mailauth 4.8.0 → 4.8.2

package/CHANGELOG.md

@@ -1,5 +1,19 @@
 # Changelog
 
+## [4.8.2](https://github.com/postalsys/mailauth/compare/v4.8.1...v4.8.2) (2024-12-19)
+
+
+### Bug Fixes
+
+* **ARC:** ensure that instance value is 1 if ARC chain does not exist yet ([ab4c5e9](https://github.com/postalsys/mailauth/commit/ab4c5e9ae0158e196b10f346321ca55b8f06c679))
+
+## [4.8.1](https://github.com/postalsys/mailauth/compare/v4.8.0...v4.8.1) (2024-11-05)
+
+
+### Bug Fixes
+
+* **cli:** Updated help strings for the cli script ([8a86e51](https://github.com/postalsys/mailauth/commit/8a86e51bff0300a7daea26062481ac56904202a8))
+
 ## [4.8.0](https://github.com/postalsys/mailauth/compare/v4.7.3...v4.8.0) (2024-11-05)
 
 

package/bin/mailauth.js

@@ -20,49 +20,51 @@ const pathlib = require('node:path');
 const argv = yargs(hideBin(process.argv))
     .command(
         ['report [email]', '$0 [email]'],
-        'Validate email message and return a report in JSON format',
+        'Validate an email message and return a detailed JSON report',
         yargs => {
             yargs
                 .option('client-ip', {
                     alias: 'i',
                     type: 'string',
-                    description: 'Client IP used for SPF checks. If not set then parsed from the latest Received header'
+                    description: 'IP address of the remote client (used for SPF checks). If not provided, it is parsed from the latest Received header.'
                 })
                 .option('mta', {
                     alias: 'm',
                     type: 'string',
-                    description: 'Hostname of this machine, used in the Authentication-Results header',
+                    description:
+                        'Hostname of the server performing the validation (used in the Authentication-Results header). Defaults to the local hostname.',
                     default: os.hostname()
                 })
                 .option('helo', {
                     alias: 'e',
                     type: 'string',
-                    description: 'Client hostname from the EHLO/HELO command, used in some specific SPF checks'
+                    description: 'Client hostname from the HELO/EHLO command (used in some SPF checks).'
                 })
                 .option('sender', {
                     alias: 'f',
                     type: 'string',
-                    description: 'Email address from the MAIL FROM command. If not set then the address from the latest Return-Path header is used instead'
+                    description: 'Email address from the MAIL FROM command. If not provided, the address from the latest Return-Path header is used.'
                 })
                 .option('dns-cache', {
                     alias: 'n',
                     type: 'string',
-                    description: 'Path to a JSON file with cached DNS responses. If this file is given then no actual DNS requests are performed'
+                    description:
+                        'Path to a JSON file with cached DNS responses. When provided, DNS queries use these cached responses instead of performing actual DNS lookups.'
                 })
                 .option('max-lookups', {
                     alias: 'x',
                     type: 'number',
-                    description: 'Maximum allowed DNS lookups',
+                    description: 'Maximum allowed DNS lookups during SPF checks. Defaults to 10.',
                     default: 10
                 })
                 .option('max-void-lookups', {
                     alias: 'z',
                     type: 'number',
-                    description: 'Maximum allowed empty DNS lookups',
+                    description: 'Maximum allowed DNS lookups that return no data (void lookups) during SPF checks. Defaults to 2.',
                     default: 2
                 });
             yargs.positional('email', {
-                describe: 'Path to the email message file in EML format. If not specified then content is read from stdin'
+                describe: 'Path to the email message file in EML format. If not specified, the content is read from standard input.'
             });
         },
         argv => {
@@ -71,7 +73,7 @@ const argv = yargs(hideBin(process.argv))
                     process.exit();
                 })
                 .catch(err => {
-                    console.error('Failed to generate report for input message');
+                    console.error('Failed to generate report for the input message.');
                     console.error(err);
                     process.exit(1);
                 });
@@ -82,59 +84,58 @@ const argv = yargs(hideBin(process.argv))
         'Sign an email with a DKIM digital signature',
         yargs => {
             yargs
-
                 .option('private-key', {
                     alias: 'k',
                     type: 'string',
-                    description: 'Path to a private key for signing',
+                    description: 'Path to the private key file used for signing.',
                     demandOption: true
                 })
                 .option('domain', {
                     alias: 'd',
                     type: 'string',
-                    description: 'Domain name for signing (d= tag)',
+                    description: 'Domain name to use in the DKIM signature (d= tag).',
                     demandOption: true
                 })
                 .option('selector', {
                     alias: 's',
                     type: 'string',
-                    description: 'Key selector for signing  (s= tag)',
+                    description: 'Selector to use in the DKIM signature (s= tag).',
                     demandOption: true
                 })
                 .option('algo', {
                     alias: 'a',
                     type: 'string',
-                    description: 'Signing algorithm. Defaults either to rsa-sha256 or ed25519-sha256 depending on the private key format.',
+                    description: 'Signing algorithm. Defaults to "rsa-sha256" or "ed25519-sha256" depending on the private key type.',
                     default: 'rsa-sha256'
                 })
                 .option('canonicalization', {
                     alias: 'c',
                     type: 'string',
-                    description: 'Canonicalization algorithm  (c= tag)',
+                    description: 'Canonicalization method (c= tag). Defaults to "relaxed/relaxed".',
                     default: 'relaxed/relaxed'
                 })
                 .option('time', {
                     alias: 't',
                     type: 'number',
-                    description: 'Signing time as a unix timestamp (t= tag)'
+                    description: 'Signing time as a UNIX timestamp (t= tag). Defaults to the current time.'
                 })
                 .option('body-length', {
                     alias: 'l',
                     type: 'number',
-                    description: 'Maximum length of canonicalizated body to sign (l= tag)'
+                    description: 'Maximum length of the canonicalized body to include in the signature (l= tag). Not recommended for general use.'
                 })
                 .option('header-fields', {
                     alias: 'h',
                     type: 'string',
-                    description: 'Colon separated list of header field names to sign (h= tag)'
+                    description: 'Colon-separated list of header field names to include in the signature (h= tag).'
                 })
                 .option('headers-only', {
                     alias: 'o',
                     type: 'boolean',
-                    description: 'Return signing headers only'
+                    description: 'If set, outputs only the DKIM signature headers without the message body.'
                 });
             yargs.positional('email', {
-                describe: 'Path to the email message file in EML format. If not specified then content is read from stdin'
+                describe: 'Path to the email message file in EML format. If not specified, the content is read from standard input.'
             });
         },
         argv => {
@@ -144,7 +145,7 @@ const argv = yargs(hideBin(process.argv))
                 })
                 .catch(err => {
                     if (!err.suppress) {
-                        console.error('Failed to sign input message');
+                        console.error('Failed to sign the input message.');
                         console.error(err);
                     }
                     process.exit(1);
@@ -153,83 +154,85 @@ const argv = yargs(hideBin(process.argv))
     )
     .command(
         ['seal [email]'],
-        'Authenticates an email and seals it with an ARC digital signature',
+        'Authenticate and seal an email with an ARC digital signature',
         yargs => {
             yargs
                 .option('private-key', {
                     alias: 'k',
                     type: 'string',
-                    description: 'Path to a private key for sealing',
+                    description: 'Path to the private key file used for sealing.',
                     demandOption: true
                 })
                 .option('domain', {
                     alias: 'd',
                     type: 'string',
-                    description: 'Domain name for sealing (d= tag)',
+                    description: 'Domain name to use in the ARC seal (d= tag).',
                     demandOption: true
                 })
                 .option('selector', {
                     alias: 's',
                     type: 'string',
-                    description: 'Key selector for sealing  (s= tag)',
+                    description: 'Selector to use in the ARC seal (s= tag).',
                     demandOption: true
                 })
                 .option('algo', {
                     alias: 'a',
                     type: 'string',
                     description:
-                        'Sealing algorithm. Defaults either to rsa-sha256 or ed25519-sha256 depending on the private key format. NB! Only rsa-sha256 is allowed by RFC8617 (a= tag)',
+                        'Sealing algorithm. Defaults to "rsa-sha256" or "ed25519-sha256" depending on the private key type. Note: RFC8617 only allows "rsa-sha256" (a= tag).',
                     default: 'rsa-sha256'
                 })
                 .option('canonicalization', {
                     alias: 'c',
                     type: 'string',
-                    description: 'Canonicalization algorithm. NB! Only relaxed/relaxed is allowed by RFC8617 (c= tag)',
+                    description: 'Canonicalization method. Note: RFC8617 only allows "relaxed/relaxed" (c= tag).',
                     default: 'relaxed/relaxed'
                 })
                 .option('time', {
                     alias: 't',
                     type: 'number',
-                    description: 'Signing time as a unix timestamp (t= tag)'
+                    description: 'Sealing time as a UNIX timestamp (t= tag). Defaults to the current time.'
                 })
                 .option('header-fields', {
                     alias: 'h',
                     type: 'string',
-                    description: 'Colon separated list of header field names to sign (h= tag)'
