} selectors for ${domain} — none returned a DKIM record. Email from this domain cannot be cryptographically verified.`,
+            remediation: "Configure DKIM signing with your email provider and publish the public key in DNS.",
+        });
+    }
+    // Aggregate per-selector findings
+    for (const s of selectorsFound) {
+        findings.push(...s.findings);
+    }
+    return { selectorsChecked: checkedCount, selectorsFound, findings };
+}
+// ─── DMARC Check Logic ───
+async function checkDmarc(domain) {
+    const resolver = createResolver();
+    const findings = [];
+    const dmarcDomain = `_dmarc.${domain}`;
+    const result = {
+        found: false,
+        record: null,
+        policy: null,
+        subdomainPolicy: null,
+        percentage: null,
+        rua: null,
+        ruf: null,
+        aspf: null,
+        adkim: null,
+        findings: [],
+    };
+    try {
+        const txtRecords = await resolver.resolveTxt(dmarcDomain);
+        const dmarcTxt = txtRecords
+            .map((r) => r.join(""))
+            .find((r) => r.toLowerCase().startsWith("v=dmarc1"));
+        if (!dmarcTxt) {
+            findings.push({
+                severity: "critical",
+                title: "No DMARC record found",
+                description: `No DMARC record at ${dmarcDomain}. Without DMARC, there is no policy instructing receivers how to handle SPF/DKIM failures.`,
+                remediation: "Add a DMARC TXT record, e.g. \"v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com\"",
+            });
+            result.findings = findings;
+            return result;
+        }
+        result.found = true;
+        result.record = dmarcTxt;
+        // Parse DMARC tags
+        const tags = new Map();
+        for (const part of dmarcTxt.split(";")) {
+            const trimmed = part.trim();
+            const eqIdx = trimmed.indexOf("=");
+            if (eqIdx > 0) {
+                const key = trimmed.slice(0, eqIdx).trim().toLowerCase();
+                const value = trimmed.slice(eqIdx + 1).trim();
+                tags.set(key, value);
+            }
+        }
+        result.policy = tags.get("p") ?? null;
+        result.subdomainPolicy = tags.get("sp") ?? null;
+        result.percentage = tags.has("pct") ? parseInt(tags.get("pct"), 10) : null;
+        result.rua = tags.get("rua") ?? null;
+        result.ruf = tags.get("ruf") ?? null;
+        result.aspf = tags.get("aspf") ?? null;
+        result.adkim = tags.get("adkim") ?? null;
+        // Evaluate policy
+        if (result.policy === "none") {
+            findings.push({
+                severity: "high",
+                title: "DMARC policy is p=none (monitoring only)",
+                description: "DMARC p=none does not instruct receivers to reject or quarantine unauthorized emails. It only generates reports.",
+                remediation: "Transition to p=quarantine or p=reject after analyzing DMARC reports.",
+            });
+        }
+        else if (result.policy === "quarantine") {
+            findings.push({
+                severity: "medium",
+                title: "DMARC policy is p=quarantine",
+                description: "DMARC p=quarantine instructs receivers to treat failures as suspicious (typically moved to spam). p=reject provides stronger protection.",
+                remediation: "Consider upgrading to p=reject after verifying all legitimate senders pass SPF/DKIM.",
+            });
+        }
+        else if (result.policy === "reject") {
+            findings.push({
+                severity: "info",
+                title: "DMARC policy is p=reject",
+                description: "DMARC p=reject is the strongest policy, instructing receivers to reject unauthorized emails outright.",
+            });
+        }
+        // Check percentage
+        if (result.percentage !== null && result.percentage < 100) {
+            findings.push({
+                severity: "medium",
+                title: `DMARC pct=${result.percentage}% — partial enforcement`,
+                description: `Only ${result.percentage}% of messages are subject to the DMARC policy. The remaining ${100 - result.percentage}% are treated as p=none.`,
+                remediation: "Increase pct to 100 once confident in SPF/DKIM alignment.",
+            });
+        }
+        // Check reporting
+        if (!result.rua) {
+            findings.push({
+                severity: "medium",
+                title: "No DMARC aggregate reporting (rua) configured",
+                description: "Without rua, you will not receive aggregate DMARC reports to monitor authentication failures.",
+                remediation: "Add rua=mailto:dmarc-reports@yourdomain.com to your DMARC record.",
+            });
+        }
+        // Check alignment
+        if (result.aspf === "r") {
+            findings.push({
+                severity: "low",