+                    description: 'Colon-separated list of header field names to include in the seal (h= tag).'
                 })
                 .option('client-ip', {
                     alias: 'i',
                     type: 'string',
-                    description: 'Client IP used for SPF checks. If not set then parsed from the latest Received header'
+                    description: 'IP address of the remote client (used for SPF checks). If not provided, it is parsed from the latest Received header.'
                 })
                 .option('mta', {
                     alias: 'm',
                     type: 'string',
-                    description: 'Hostname of this machine, used in the Authentication-Results header',
+                    description:
+                        'Hostname of the server performing the validation (used in the Authentication-Results header). Defaults to the local hostname.',
                     default: os.hostname()
                 })
                 .option('helo', {
                     alias: 'e',
                     type: 'string',
-                    description: 'Client hostname from the EHLO/HELO command, used in some specific SPF checks'
+                    description: 'Client hostname from the HELO/EHLO command (used in some SPF checks).'
                 })
                 .option('sender', {
                     alias: 'f',
                     type: 'string',
-                    description: 'Email address from the MAIL FROM command. If not set then the address from the latest Return-Path header is used instead'
+                    description: 'Email address from the MAIL FROM command. If not provided, the address from the latest Return-Path header is used.'
                 })
                 .option('dns-cache', {
                     alias: 'n',
                     type: 'string',
-                    description: 'Path to a JSON file with cached DNS responses. If this file is given then no actual DNS requests are performed'
+                    description:
+                        'Path to a JSON file with cached DNS responses. When provided, DNS queries use these cached responses instead of performing actual DNS lookups.'
                 })
                 .option('headers-only', {
                     alias: 'o',
                     type: 'boolean',
-                    description: 'Return signing headers only'
+                    description: 'If set, outputs only the ARC seal headers without the message body.'
                 });
             yargs.positional('email', {
-                describe: 'Path to the email message file in EML format. If not specified then content is read from stdin'
+                describe: 'Path to the email message file in EML format. If not specified, the content is read from standard input.'
             });
         },
         argv => {
@@ -239,7 +242,7 @@ const argv = yargs(hideBin(process.argv))
                 })
                 .catch(err => {
                     if (!err.suppress) {
-                        console.error('Failed to sign input message');
+                        console.error('Failed to seal the input message.');
                         console.error(err);
                     }
                     process.exit(1);
@@ -254,46 +257,47 @@ const argv = yargs(hideBin(process.argv))
                 .option('sender', {
                     alias: 'f',
                     type: 'string',
-                    description: 'Email address from the MAIL FROM command',
+                    description: 'Email address from the MAIL FROM command.',
                     demandOption: true
                 })
                 .option('client-ip', {
                     alias: 'i',
                     type: 'string',
-                    description: 'Client IP used for SPF checks. If not set then parsed from the latest Received header',
+                    description: 'IP address of the remote client (used for SPF checks).',
                     demandOption: true
                 })
                 .option('helo', {
                     alias: 'e',
                     type: 'string',
-                    description: 'Client hostname from the EHLO/HELO command, used in some specific SPF checks'
+                    description: 'Client hostname from the HELO/EHLO command (used in some SPF checks).'
                 })
                 .option('mta', {
                     alias: 'm',
                     type: 'string',
-                    description: 'Hostname of this machine, used in the Authentication-Results header',
+                    description: 'Hostname of the server performing the SPF check (used in the Authentication-Results header). Defaults to the local hostname.',
                     default: os.hostname()
                 })
                 .option('dns-cache', {
                     alias: 'n',
                     type: 'string',
-                    description: 'Path to a JSON file with cached DNS responses. If this file is given then no actual DNS requests are performed'
+                    description:
+                        'Path to a JSON file with cached DNS responses. When provided, DNS queries use these cached responses instead of performing actual DNS lookups.'
                 })
                 .option('headers-only', {
                     alias: 'o',
                     type: 'boolean',
-                    description: 'Return signing headers only'
+                    description: 'If set, outputs only the SPF authentication header.'
                 })
                 .option('max-lookups', {
                     alias: 'x',
                     type: 'number',
-                    description: 'Maximum allowed DNS lookups',
+                    description: 'Maximum allowed DNS lookups during SPF checks. Defaults to 10.',
                     default: 10
                 })
                 .option('max-void-lookups', {
                     alias: 'z',
                     type: 'number',
-                    description: 'Maximum allowed empty DNS lookups',
+                    description: 'Maximum allowed DNS lookups that return no data (void lookups) during SPF checks. Defaults to 2.',
                     default: 2
                 });
         },
@@ -303,7 +307,7 @@ const argv = yargs(hideBin(process.argv))
                     process.exit();
                 })
                 .catch(err => {
-                    console.error('Failed to verify SPF for an email address');
+                    console.error('Failed to verify SPF for the email address.');
                     console.error(err);
                     process.exit(1);
                 });
@@ -311,32 +315,28 @@ const argv = yargs(hideBin(process.argv))
     )
     .command(
         ['vmc'],
-        'Validate VMC logo',
+        'Validate a Verified Mark Certificate (VMC) logo file',
         yargs => {
             yargs
                 .option('authorityPath', {
                     alias: 'p',
                     type: 'string',
-                    description: 'Path to a VMC file',
-                    demandOption: false
+                    description: 'Path to a local VMC file.'
                 })
                 .option('authority', {
                     alias: 'a',
                     type: 'string',
-                    description: 'URL to a VMC file',
-                    demandOption: false
+                    description: 'URL of the VMC file.'
                 })
                 .option('domain', {
                     alias: 'd',
                     type: 'string',
-                    description: 'Sending domain to validate',
-                    demandOption: false
+                    description: 'Sending domain to validate against the VMC.'
                 })
                 .option('date', {
                     alias: 't',
                     type: 'string',
-                    description: 'ISO formatted timestamp for the certificate expiration checks',
-                    demandOption: false
+                    description: 'ISO-formatted timestamp to use for certificate expiration checks.'
                 });
         },
         argv => {
@@ -345,7 +345,7 @@ const argv = yargs(hideBin(process.argv))
                     process.exit();
                 })
                 .catch(err => {
-                    console.error('Failed to verify VMC file');
+                    console.error('Failed to verify the VMC file.');
                     console.error(err);
                     process.exit(1);
                 });
@@ -353,32 +353,28 @@ const argv = yargs(hideBin(process.argv))
     )
     .command(
         ['bodyhash [email]'],
-        'Generate a signature body hash for an email',
+        'Generate a DKIM body hash for an email message',
         yargs => {
             yargs
-
                 .option('algo', {
                     alias: 'a',
                     type: 'string',
-                    description: 'Hashing algorithm. Defaults to sha256.',
+                    description: 'Hashing algorithm to use. Defaults to "sha256". Can also use DKIM-style algorithms like "rsa-sha256".',
                     default: 'sha256'
                 })
-
                 .option('canonicalization', {
                     alias: 'c',
                     type: 'string',
-                    description: 'Canonicalization algorithm  (c= tag)',
+                    description: 'Body canonicalization method (c= tag). Defaults to "relaxed". Can use DKIM-style formats like "relaxed/relaxed".',
                     default: 'relaxed'
                 })
-
                 .option('body-length', {
                     alias: 'l',
                     type: 'number',
-                    description: 'Maximum length of canonicalizated body to sign (l= tag)'
+                    description: 'Maximum length of the canonicalized body to include in the hash (l= tag).'
                 });
-
             yargs.positional('email', {
-                describe: 'Path to the email message file in EML format. If not specified then content is read from stdin'
+                describe: 'Path to the email message file in EML format. If not specified, the content is read from standard input.'
             });
         },
         argv => {
@@ -388,7 +384,7 @@ const argv = yargs(hideBin(process.argv))
                 })
                 .catch(err => {
                     if (!err.suppress) {
-                        console.error('Failed to calculate body hash for the input message');
+                        console.error('Failed to calculate the body hash for the input message.');
                         console.error(err);
                     }
                     process.exit(1);
@@ -397,17 +393,17 @@ const argv = yargs(hideBin(process.argv))
     )
     .command(
         ['license'],
-        'Show license information',
+        'Display license information for mailauth and included modules',
         () => false,
         () => {
             fs.readFile(pathlib.join(__dirname, '..', 'LICENSE.txt'), (err, license) => {
                 if (err) {
-                    console.error('Failed to load license information');
+                    console.error('Failed to load license information.');
                     console.error(err);
                     return process.exit(1);
                 }
 
-                console.error('Mailauth License');
+                console.error('mailauth License');
                 console.error('================');
 
                 console.error(license.toString().trim());
@@ -416,7 +412,7 @@ const argv = yargs(hideBin(process.argv))
 
                 fs.readFile(pathlib.join(__dirname, '..', 'licenses.txt'), (err, data) => {
                     if (err) {
-                        console.error('Failed to load license information');
+                        console.error('Failed to load included modules license information.');
                         console.error(err);
                         return process.exit(1);
                     }
@@ -433,7 +429,7 @@ const argv = yargs(hideBin(process.argv))
     .option('verbose', {
         alias: 'v',
         type: 'boolean',
-        description: 'Run with verbose logging'
+        description: 'Enable verbose logging for debugging purposes.'
     }).argv;
 
 assert.ok(argv);

package/cli.md

@@ -1,351 +1,355 @@
-![](https://github.com/postalsys/mailauth/raw/master/assets/mailauth.png)
+# mailauth CLI Usage
 
-Command line utility and a [Node.js library](README.md) for email authentication.
+![mailauth Logo](https://github.com/postalsys/mailauth/raw/master/assets/mailauth.png)
 
-# CLI USAGE
+mailauth provides a command-line utility for email authentication, complementing its [Node.js library](README.md). This guide explains how to use the mailauth CLI to perform various email authentication tasks.
 