+                title: "DMARC SPF alignment is relaxed",
+                description: "Relaxed SPF alignment (aspf=r) allows subdomains to pass alignment. Strict (aspf=s) is more secure.",
+            });
+        }
+        if (result.adkim === "r") {
+            findings.push({
+                severity: "low",
+                title: "DMARC DKIM alignment is relaxed",
+                description: "Relaxed DKIM alignment (adkim=r) allows subdomains to pass alignment. Strict (adkim=s) is more secure.",
+            });
+        }
+    }
+    catch (err) {
+        findings.push({
+            severity: "critical",
+            title: "DMARC lookup failed",
+            description: `Failed to query TXT records for ${dmarcDomain}: ${err.message}`,
+        });
+    }
+    result.findings = findings;
+    return result;
+}
+// ─── BIMI Check Logic ───
+async function checkBimi(domain) {
+    const resolver = createResolver();
+    const findings = [];
+    const bimiDomain = `default._bimi.${domain}`;
+    const result = {
+        found: false,
+        record: null,
+        version: null,
+        logoUrl: null,
+        vmcUrl: null,
+        findings: [],
+    };
+    try {
+        const txtRecords = await resolver.resolveTxt(bimiDomain);
+        const bimiTxt = txtRecords
+            .map((r) => r.join(""))
+            .find((r) => r.toLowerCase().startsWith("v=bimi1"));
+        if (!bimiTxt) {
+            findings.push({
+                severity: "info",
+                title: "No BIMI record found",
+                description: `No BIMI record at ${bimiDomain}. BIMI allows displaying a brand logo next to authenticated emails.`,
+                remediation: "Add a BIMI TXT record at default._bimi.yourdomain.com with v=BIMI1; l=<SVG URL>; a=<VMC URL>",
+            });
+            result.findings = findings;
+            return result;
+        }
+        result.found = true;
+        result.record = bimiTxt;
+        // Parse BIMI tags
+        const tags = new Map();
+        for (const part of bimiTxt.split(";")) {
+            const trimmed = part.trim();
+            const eqIdx = trimmed.indexOf("=");
+            if (eqIdx > 0) {
+                const key = trimmed.slice(0, eqIdx).trim().toLowerCase();
+                const value = trimmed.slice(eqIdx + 1).trim();
+                tags.set(key, value);
+            }
+        }
+        result.version = tags.get("v") ?? null;
+        result.logoUrl = tags.get("l") ?? null;
+        result.vmcUrl = tags.get("a") ?? null;
+        if (!result.logoUrl) {
+            findings.push({
+                severity: "medium",
+                title: "BIMI record missing logo URL (l= tag)",
+                description: "BIMI record does not contain a logo URL. Without it, no brand indicator will be displayed.",
+                remediation: "Add l=https://yourdomain.com/logo.svg to your BIMI record.",
+            });
+        }
+        else {
+            findings.push({
+                severity: "info",
+                title: "BIMI logo URL present",
+                description: `Logo URL: ${result.logoUrl}`,
+            });
+        }
+        if (!result.vmcUrl) {
+            findings.push({
+                severity: "low",
+                title: "BIMI record has no VMC certificate (a= tag)",
+                description: "Without a Verified Mark Certificate (VMC), some email clients (notably Gmail) will not display the BIMI logo.",
+                remediation: "Obtain a VMC from a qualified certificate authority and add a= tag to your BIMI record.",
+            });
+        }
+        else {
+            findings.push({
+                severity: "info",
+                title: "BIMI VMC certificate present",
+                description: `VMC URL: ${result.vmcUrl}`,
+            });
+        }
+    }
+    catch (err) {
+        findings.push({
+            severity: "info",
+            title: "BIMI lookup failed",
+            description: `Failed to query TXT records for ${bimiDomain}: ${err.message}`,
+        });
+    }
+    result.findings = findings;
+    return result;
+}
+// ─── MTA-STS Check Logic ───
+async function checkMtaSts(domain) {
+    const resolver = createResolver();
+    const findings = [];
+    const stsDomain = `_mta-sts.${domain}`;
+    const result = {
+        dnsRecord: { found: false, id: null },
+        policy: {
+            fetched: false,
+            version: null,
+            mode: null,
+            mxPatterns: [],
+            maxAge: null,
+        },
+        findings: [],
+    };
+    // Step 1: Check DNS TXT record
+    try {
+        const txtRecords = await resolver.resolveTxt(stsDomain);
+        const stsTxt = txtRecords
+            .map((r) => r.join(""))
+            .find((r) => r.toLowerCase().startsWith("v=stsv1"));
+        if (!stsTxt) {
+            findings.push({
+                severity: "medium",