-## TOC
+## Table of Contents
 
 -   [Installation](#installation)
--   [Help](#help)
--   [Available commands](#available-commands)
-    -   [report](#report) – to validate SPF, DKIM, DMARC, ARC
-    -   [sign](#sign) - to sign an email with DKIM
-    -   [seal](#seal) - to seal an email with ARC
-    -   [spf](#spf) - to validate SPF for an IP address and an email address
-    -   [vmc](#vmc) - to validate BIMI VMC logo files
-    -   [bodyhash](#bodyhash) - to generate the signature body hash value for an email
-    -   [license](#license) - display licenses for `mailauth` and included modules
--   [DNS cache file](#dns-cache-file)
+-   [Getting Help](#getting-help)
+-   [Available Commands](#available-commands)
+    -   [`report`](#report) — Validate SPF, DKIM, DMARC, ARC, and BIMI
+    -   [`sign`](#sign) — Sign an email with DKIM
+    -   [`seal`](#seal) — Seal an email with ARC
+    -   [`spf`](#spf) — Validate SPF for an IP address and email address
+    -   [`vmc`](#vmc) — Validate BIMI VMC logo files
+    -   [`bodyhash`](#bodyhash) — Generate the body hash value for an email
+    -   [`license`](#license) — Display licenses for mailauth and included modules
+-   [DNS Cache File](#dns-cache-file)
+-   [License](#license)
 
 ## Installation
 
-Download `mailauth` for your platform:
+Install the mailauth CLI by downloading the appropriate package for your platform or via npm:
 
--   MacOS
+-   **MacOS:**
     -   [Intel processors](https://github.com/postalsys/mailauth/releases/latest/download/mailauth.pkg)
     -   [Apple silicon](https://github.com/postalsys/mailauth/releases/latest/download/mailauth-arm.pkg)
--   [Linux](https://github.com/postalsys/mailauth/releases/latest/download/mailauth.tar.gz)
--   [Windows](https://github.com/postalsys/mailauth/releases/latest/download/mailauth.exe)
--   Or install from the NPM registry: `npm install -g mailauth`
+-   **Linux:**
+    -   [Download mailauth.tar.gz](https://github.com/postalsys/mailauth/releases/latest/download/mailauth.tar.gz)
+-   **Windows:**
+    -   [Download mailauth.exe](https://github.com/postalsys/mailauth/releases/latest/download/mailauth.exe)
+-   **NPM Registry:**
 
-## Help
+    -   Install globally using npm:
 
+        ```bash
+        npm install -g mailauth
+        ```
+
+## Getting Help
+
+To display help information for the mailauth CLI or any specific command, use the `--help` flag:
+
+```bash
+mailauth --help
+mailauth report --help
+mailauth sign --help
+mailauth seal --help
+mailauth spf --help
 ```
-$ mailauth --help
-$ mailauth report --help
-$ mailauth sign --help
-$ mailauth seal --help
-$ mailauth spf --help
-```
 
-## Available commands
+## Available Commands
+
+The mailauth CLI offers several commands to perform different email authentication tasks:
+
+1. [`report`](#report) — Validate SPF, DKIM, DMARC, ARC, and BIMI.
+2. [`sign`](#sign) — Sign an email with DKIM.
+3. [`seal`](#seal) — Seal an email with ARC.
+4. [`spf`](#spf) — Validate SPF for an IP address and email address.
+5. [`vmc`](#vmc) — Validate BIMI VMC logo files.
+6. [`bodyhash`](#bodyhash) — Generate the body hash value for an email.
+7. [`license`](#license) — Display licenses for mailauth and included modules.
 
 ### report
 
-`report` command takes an email message and returns a JSON formatted report for SPF, DKIM, ARC, DMARC and BIMI. Not all reports might make sense for your use case, eg. SPF check for an outbound message usually gives no useful info, so you can ignore the parts you're not interested in.
+The `report` command analyzes an email message and returns a JSON-formatted report detailing the results of SPF, DKIM, DMARC, ARC, and BIMI validations.
 
-```
-$ mailauth report [options] [email]
+#### Usage
+
+```bash
+mailauth report [options] [email]
 ```
 
-Where
+-   **email**: (Optional) Path to the EML-formatted email message file. If omitted, the email is read from standard input.
 
--   **options** are option flags and arguments
--   **email** is the path to EML formatted email message file. If not provided then email message is read from standard input
+#### Options
 
-**Options**
+-   `--client-ip x.x.x.x`, `-i x.x.x.x`: IP address of the remote client that sent the email. If not provided, it's parsed from the latest `Received` header.
+-   `--sender user@example.com`, `-f user@example.com`: Email address from the MAIL FROM command. If not provided, it's parsed from the latest `Return-Path` header.
+-   `--helo hostname`, `-e hostname`: Hostname from the HELO/EHLO command. Used in some SPF validations.
+-   `--mta hostname`, `-m hostname`: Hostname of the server performing validations. Defaults to the local hostname.
+-   `--dns-cache /path/to/dns.json`, `-n /path/to/dns.json`: Path to a DNS cache file. When provided, DNS queries use cached responses.
+-   `--verbose`, `-v`: Enables verbose output, displaying debugging information.
+-   `--max-lookups number`, `-x number`: Sets the maximum number of DNS lookups for SPF checks. Defaults to `10`.
+-   `--max-void-lookups number`, `-z number`: Sets the maximum number of void DNS lookups for SPF checks. Defaults to `2`.
 
--   `--client-ip x.x.x.x` or `-i x.x.x.x` is the IP of the remote client that sent the email. If not provided then it is parsed from the latest `Received` header
--   `--sender user@example.com` or `-f address` is the email address from the MAIL FROM command. If not provided then it is parsed from the latest Return-Path header
--   `--helo hostname` or `-e hostname` is the client hostname from the HELO/EHLO command. Used in some obscure SPF validation operations
--   `--mta hostname` or `-m hostname` is the server hostname doing the validation checks. Defaults to `os.hostname()`
--   `--dns-cache /path/to/dns.json` or `-n path` is the path to a file with cached DNS query responses. If this file is provided then no actual DNS requests are performed, only cached values from this file are used.
--   `--verbose` or `-v` if this flag is set then mailauth writes some debugging info to standard error
--   `--max-lookups nr` or `-x nr` defines the allowed DNS lookup limit for SPF checks. Defaults to 10.
--   `--max-void-lookups nr` or `-z nr` defines the allowed DNS lookup limit for SPF checks. Defaults to 2.
+#### Example
 
-**Example**
+```bash
+mailauth report --verbose --dns-cache examples/dns-cache.json test/fixtures/message2.eml
+```
+
+**Sample Output:**
 
 ```
-$ mailauth report --verbose --dns-cache examples/dns-cache.json test/fixtures/message2.eml
 Reading email message from test/fixtures/message2.eml
 DNS query for TXT mail.projectpending.com: not found
 DNS query for TXT _dmarc.projectpending.com: not found
 {
   "receivedChain": [
-  ...
+    "..."
+  ]
+}
 ```
 
-See full example for DKIM checks [here](https://gist.github.com/andris9/8d4ab527282041f6725a640d80da4872).
+For a detailed example of DKIM checks, refer to [this gist](https://gist.github.com/andris9/8d4ab527282041f6725a640d80da4872).
 
 ### sign
 
-`sign` command takes an email message and signs it with a DKIM digital signature.
+The `sign` command signs an email message using a DKIM signature.
 
-```
-$ mailauth sign [options] [email]
+#### Usage
+
+```bash
+mailauth sign [options] [email]
 ```
 
-Where
+-   **email**: (Optional) Path to the EML-formatted email message file. If omitted, the email is read from standard input.
 
--   **options** are option flags and arguments
--   **email** is the path to EML formatted email message file. If not provided then email message is read from standard input
+#### Options
 
-**Options**
+-   `--private-key /path/to/private.key`, `-k /path/to/private.key`: Path to the private key used for signing.
+-   `--domain example.com`, `-d example.com`: Domain name for the DKIM signature (`d=` tag).
+-   `--selector selector`, `-s selector`: Selector for the DKIM key (`s=` tag).
+-   `--algo algorithm`, `-a algorithm`: Signing algorithm (e.g., `rsa-sha256`). Defaults based on the private key type.
+-   `--canonicalization method`, `-c method`: Canonicalization method (e.g., `relaxed/relaxed`). Defaults to `relaxed/relaxed`.
+-   `--time timestamp`, `-t timestamp`: Signing time as a Unix timestamp (`t=` tag).
+-   `--header-fields "field1:field2"`, `-h "field1:field2"`: Colon-separated list of header fields to include in the signature (`h=` tag).
+-   `--body-length length`, `-l length`: Maximum length of the body to include in the signature (`l=` tag).
+-   `--headers-only`, `-o`: Outputs only the DKIM signature headers without the entire message.
 
--   `--private-key /path` or `-k /path` is the path to a private key for signing
--   `--domain example.com` or `-d example.com` is the domain name for signing (d= tag)
--   `--selector xxx` or `-s xxx` is the key selector name for signing (s= tag)
--   `--algo rsa-sha256` or `-a rsa-sha256` is the signing algorithm. Defaults either to "rsa-sha256" or
-    "ed25519-sha256" depending on the private key format (a= tag)
--   `--canonicalization algo` or `-c algo` is the canonicalization algorithm, defaults to "relaxed/relaxed" (c= tag)
--   `--time 12345` or `-t 12345` is the signing time as a unix timestamp (t= tag)
--   `--header-fields "message-id:date"` or `-h keys` is a colon separated list of header field names to sign (h= tag)
--   `--body-length 12345` or `-l 12345` is the maximum length of canonicalizated body to sign (l= tag)
--   `--headers-only` or `-o` If set return signing headers only. Default is to return the entire message.
+#### Example
 
-**Example**
+```bash
+mailauth sign /path/to/message.eml --domain example.com --selector s1 --private-key /path/to/private.key --verbose
+```
+
+**Sample Output:**
 
 ```
-$ mailauth sign /path/message.eml --domain kreata.ee --selector test --privateKey /path/private-rsa.pem --verbose
-Reading email message from /path/message.eml
-Signing domain:             kreata.ee
-Key selector:               test
+Reading email message from /path/to/message.eml
+Signing domain:             example.com
+Key selector:               s1
 Canonicalization algorithm: relaxed/relaxed
 Hashing algorithm:          rsa-sha256
-Signing time:               2020-12-03T23:00:14.956Z
+Signing time:               2023-03-15T12:00:00.000Z
 --------
-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kreata.ee;
- h=MIME-Version: Date: Message-ID: Subject: To: From: Content-Type;
+DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
+ h=MIME-Version:Date:Message-ID:Subject:To:From:Content-Type;
  ...
 ```
 
 ### seal
 
-`seal` command takes an email message and seals it with an ARC digital signature.
+The `seal` command adds an ARC (Authenticated Received Chain) seal to an email message.
 
-```
-$ mailauth seal [options] [email]
+#### Usage
+
+```bash
+mailauth seal [options] [email]
 ```
 
-Where
+-   **email**: (Optional) Path to the EML-formatted email message file. If omitted, the email is read from standard input.
 
--   **options** are option flags and arguments
--   **email** is the path to EML formatted email message file. If not provided then email message is read from standard input
+#### Options
 
-**Options**
+**Sealing Options:**
 
-As the emails needs to be authenticated before sealing then `seal` command expects in additon to sealing key information also the authentication options from the `report` command.
+-   `--private-key /path/to/private.key`, `-k /path/to/private.key`: Path to the private key used for sealing.
+-   `--domain example.com`, `-d example.com`: Domain name for the ARC seal (`d=` tag).
+-   `--selector selector`, `-s selector`: Selector for the ARC key (`s=` tag).
+-   `--algo algorithm`, `-a algorithm`: Sealing algorithm (e.g., `rsa-sha256`). Defaults based on the private key type.
+-   `--time timestamp`, `-t timestamp`: Sealing time as a Unix timestamp (`t=` tag).
+-   `--header-fields "field1:field2"`, `-h "field1:field2"`: Colon-separated list of header fields to include in the seal (`h=` tag).
+-   `--headers-only`, `-o`: Outputs only the ARC seal headers without the entire message.
 