+                title: "No MTA-STS DNS record found",
+                description: `No MTA-STS TXT record at ${stsDomain}. MTA-STS enforces TLS for inbound SMTP connections.`,
+                remediation: "Add a TXT record at _mta-sts.yourdomain.com with \"v=STSv1; id=<unique-id>\"",
+            });
+            result.findings = findings;
+            return result;
+        }
+        result.dnsRecord.found = true;
+        // Parse id from the record
+        const idMatch = stsTxt.match(/id\s*=\s*(\S+)/i);
+        result.dnsRecord.id = idMatch ? idMatch[1] : null;
+    }
+    catch (err) {
+        findings.push({
+            severity: "medium",
+            title: "MTA-STS DNS lookup failed",
+            description: `Failed to query TXT for ${stsDomain}: ${err.message}`,
+        });
+        result.findings = findings;
+        return result;
+    }
+    // Step 2: Fetch the policy file
+    const policyUrl = `https://mta-sts.${domain}/.well-known/mta-sts.txt`;
+    try {
+        const response = await fetch(policyUrl, {
+            signal: AbortSignal.timeout(10000),
+            redirect: "follow",
+        });
+        if (!response.ok) {
+            findings.push({
+                severity: "high",
+                title: "MTA-STS policy file not accessible",
+                description: `HTTP ${response.status} when fetching ${policyUrl}. The MTA-STS DNS record exists but the policy file is not served.`,
+                remediation: "Ensure the policy file is served at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt",
+            });
+            result.findings = findings;
+            return result;
+        }
+        const policyText = await response.text();
+        result.policy.fetched = true;
+        // Parse policy fields
+        for (const line of policyText.split("\n")) {
+            const trimmed = line.trim();
+            if (!trimmed)
+                continue;
+            const colonIdx = trimmed.indexOf(":");
+            if (colonIdx < 0)
+                continue;
+            const key = trimmed.slice(0, colonIdx).trim().toLowerCase();
+            const value = trimmed.slice(colonIdx + 1).trim();
+            switch (key) {
+                case "version":
+                    result.policy.version = value;
+                    break;
+                case "mode":
+                    result.policy.mode = value.toLowerCase();
+                    break;
+                case "mx":
+                    result.policy.mxPatterns.push(value);
+                    break;
+                case "max_age":
+                    result.policy.maxAge = parseInt(value, 10);
+                    break;
+            }
+        }
+        // Evaluate policy
+        if (result.policy.mode === "testing") {
+            findings.push({
+                severity: "medium",
+                title: "MTA-STS is in testing mode",
+                description: "MTA-STS mode=testing means senders will report TLS failures but not enforce TLS. Mail may still be sent unencrypted.",
+                remediation: "Switch to mode=enforce once all MX hosts have valid TLS certificates.",
+            });
+        }
+        else if (result.policy.mode === "none") {
+            findings.push({
+                severity: "high",
+                title: "MTA-STS mode is set to none",
+                description: "MTA-STS mode=none effectively disables the policy. No TLS enforcement occurs.",
+                remediation: "Set mode to enforce or testing.",
+            });
+        }
+        else if (result.policy.mode === "enforce") {
+            findings.push({
+                severity: "info",
+                title: "MTA-STS is in enforce mode",
+                description: "MTA-STS mode=enforce ensures senders must use TLS when delivering to your MX hosts.",
+            });
+        }
+        if (result.policy.maxAge !== null && result.policy.maxAge < 86400) {
+            findings.push({
+                severity: "medium",
+                title: `MTA-STS max_age is short (${result.policy.maxAge}s)`,
+                description: `max_age of ${result.policy.maxAge} seconds (${(result.policy.maxAge / 3600).toFixed(1)} hours) is very short. An attacker could wait for the policy to expire and then downgrade the connection.`,
+                remediation: "Set max_age to at least 86400 (1 day), recommended 604800-31557600 (1 week to 1 year).",
+            });
+        }
+    }
+    catch (err) {
+        findings.push({
+            severity: "high",
+            title: "MTA-STS policy file fetch failed",
+            description: `Could not retrieve ${policyUrl}: ${err.message}`,
+            remediation: "Ensure mta-sts.yourdomain.com resolves and serves the policy file over HTTPS.",
+        });
+    }
+    result.findings = findings;
+    return result;
+}
+// ─── DANE/TLSA Check Logic ───
+async function checkDane(domain) {
+    const resolver = createResolver();
+    const findings = [];
+    const mxHosts = [];
+    const tlsaRecords = [];
+    // Resolve MX records
+    try {
+        const mxResults = await resolver.resolveMx(domain);
+        for (const mx of mxResults.sort((a, b) => a.priority - b.priority)) {
+            mxHosts.push(mx.exchange);
+        }
+    }
+    catch {
+        findings.push({
+            severity: "medium",
+            title: "No MX records found",
+            description: `Could not resolve MX records for ${domain}. DANE/TLSA check requires MX hosts.`,
+        });
+        return { mxHosts, tlsaRecords, findings };
+    }
+    if (mxHosts.length === 0) {
+        findings.push({
+            severity: "medium",
+            title: "No MX records found",
+            description: `Domain ${domain} has no MX records.`,
+        });
+        return { mxHosts, tlsaRecords, findings };
+    }
+    let anyTlsaFound = false;
+    for (const mxHost of mxHosts) {
+        const tlsaDomain = `_25._tcp.${mxHost}`;
+        try {
+            const rawResult = await queryRaw(tlsaDomain, "TLSA", "8.8.8.8", 53, { dnssec: true });
+            for (const answer of rawResult.answers) {
+                if (answer.type === "TLSA") {
+                    const data = answer.data;
+                    anyTlsaFound = true;
+                    tlsaRecords.push({
+                        mxHost,
+                        usage: data?.usage ?? 0,
+                        selector: data?.selector ?? 0,
+                        matchingType: data?.matchingType ?? 0,
+                        certificate: data?.certificate ? Buffer.from(data.certificate).toString("hex") : (typeof data === "string" ? data : ""),
+                    });
+                }
+            }
+            // Check for DNSSEC (AD flag)
+            if (anyTlsaFound && !rawResult.flags.authenticatedData) {
+                findings.push({
+                    severity: "high",
+                    title: `DANE without DNSSEC for ${mxHost}`,
+                    description: `TLSA records found for ${tlsaDomain} but the response is not DNSSEC-authenticated (AD flag not set). DANE requires DNSSEC to be effective.`,
+                    remediation: "Enable DNSSEC for the zone containing the TLSA records.",
+                });
+            }
+        }
+        catch {
+            // TLSA query failed — likely no TLSA records
+        }
+    }
+    if (!anyTlsaFound) {
+        findings.push({
+            severity: "info",
+            title: "No DANE/TLSA records found",
+            description: `No TLSA records found for any MX host of ${domain}. DANE/TLSA provides certificate pinning for SMTP connections.`,
+            remediation: "Publish TLSA records for your MX hosts and enable DNSSEC.",
+        });
+    }
+    else {
+        findings.push({
+            severity: "info",
+            title: `DANE/TLSA records found for ${tlsaRecords.length} MX endpoint(s)`,
+            description: `TLSA records provide certificate association for SMTP TLS connections.`,
+        });
+    }
+    return { mxHosts, tlsaRecords, findings };
+}
+// ─── PTR / FCrDNS Check Logic ───
+async function checkPtr(domain) {
+    const resolver = createResolver();
+    const findings = [];
+    const mxHostResults = [];
+    // Resolve MX records
+    let mxExchanges = [];
+    try {
+        const mxResults = await resolver.resolveMx(domain);
+        mxExchanges = mxResults
+            .sort((a, b) => a.priority - b.priority)
+            .map((mx) => mx.exchange);
+    }
+    catch {
+        findings.push({
+            severity: "medium",
+            title: "No MX records found",
+            description: `Could not resolve MX records for ${domain}. PTR/FCrDNS check requires MX hosts.`,
+        });
+        return { mxHosts: mxHostResults, findings };
+    }
+    for (const mxHost of mxExchanges) {
+        const hostResult = {
+            host: mxHost,
+            ips: [],
+            ptrResults: [],
+        };
+        // Resolve MX host to IPs
+        try {
+            const ips = await resolver.resolve4(mxHost);
+            hostResult.ips = ips;
+            for (const ip of ips) {
+                const ptrResult = {
+                    ip,
+                    ptrHostnames: [],
+                    fcrDnsValid: false,
+                };
+                // Reverse DNS lookup
+                try {
+                    const ptrs = await dns.reverse(ip);
+                    ptrResult.ptrHostnames = ptrs;
+                    if (ptrs.length === 0) {
+                        findings.push({
+                            severity: "medium",
+                            title: `Missing PTR for ${ip} (MX: ${mxHost})`,
+                            description: `IP ${ip} has no PTR record. Many mail servers reject mail from IPs without reverse DNS.`,