--   `--private-key /path` or `-k /path` is the path to a private key for sealing
--   `--domain example.com` or `-d example.com` is the domain name for sealing (d= tag)
--   `--selector xxx` or `-s xxx` is the key selector name for sealing (s= tag)
--   `--algo rsa-sha256` or `-a rsa-sha256` is the sealing algorithm. Defaults either to "rsa-sha256" or
-    "ed25519-sha256" depending on the private key format (a= tag)
--   `--time 12345` or `-t 12345` is the sealing time as a unix timestamp (t= tag)
--   `--header-fields "message-id:date"` or `-h keys` is a colon separated list of header field names to seal (h= tag)
--   `--client-ip x.x.x.x` or `-i x.x.x.x` is the IP of the remote client that sent the email. If not provided then it is parsed from the latest `Received` header
--   `--sender user@example.com` or `-f address` is the email address from the MAIL FROM command. If not provided then it is parsed from the latest Return-Path header
--   `--helo hostname` or `-e hostname` is the client hostname from the HELO/EHLO command. Used in some obscure SPF validation operations
--   `--mta hostname` or `-m hostname` is the server hostname doing the validation checks. Defaults to `os.hostname()`
--   `--dns-cache /path/to/dns.json` or `-n path` is the path to a file with cached DNS query responses. If this file is provided then no actual DNS requests are performed, only cached values from this file are used.
--   `--headers-only` or `-o` If set return signing headers only. Default is to return the entire message.
+**Authentication Options (from `report` command):**
 
-> Canonicalization (c= tag) is always "relaxed/relaxed" when sealing, this can not be changed
+-   `--client-ip x.x.x.x`, `-i x.x.x.x`: IP address of the remote client that sent the email.
+-   `--sender user@example.com`, `-f user@example.com`: Email address from the MAIL FROM command.
+-   `--helo hostname`, `-e hostname`: Hostname from the HELO/EHLO command.
+-   `--mta hostname`, `-m hostname`: Hostname of the server performing validations.
+-   `--dns-cache /path/to/dns.json`, `-n /path/to/dns.json`: Path to a DNS cache file.
+-   `--verbose`, `-v`: Enables verbose output.
 
-**Example**
+**Note:** The canonicalization method (`c=` tag) for ARC sealing is always `relaxed/relaxed` and cannot be changed.
 
+#### Example
+
+```bash
+mailauth seal /path/to/message.eml --domain example.com --selector s1 --private-key /path/to/private.key --verbose
 ```
-$ mailauth seal /path/message.eml --domain kreata.ee --selector test --privateKey /path/private-rsa.pem --verbose
-Reading email message from /path/message.eml
-Signing domain:             kreata.ee
-Key selector:               test
+
+**Sample Output:**
+
+```
+Reading email message from /path/to/message.eml
+Signing domain:             example.com
+Key selector:               s1
 Canonicalization algorithm: relaxed/relaxed
 Hashing algorithm:          rsa-sha256
-Signing time:               2020-12-03T23:04:41.082Z
+Sealing time:               2023-03-15T12:05:00.000Z
 --------
-ARC-Seal: i=3; a=rsa-sha256; t=1607036681; cv=pass; d=kreata.ee; s=test;
+ARC-Seal: i=3; a=rsa-sha256; t=1678884300; cv=pass; d=example.com; s=s1;
  b=Fo3hayVos+J77lzzgmr6J92gsUBKlPt/ZkoQt9ZCi514zy8+1WLvTHmI8CMUXAcegdcqP0NHt
  ...
 ```
 
 ### spf
 
-`spf` command takes an email address and an IP address and returns a JSON formatted SPF report.
+The `spf` command checks the SPF (Sender Policy Framework) record for a given email address and IP address.
 
-```
-$ mailauth spf [options]
+#### Usage
+
+```bash
+mailauth spf [options]
 ```
 
-Where
+#### Options
 
--   **options** are option flags and arguments
+-   `--sender user@example.com`, `-f user@example.com`: Email address from the MAIL FROM command. **Required.**
+-   `--client-ip x.x.x.x`, `-i x.x.x.x`: IP address of the remote client that sent the email. **Required.**
+-   `--helo hostname`, `-e hostname`: Hostname from the HELO/EHLO command.
+-   `--mta hostname`, `-m hostname`: Hostname of the server performing the SPF check.
+-   `--dns-cache /path/to/dns.json`, `-n /path/to/dns.json`: Path to a DNS cache file.
+-   `--verbose`, `-v`: Enables verbose output.
+-   `--headers-only`, `-o`: Outputs only the SPF authentication header.
+-   `--max-lookups number`, `-x number`: Sets the maximum number of DNS lookups. Defaults to `10`.
+-   `--max-void-lookups number`, `-z number`: Sets the maximum number of void DNS lookups. Defaults to `2`.
 
-**Options**
+#### Example
 
--   `--sender user@example.com` or `-f address` is the email address from the MAIL FROM command. Required.
--   `--client-ip x.x.x.x` or `-i x.x.x.x` is the IP of the remote client that sent the email. Required.
--   `--helo hostname` or `-e hostname` is the client hostname from the HELO/EHLO command. Used in some obscure SPF validation operations
--   `--mta hostname` or `-m hostname` is the server hostname doing the validation checks. Defaults to `os.hostname()`. Used in authentication headers.
--   `--dns-cache /path/to/dns.json` or `-n path` is the path to a file with cached DNS query responses. If this file is provided then no actual DNS requests are performed, only cached values from this file are used.
--   `--verbose` or `-v` if this flag is set then mailauth writes some debugging info to standard error
--   `--headers-only` or `-o` If set return SPF authentication header only. Default is to return a JSON structure.
--   `--max-lookups nr` or `-x nr` defines the allowed DNS lookup limit for SPF checks. Defaults to 10.
--   `--max-void-lookups nr` or `-z nr` defines the allowed DNS lookup limit for SPF checks. Defaults to 2.
+```bash
+mailauth spf --verbose -f user@example.com -i 192.0.2.1
+```
 
-**Example**
+**Sample Output:**
 