+                            remediation: "Configure a PTR record for this IP with your hosting/ISP provider.",
+                        });
+                    }
+                    else {
+                        // FCrDNS check: PTR hostname should forward-resolve back to the same IP
+                        let matched = false;
+                        for (const ptrHostname of ptrs) {
+                            try {
+                                const forwardIps = await resolver.resolve4(ptrHostname);
+                                if (forwardIps.includes(ip)) {
+                                    matched = true;
+                                }
+                            }
+                            catch {
+                                // Forward lookup failed
+                            }
+                        }
+                        ptrResult.fcrDnsValid = matched;
+                        if (!matched) {
+                            findings.push({
+                                severity: "high",
+                                title: `FCrDNS mismatch for ${ip} (MX: ${mxHost})`,
+                                description: `IP ${ip} has PTR record(s) [${ptrs.join(", ")}] but none forward-resolve back to ${ip}. This FCrDNS (Forward-Confirmed reverse DNS) failure can cause mail rejection.`,
+                                remediation: "Ensure the PTR hostname forward-resolves to the same IP address.",
+                            });
+                        }
+                        else {
+                            findings.push({
+                                severity: "info",
+                                title: `FCrDNS valid for ${ip} (MX: ${mxHost})`,
+                                description: `PTR record for ${ip} resolves to ${ptrs.join(", ")} which forward-resolves back to the same IP.`,
+                            });
+                        }
+                    }
+                    hostResult.ptrResults.push(ptrResult);
+                }
+                catch {
+                    findings.push({
+                        severity: "medium",
+                        title: `PTR lookup failed for ${ip} (MX: ${mxHost})`,
+                        description: `Could not perform reverse DNS lookup for ${ip}.`,
+                        remediation: "Ensure a PTR record exists for this IP address.",
+                    });
+                    hostResult.ptrResults.push(ptrResult);
+                }
+            }
+        }
+        catch {
+            findings.push({
+                severity: "medium",
+                title: `Could not resolve MX host ${mxHost} to IP`,
+                description: `A record lookup for ${mxHost} failed.`,
+            });
+        }
+        mxHostResults.push(hostResult);
+    }
+    return { mxHosts: mxHostResults, findings };
+}
+async function calcSpoofability(domain) {
+    const [spfResult, dkimResult, dmarcResult] = await Promise.all([
+        checkSpf(domain),
+        checkDkim(domain, DKIM_SELECTORS),
+        checkDmarc(domain),
+    ]);
+    const breakdown = [];
+    let score = 0;
+    // SPF scoring (max 30)
+    if (!spfResult.found) {
+        score += 30;
+        breakdown.push({ category: "SPF", points: 30, maxPoints: 30, detail: "No SPF record found" });
+    }
+    else if (spfResult.allQualifier === "+" || spfResult.allQualifier === "?") {
+        score += 25;
+        breakdown.push({ category: "SPF", points: 25, maxPoints: 30, detail: `SPF uses ${spfResult.allQualifier}all (permissive)` });
+    }
+    else if (spfResult.allQualifier === "~") {
+        score += 20;
+        breakdown.push({ category: "SPF", points: 20, maxPoints: 30, detail: "SPF uses ~all (softfail — spoofable)" });
+    }
+    else if (spfResult.allQualifier === "-") {
+        score += 0;
+        breakdown.push({ category: "SPF", points: 0, maxPoints: 30, detail: "SPF uses -all (hardfail)" });
+    }
+    else {
+        score += 15;
+        breakdown.push({ category: "SPF", points: 15, maxPoints: 30, detail: "SPF present but no all mechanism found" });
+    }
+    // DMARC scoring (max 30)
+    if (!dmarcResult.found) {
+        score += 30;
+        breakdown.push({ category: "DMARC", points: 30, maxPoints: 30, detail: "No DMARC record found" });
+    }
+    else if (dmarcResult.policy === "none") {
+        score += 20;
+        breakdown.push({ category: "DMARC", points: 20, maxPoints: 30, detail: "DMARC p=none (monitoring only)" });
+    }
+    else if (dmarcResult.policy === "quarantine") {
+        score += 10;
+        breakdown.push({ category: "DMARC", points: 10, maxPoints: 30, detail: "DMARC p=quarantine" });
+    }
+    else if (dmarcResult.policy === "reject") {
+        score += 0;
+        breakdown.push({ category: "DMARC", points: 0, maxPoints: 30, detail: "DMARC p=reject" });
+    }
+    // DKIM scoring (max 15)
+    const dkimFound = dkimResult.selectorsFound.length > 0;