 ```
-$ mailauth spf --verbose -f andris@wildduck.email -i 217.146.76.20
-Checking SPF for andris@wildduck.email
+Checking SPF for user@example.com
 Maximum DNS lookups: 10
 --------
-DNS query for TXT wildduck.email: [["v=spf1 mx a -all"]]
-DNS query for MX wildduck.email: [{"exchange":"mail.wildduck.email","priority":1}]
-DNS query for A mail.wildduck.email: ["217.146.76.20"]
+DNS query for TXT example.com: [["v=spf1 include:_spf.example.com -all"]]
+DNS query for TXT _spf.example.com: [["v=spf1 ip4:192.0.2.0/24 -all"]]
 {
-  "domain": "wildduck.email",
-  "client-ip": "217.146.76.20",
-  ...
+  "domain": "example.com",
+  "client-ip": "192.0.2.1",
+  "result": "pass",
+  "..."
+}
 ```
 
 ### vmc
 
-`vmc` command takes either the URL for a VMC file or a file path or both. It then verifies if the VMC resource is a valid file or not and exposes its contents.
+The `vmc` command validates a Verified Mark Certificate (VMC) used in BIMI (Brand Indicators for Message Identification).
 
-```
-$ mailauth vmc [options]
-```
-
-Where
+#### Usage
 
--   **options** are option flags and arguments
+```bash
+mailauth vmc [options]
+```
 
-**Options**
+#### Options
 
--   `--authority <url>` or `-a <url>` is the URL for the VMC resource
--   `--authorityPath <path>` or `-p <path>` is the cached file for the authority URL to avoid network requests
--   `--domain <domain>` or `-d <domain>` is the sender domain to compare the certificate against
+-   `--authority <url>`, `-a <url>`: URL of the VMC resource.
+-   `--authorityPath <path>`, `-p <path>`: Path to a local VMC file, used to avoid network requests.
+-   `--domain <domain>`, `-d <domain>`: Sender domain to validate against the certificate.
 
-**Example**
+#### Example
 
-```
-$ mailauth vmc -a https://amplify.valimail.com/bimi/time-warner/yV3KRIg4nJW-cnn.pem -d cnn.com
-{
-  "url": "https://amplify.valimail.com/bimi/time-warner/yV3KRIg4nJW-cnn.pem",
-  "success": true,
-  "domainVerified": true,
-  "vmc": {
-    "mediaType": "image/svg+xml",
-    "hashAlgo": "sha1",
-    "hashValue": "ea8c81da633c66a16262134a78576cdf067638e9",
-    "logoFile": "<2300B base64 encoded file>",
-    "validHash": true,
-    "certificate": {
-      "subject": {
-        "businessCategory": "Private Organization",
-        "jurisdictionCountryName": "US",
-        "jurisdictionStateOrProvinceName": "Delaware",
-        "serialNumber": "2976730",
-        "countryName": "US",
-        "stateOrProvinceName": "Georgia",
-        "localityName": "Atlanta",
-        "street": "190 Marietta St NW",
-        "organizationName": "Cable News Network, Inc.",
-        "commonName": "Cable News Network, Inc.",
-        "trademarkCountryOrRegionName": "US",
-        "trademarkRegistration": "5817930"
-      },
-      "subjectAltName": [
-        "cnn.com"
-      ],
-      "fingerprint": "17:B3:94:97:E6:6B:C8:6B:33:B8:0A:D2:F0:79:6B:08:A2:A6:84:BD",
-      "serialNumber": "0821B8FE0A9CBC3BAC10DA08C088EEF4",
-      "validFrom": "2021-08-12T00:00:00.000Z",
-      "validTo": "2022-08-12T23:59:59.000Z",
-      "issuer": {
-        "countryName": "US",
-        "organizationName": "DigiCert, Inc.",
-        "commonName": "DigiCert Verified Mark RSA4096 SHA256 2021 CA1"
-      }
-    }
-  }
-}
+```bash
+mailauth vmc -a https://example.com/path/to/vmc.pem -d example.com
 ```
 
-If the certificate verification fails, then the logo contents are not returned.
+**Sample Output:**
 
-```
-$ mailauth vmc -p /path/to/random/cert-bundle.pem
+```json
 {
-  "success": false,
-  "error": {
-    "message": "Self signed certificate in certificate chain",
-    "details": {
-      "certificate": {
-        "subject": {
-          "commonName": "postal.vmc.local",
-          "organizationName": "Postal Systems OU.",
-          "countryName": "EE"
-        },
-        "subjectAltName": [],
-        "fingerprint": "CC:49:83:ED:3F:6B:77:45:5B:A5:3B:9E:EC:99:0E:A1:EF:D7:FF:97",
-        "serialNumber": "B61FBFBA917B15D9",
-        "validFrom": "2022-07-09T06:13:33.000Z",
-        "validTo": "2023-07-09T06:13:33.000Z",
-        "issuer": {
-          "commonName": "postal.vmc.local",
-          "organizationName": "Postal Systems OU.",
-          "countryName": "EE"
+    "url": "https://example.com/path/to/vmc.pem",
+    "success": true,
+    "domainVerified": true,
+    "vmc": {
+        "mediaType": "image/svg+xml",
+        "hashAlgo": "sha256",
+        "hashValue": "abc123...",
+        "logoFile": "<Base64 encoded SVG>",
+        "validHash": true,
+        "type": "VMC",
+        "certificate": {
+            "subject": {
+                "commonName": "Example Inc.",
+                "markType": "Registered Mark",
+                "..."
+            },
+            "subjectAltName": ["example.com"],
+            "fingerprint": "12:34:56:78:9A:BC:DE:F0...",
+            "serialNumber": "0123456789ABCDEF",
+            "validFrom": "2023-01-01T00:00:00.000Z",
+            "validTo": "2024-01-01T23:59:59.000Z",
+            "issuer": {
+                "commonName": "Trusted CA"
+                "..."
+            }
         }
-      }
-    },
-    "code": "SELF_SIGNED_CERT_IN_CHAIN"
-  }
+    }
 }
 ```
 
-The embedded SVG file is also validated.
+If validation fails, the output includes error details:
 
-```
-$ mailauth vmc -p /path/to/vmc-with-invalid-svg.pem
+```json
 {
-  "success": false,
-  "error": {
-    "message": "VMC logo SVG validation failed",
-    "details": {
-      "message": "Not a Tiny PS profile",
-      "code": "INVALID_BASE_PROFILE"
-    },
-    "code": "SVG_VALIDATION_FAILED"
-  }
+    "success": false,
+    "error": {
+        "message": "Self signed certificate in certificate chain",
+        "details": {
+            "..."
+        },
+        "code": "SELF_SIGNED_CERT_IN_CHAIN"
+    }
 }
 ```
 
 ### bodyhash
 
-`bodyhash` command takes an email message and calculates the body hash value for it
+The `bodyhash` command computes the body hash value of an email message, which is used in DKIM signatures.
 