+    const weakKey = dkimResult.selectorsFound.some((s) => s.keyType?.toLowerCase() === "rsa" && s.estimatedBits !== null && s.estimatedBits < 1024);
+    if (!dkimFound) {
+        score += 15;
+        breakdown.push({ category: "DKIM", points: 15, maxPoints: 15, detail: "No DKIM records found" });
+    }
+    else if (weakKey) {
+        score += 10;
+        breakdown.push({ category: "DKIM", points: 10, maxPoints: 15, detail: "DKIM found but uses weak key (<1024 bits)" });
+    }
+    else {
+        score += 0;
+        breakdown.push({ category: "DKIM", points: 0, maxPoints: 15, detail: "DKIM configured with adequate key strength" });
+    }
+    // Ensure score stays in 0–100 range (remaining 25 points are implicit baseline)
+    score = Math.min(100, Math.max(0, Math.round((score / 75) * 100)));
+    let verdict;
+    if (score >= 70) {
+        verdict = "easily spoofable";
+    }
+    else if (score >= 40) {
+        verdict = "moderately protected";
+    }
+    else {
+        verdict = "well protected";
+    }
+    return {
+        score,
+        verdict,
+        breakdown,
+        spfSummary: { found: spfResult.found, allQualifier: spfResult.allQualifier },
+        dkimSummary: { found: dkimFound, weakKey },
+        dmarcSummary: { found: dmarcResult.found, policy: dmarcResult.policy },
+    };
+}
+async function runFullAudit(domain) {
+    const [spf, dkim, dmarc, bimi, mtaSts, dane, ptr, spoofability] = await Promise.all([
+        checkSpf(domain),
+        checkDkim(domain, DKIM_SELECTORS),
+        checkDmarc(domain),
+        checkBimi(domain),
+        checkMtaSts(domain),
+        checkDane(domain),
+        checkPtr(domain),
+        calcSpoofability(domain),
+    ]);
+    // Collect all findings
+    const allFindings = [
+        ...spf.findings,
+        ...dkim.findings,
+        ...dmarc.findings,
+        ...bimi.findings,
+        ...mtaSts.findings,
+        ...dane.findings,
+        ...ptr.findings,
+    ];
+    // Group by severity
+    const grouped = {
+        critical: [],
+        high: [],
+        medium: [],
+        low: [],
+        info: [],
+    };
+    for (const f of allFindings) {
+        grouped[f.severity].push(f);
+    }
+    return {
+        domain,
+        summary: {
+            critical: grouped.critical.length,
+            high: grouped.high.length,
+            medium: grouped.medium.length,
+            low: grouped.low.length,
+            info: grouped.info.length,
+            total: allFindings.length,
+        },
+        findings: grouped,
+        checks: { spf, dkim, dmarc, bimi, mtaSts, dane, ptr, spoofability },
+    };
+}
+// ─── Tool Definitions ───
+const emailCheckSpf = {
+    name: "email_check_spf",
+    description: "Check SPF (Sender Policy Framework) record for a domain. Parses mechanisms, qualifiers, follows include chains, counts DNS lookups (RFC 7208 max 10), and flags misconfigurations like ~all, +all, ptr, and excessive lookups.",
+    schema: {
+        domain: z.string().describe("The domain to check SPF records for (e.g. example.com)"),
+    },
+    execute: async (args) => {
+        const domain = args.domain;
+        const result = await checkSpf(domain);
+        return json(result);
+    },
+};
+const emailCheckDkim = {
+    name: "email_check_dkim",
+    description: "Check DKIM (DomainKeys Identified Mail) records for a domain by probing common selectors. Parses key type, estimates RSA key size, and flags weak keys (<1024 bits), testing mode (t=y), and revoked keys (empty p=).",
+    schema: {
+        domain: z.string().describe("The domain to check DKIM records for (e.g. example.com)"),
+        selectors: z
+            .array(z.string())
+            .optional()
+            .describe("Optional list of DKIM selectors to check. If omitted, a built-in list of ~80 common selectors is used."),
+    },
+    execute: async (args) => {
+        const domain = args.domain;
+        const selectors = args.selectors ?? DKIM_SELECTORS;
+        const result = await checkDkim(domain, selectors);
+        return json(result);
+    },
+};
+const emailCheckDmarc = {
+    name: "email_check_dmarc",
+    description: "Check DMARC (Domain-based Message Authentication, Reporting & Conformance) record for a domain. Parses policy (p=), subdomain policy (sp=), percentage (pct=), reporting URIs (rua/ruf), and alignment modes (aspf/adkim). Flags p=none, missing reporting, and relaxed alignment.",
+    schema: {
+        domain: z.string().describe("The domain to check DMARC records for (e.g. example.com)"),
+    },
+    execute: async (args) => {
+        const domain = args.domain;
+        const result = await checkDmarc(domain);
+        return json(result);
+    },
+};
+const emailCheckBimi = {
+    name: "email_check_bimi",
+    description: "Check BIMI (Brand Indicators for Message Identification) record for a domain. Validates the presence of v=BIMI1, logo URL (l=), and VMC certificate URL (a=).",
+    schema: {
+        domain: z.string().describe("The domain to check BIMI records for (e.g. example.com)"),
+    },
+    execute: async (args) => {
+        const domain = args.domain;
+        const result = await checkBimi(domain);
+        return json(result);
+    },
+};
+const emailCheckMtaSts = {
+    name: "email_check_mta_sts",
+    description: "Check MTA-STS (Mail Transfer Agent Strict Transport Security) for a domain. Queries the _mta-sts TXT record for the policy ID, then fetches the HTTPS policy file. Parses mode (enforce/testing/none), MX patterns, and max_age. Flags testing mode, short max_age, and missing policy files.",
+    schema: {
+        domain: z.string().describe("The domain to check MTA-STS for (e.g. example.com)"),
+    },
+    execute: async (args) => {
+        const domain = args.domain;
+        const result = await checkMtaSts(domain);
+        return json(result);
+    },
+};
+const emailCheckDane = {
+    name: "email_check_dane",
+    description: "Check DANE/TLSA records for a domain's MX hosts. Resolves MX records, then queries TLSA records at _25._tcp.<mx-host> using raw DNS queries. Reports certificate usage, selector, and matching type fields. Flags missing TLSA records and DANE without DNSSEC.",
+    schema: {
+        domain: z.string().describe("The domain to check DANE/TLSA records for (e.g. example.com)"),
+    },
+    execute: async (args) => {
+        const domain = args.domain;
+        const result = await checkDane(domain);
+        return json(result);
+    },
+};
+const emailCheckPtr = {
+    name: "email_check_ptr",
+    description: "Check PTR (reverse DNS) and FCrDNS (Forward-Confirmed reverse DNS) for a domain's MX hosts. Resolves MX -> IP -> PTR -> forward A record and verifies the IP matches. Flags missing PTR records and FCrDNS mismatches that can cause mail delivery failures.",
+    schema: {
+        domain: z.string().describe("The domain to check PTR/FCrDNS for (e.g. example.com)"),
+    },
+    execute: async (args) => {
+        const domain = args.domain;
+        const result = await checkPtr(domain);
+        return json(result);
+    },
+};
+const emailSpoofabilityScore = {
+    name: "email_spoofability_score",
+    description: "Calculate an email spoofability score (0-100) for a domain based on SPF, DKIM, and DMARC configuration. Returns a score, verdict (easily spoofable / moderately protected / well protected), and per-check breakdown.",
+    schema: {
+        domain: z.string().describe("The domain to calculate spoofability score for (e.g. example.com)"),
+    },
+    execute: async (args) => {
+        const domain = args.domain;
+        const result = await calcSpoofability(domain);
+        return json(result);
+    },
+};
+const emailFullAudit = {
+    name: "email_full_audit",
+    description: "Run a comprehensive email security audit for a domain. Checks SPF, DKIM, DMARC, BIMI, MTA-STS, DANE/TLSA, PTR/FCrDNS, and calculates spoofability score. Aggregates all findings into a single report grouped by severity (critical/high/medium/low/info).",
+    schema: {
+        domain: z.string().describe("The domain to run a full email security audit on (e.g. example.com)"),
+    },
+    execute: async (args) => {
+        const domain = args.domain;
+        const result = await runFullAudit(domain);
+        return json(result);
+    },
+};
+function cidrSize(cidr) {
+    const slash = cidr.indexOf("/");
+    if (slash === -1)
+        return 1;
+    const prefix = parseInt(cidr.slice(slash + 1), 10);
+    return Math.pow(2, 32 - prefix);
+}
+async function enumerateSpfIps(domain, resolver, visited, chain, depth, maxDepth) {
+    if (depth > maxDepth || visited.has(domain.toLowerCase())) {
+        return { ipv4: [], ipv6: [], aHosts: [], mxHosts: [] };
+    }
+    visited.add(domain.toLowerCase());
+    const ipv4 = [];
+    const ipv6 = [];
+    const aHosts = [];
+    const mxHosts = [];
+    let spfRecord = null;
+    try {
+        const txtRecords = await resolver.resolveTxt(domain);
+        const spf = txtRecords
+            .map((r) => r.join(""))
+            .find((r) => r.toLowerCase().startsWith("v=spf1"));
+        if (spf)
+            spfRecord = spf;
+    }
+    catch {
+        return { ipv4, ipv6, aHosts, mxHosts };
+    }
+    if (!spfRecord)
+        return { ipv4, ipv6, aHosts, mxHosts };
+    chain.push({ domain, record: spfRecord, depth });
+    const parts = spfRecord.split(/\s+/).slice(1);
+    for (const part of parts) {
+        const mechanism = part.replace(/^[+\-~?]/, "");
+        const [type, ...rest] = mechanism.split(":");
+        const value = rest.join(":");
+        switch (type?.toLowerCase()) {
+            case "ip4":
+                if (value)
+                    ipv4.push(value.includes("/") ? value : `${value}/32`);
+                break;
+            case "ip6":
+                if (value)