-```
-$ mailauth bodyhash [options] [email]
+#### Usage
+
+```bash
+mailauth bodyhash [options] [email]
 ```
 
-Where
+-   **email**: (Optional) Path to the EML-formatted email message file. If omitted, the email is read from standard input.
 
--   **options** are option flags and arguments
--   **email** is the path to EML formatted email message file. If not provided then email message is read from standard input
+#### Options
 
-**Options**
+-   `--algo algorithm`, `-a algorithm`: Hashing algorithm (e.g., `sha256`). Defaults to `sha256`. Can also specify DKIM-style algorithms (e.g., `rsa-sha256`).
+-   `--canonicalization method`, `-c method`: Body canonicalization method (e.g., `relaxed`). Defaults to `relaxed`. Can use DKIM-style (e.g., `relaxed/relaxed`).
+-   `--body-length length`, `-l length`: Maximum length of the body to hash (`l=` tag).
+-   `--verbose`, `-v`: Enables verbose output.
 
--   `--algo sha256` or `-a sha256` is the signing algorithm. Defaults to "sha256". Can also use the a= tag format ("rsa-sha256").
--   `--canonicalization algo` or `-c algo` is the body canonicalization algorithm, defaults to "relaxed". Can also use the c= tag format ("relaxed/relaxed").
--   `--body-length 12345` or `-l 12345` is the maximum length of canonicalizated body to sign (l= tag)
+#### Example
+
+```bash
+mailauth bodyhash /path/to/message.eml -a sha1 --verbose
+```
 
-**Example**
+**Sample Output:**
 
 ```
-$ mailauth bodyhash /path/message.eml -a sha1 --verbose
 Hashing algorithm:               sha1
 Body canonicalization algorithm: relaxed
 --------
@@ -354,37 +358,67 @@ j+dD7whKXS1yDmyoWtvClYSyYiQ=
 
 ### license
 
-Display licenses for `mailauth` and included modules.
+The `license` command displays the licenses for mailauth and its included modules.
 
-```
-$ mailauth licenses
+#### Usage
+
+```bash
+mailauth license
 ```
 
-## DNS cache file
+#### Example
 
-In general you would use the `--dns-cache` option only when testing. This way you can provide different kind of DNS responses without actually setting up a DNS server and unlike when using real DNS you do not have to wait for the changes in the DNS server to propagate – whatever is in the provided cache file, is used for the DNS query responses.
+```bash
+mailauth license
+```
 
-DNS cache file includes a JSON encoded object where main keys are the domain names (eg. `"_dmarc.example.com"`), sub keys are resource record types (eg. `"TXT"`) and values are the corresponding values as provided by the [dns module](https://nodejs.org/api/dns.html#dns_dns_resolvetxt_hostname_callback).
+**Sample Output:**
 
-```json
-{
-    "full_domain_name": {
-        "TXT": [["string1"]]
-    }
-}
 ```
+mailauth License: MIT License
+Included Modules:
+- module1: MIT License
+- module2: Apache License 2.0
+...
+```
+
+## DNS Cache File
+
+The `--dns-cache` option allows you to use a JSON-formatted DNS cache file for testing purposes. This avoids the need to set up a DNS server or wait for DNS propagation.
+
+### Format
+
+The DNS cache file is a JSON object where:
 
-**Example**
+-   **Keys**: Fully qualified domain names (e.g., `"example.com"`).
+-   **Values**: Objects with DNS record types as keys (e.g., `"TXT"`, `"MX"`) and their corresponding values.
 
-This example provides SPF and DMARC policy records for "example.com":
+**Example:**
 
 ```json
 {
     "example.com": {
-        "TXT": [["v=spf1 include:_spf.google.com include:sendgrid.net", " include:servers.mcsv.net include:servers.outfunnel.com ip4:18.194.223.2 ~all"]]
+        "TXT": [["v=spf1 include:_spf.example.com -all"]],
+        "MX": [{ "exchange": "mail.example.com", "priority": 10 }]
     },
     "_dmarc.example.com": {
-        "TXT": [["v=DMARC1; p=reject; sp=reject;"]]
+        "TXT": [["v=DMARC1; p=reject; rua=mailto:dmarc@example.com;"]]
     }
 }
 ```
+
+### Usage
+
+Specify the DNS cache file using the `--dns-cache` option:
+
+```bash
+mailauth report --dns-cache /path/to/dns-cache.json email.eml
+```
+
+When this option is used, mailauth will not perform actual DNS queries but will use the data from the cache file instead.
+
+## License
+
+&copy; 2020-2024 Postal Systems OÜ
+
+Licensed under the [MIT License](LICENSE).

package/lib/arc/index.js

@@ -78,6 +78,8 @@ const verifyAS = async (chain, opts) => {
 const signAS = async (chain, entry, signatureData) => {
     let { instance, algorithm, selector, signingDomain, bodyHash, cv, signTime, privateKey } = signatureData;
 
+    instance = instance || 1;
+
     const signAlgo = algorithm?.split('-').shift();
 
     signTime = signTime || new Date();
@@ -497,6 +499,8 @@ const createSeal = async (input, data) => {
         await dkimSigner.finalize();
     }
 
+    seal.i = seal.i || 1;
+
     const authResults = `ARC-Authentication-Results: i=${seal.i}; ${seal.authResults}`;
 
     // Step 2. Calculate ARC-Seal

package/lib/dkim/dkim-signer.js

@@ -266,7 +266,7 @@ class DkimSigner extends MessageParser {
                     {},
                     signatureData,
                     {
-                        instance: this.arc?.instance, // ARC only
+                        instance: 'instance' in this.arc && (this.arc.instance || 1), // ARC only
                         algorithm,
                         canonicalization: this.getCanonicalization(signatureData).canonicalization,
 

package/man/mailauth.1

@@ -1,4 +1,4 @@
-.TH "MAILAUTH" "1" "November 2024" "v4.8.0" "Mailauth Help"
+.TH "MAILAUTH" "1" "December 2024" "v4.8.2" "Mailauth Help"
 .SH "NAME"
 \fBmailauth\fR
 .QP

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "mailauth",
-    "version": "4.8.0",
+    "version": "4.8.2",
     "description": "Email authentication library for Node.js",
     "main": "lib/mailauth.js",
     "scripts": {
@@ -38,21 +38,21 @@
         "eslint-config-nodemailer": "1.2.0",
         "eslint-config-prettier": "9.1.0",
         "js-yaml": "4.1.0",
-        "license-report": "6.7.0",
+        "license-report": "6.7.1",
         "marked": "0.7.0",
         "marked-man": "0.7.0",
         "mbox-reader": "1.2.0",
-        "mocha": "10.8.2"
+        "mocha": "11.0.1"
     },
     "dependencies": {
         "@postalsys/vmc": "1.1.0",
-        "fast-xml-parser": "4.5.0",
+        "fast-xml-parser": "4.5.1",
         "ipaddr.js": "2.2.0",
         "joi": "17.13.3",
-        "libmime": "5.3.5",
+        "libmime": "5.3.6",
         "nodemailer": "6.9.16",
         "punycode.js": "2.3.1",
-        "tldts": "6.1.58",
+        "tldts": "6.1.68",
         "undici": "5.28.4",
         "yargs": "17.7.2"
     },