+                    ipv6.push(value.includes("/") ? value : `${value}/128`);
+                break;
+            case "a": {
+                const target = value || domain;
+                aHosts.push(target);
+                try {
+                    const ips = await resolver.resolve4(target);
+                    for (const ip of ips)
+                        ipv4.push(`${ip}/32`);
+                }
+                catch { /* skip */ }
+                try {
+                    const ips = await resolver.resolve6(target);
+                    for (const ip of ips)
+                        ipv6.push(`${ip}/128`);
+                }
+                catch { /* skip */ }
+                break;
+            }
+            case "mx": {
+                const target = value || domain;
+                mxHosts.push(target);
+                try {
+                    const mxRecords = await resolver.resolveMx(target);
+                    for (const mx of mxRecords) {
+                        try {
+                            const ips = await resolver.resolve4(mx.exchange);
+                            for (const ip of ips)
+                                ipv4.push(`${ip}/32`);
+                        }
+                        catch { /* skip */ }
+                    }
+                }
+                catch { /* skip */ }
+                break;
+            }
+            case "include":
+            case "redirect": {
+                const target = type === "redirect" ? value : value;
+                if (target) {
+                    const sub = await enumerateSpfIps(target, resolver, visited, chain, depth + 1, maxDepth);
+                    ipv4.push(...sub.ipv4);
+                    ipv6.push(...sub.ipv6);
+                    aHosts.push(...sub.aHosts);
+                    mxHosts.push(...sub.mxHosts);
+                }
+                break;
+            }
+        }
+    }
+    return { ipv4, ipv6, aHosts, mxHosts };
+}
+const emailSpfEnumerate = {
+    name: "email_spf_enumerate",
+    description: "Recursively walk the entire SPF include chain for a domain and extract all authorized IP addresses and CIDR ranges. Reveals mail infrastructure: cloud providers, hosting ranges, third-party senders. Useful for attack surface mapping and infrastructure reconnaissance.",
+    schema: {
+        domain: z.string().describe("The domain to enumerate SPF IPs for (e.g. google.com)"),
+        max_depth: z
+            .number()
+            .optional()
+            .describe("Maximum include chain depth to follow (default 10)"),
+    },
+    execute: async (args) => {
+        const domain = args.domain;
+        const maxDepth = args.max_depth ?? 10;
+        const resolver = createResolver();
+        const visited = new Set();
+        const chain = [];
+        const findings = [];
+        const result = await enumerateSpfIps(domain, resolver, visited, chain, 0, maxDepth);
+        const uniqueIpv4 = [...new Set(result.ipv4)].sort();
+        const uniqueIpv6 = [...new Set(result.ipv6)].sort();
+        const totalIpv4 = uniqueIpv4.reduce((sum, cidr) => sum + cidrSize(cidr), 0);
+        if (chain.length === 0) {
+            findings.push({
+                severity: "info",
+                title: "No SPF record found",
+                description: `${domain} has no SPF record. No IP ranges to enumerate.`,
+            });
+        }
+        if (visited.size > 10) {
+            findings.push({
+                severity: "medium",
+                title: "Excessive SPF include chain",
+                description: `SPF chain spans ${visited.size} domains, exceeding the RFC 7208 limit of 10 DNS lookups.`,
+                remediation: "Flatten the SPF record by replacing includes with direct ip4/ip6 mechanisms.",
+            });
+        }
+        if (uniqueIpv4.some((r) => {
+            const slash = r.indexOf("/");
+            return slash !== -1 && parseInt(r.slice(slash + 1), 10) <= 16;
+        })) {
+            findings.push({
+                severity: "info",
+                title: "Large CIDR ranges in SPF",
+                description: "SPF authorizes /16 or larger ranges, potentially allowing many hosts to send email.",
+            });
+        }
+        const output = {
+            domain,
+            ipv4Ranges: uniqueIpv4,
+            ipv6Ranges: uniqueIpv6,
+            totalIpv4Addresses: totalIpv4,
+            chain,
+            aHosts: [...new Set(result.aHosts)],
+            mxHosts: [...new Set(result.mxHosts)],
+            findings,
+        };
+        return json(output);
+    },
+};
+// ─── Export ───
+export const emailTools = [
+    emailCheckSpf,
+    emailCheckDkim,
+    emailCheckDmarc,
+    emailCheckBimi,
+    emailCheckMtaSts,
+    emailCheckDane,
+    emailCheckPtr,
+    emailSpoofabilityScore,
+    emailFullAudit,
+    emailSpfEnumerate,
+];
+//# sourceMappingURL=index.js.map