mailauth 4.9.4 → 4.10.0

package/.ncurc.js

@@ -4,10 +4,6 @@ module.exports = {
         // only works as ESM
         'chai',
         'fast-xml-parser',
-        'yargs',
-
-        // fix later
-        'eslint',
-        'eslint-config-prettier'
+        'yargs'
     ]
 };

package/.prettierignore

@@ -0,0 +1,10 @@
+# Auto-generated files
+CHANGELOG.md
+licenses.txt
+
+# Build output
+ee-dist/
+node_modules/
+
+# Test fixtures with embedded content
+test/fixtures/**/*.yml

package/.release-please-manifest.json

@@ -0,0 +1,3 @@
+{
+    ".": "4.10.0"
+}

package/CHANGELOG.md

@@ -1,5 +1,54 @@
 # Changelog
 
+## [4.10.0](https://github.com/postalsys/mailauth/compare/mailauth-v4.9.5...mailauth-v4.10.0) (2025-10-31)
+
+
+### Features
+
+* added `forwardemail.net` to ARC trusted list ([#86](https://github.com/postalsys/mailauth/issues/86)) ([8cb577b](https://github.com/postalsys/mailauth/commit/8cb577b5cceaf0a61f02744811ad2f9533550032))
+* **cert-type:** BIMI authority information includes the type of the cert ('VMC' or 'CMC') ([0dd8db8](https://github.com/postalsys/mailauth/commit/0dd8db81b2ffc8b9d84d1a4396c65bfa9a347088))
+* **deploy:** Set up automatic publishing ([f9b9c32](https://github.com/postalsys/mailauth/commit/f9b9c325e4dbac060114aa12c5887ea8c92c0bf8))
+* **dkim-sign:** Added new Transfor stream class DkimSignStream to sign emails in a stream processing pipeline ([130a1a3](https://github.com/postalsys/mailauth/commit/130a1a3812fac2ad710f244510ca60887c2d33a9))
+
+
+### Bug Fixes
+
+* **ARC:** ensure that instance value is 1 if ARC chain does not exist yet ([ab4c5e9](https://github.com/postalsys/mailauth/commit/ab4c5e9ae0158e196b10f346321ca55b8f06c679))
+* **ARC:** Updated built-in trust list for ARC ([ea9fc8c](https://github.com/postalsys/mailauth/commit/ea9fc8c6f8c5609b66053f1ffe95891c0b4efcb7))
+* **bimi:** Bumped VMC module to add support for GLobalSign VMC root ([d0e9ecf](https://github.com/postalsys/mailauth/commit/d0e9ecf89b699aae8ad9953445f052b558250f5a))
+* **bimi:** skip bimi with oversized DKIM signatures ([d666d74](https://github.com/postalsys/mailauth/commit/d666d7476cbcae8b3161c78a7e737559ad112fd9))
+* **BodyHashStream:** Skip header ([3da03d2](https://github.com/postalsys/mailauth/commit/3da03d23baa90acb119c7946c2cd740a72ba069d))
+* bumped 2022 in copyright notices to 2024 ([cc89823](https://github.com/postalsys/mailauth/commit/cc8982349d14b42a28581ebc52aa6de2e11b5be8))
+* bumped deps ([006475e](https://github.com/postalsys/mailauth/commit/006475ee7bbf61a8c7c00de793f4007f66dba61a))
+* **cli:** Updated help strings for the cli script ([8a86e51](https://github.com/postalsys/mailauth/commit/8a86e51bff0300a7daea26062481ac56904202a8))
+* **deps:** Bumped deps to clear out security warnings ([4ca35fe](https://github.com/postalsys/mailauth/commit/4ca35fef37e37ae715c420b8a52c7cb202e4b360))
+* **deps:** Bumped deps to get updated vmc root store ([5ad7464](https://github.com/postalsys/mailauth/commit/5ad746450f97d348217607802e83445e08737faf))
+* **deps:** Removed uuid dependency in favor of crypto.randomUUID() ([0b5d8f5](https://github.com/postalsys/mailauth/commit/0b5d8f5328d0b82f75daea7fdbd74e1e76e8b642))
+* **dkim-relaxed:** Faster DKIM hash calculation for relaxed body if the body contains extremely long lines ([fd8c89e](https://github.com/postalsys/mailauth/commit/fd8c89edd87a114464f99ebf79a1e903a8287876))
+* **dkim-verify:** Show the length of the source body in DKIM results ([d28663b](https://github.com/postalsys/mailauth/commit/d28663b30b0bfaf07d395e9d3eaea044c9085657))
+* **dkim:** Added new output property mimeStructureStart ([8f25353](https://github.com/postalsys/mailauth/commit/8f25353fa6a67ba3e1f0c5091325007b2434a29d))
+* **dkim:** New class BodyHashStream ([88d2fad](https://github.com/postalsys/mailauth/commit/88d2fad329a9a6fc8ebc1da4efc1c4844ae49507))
+* **dkim:** Store byteLength in BodyHashStream ([081f823](https://github.com/postalsys/mailauth/commit/081f82340505d4beb88f12728919d851d35b6576))
+* **dmarc-alignment:** Fixed tldts usage to allow private domains ([cc7dfa8](https://github.com/postalsys/mailauth/commit/cc7dfa8d820c1a4112602340192010354d51cd52))
+* downgraded yargs because of ESM ([215c71a](https://github.com/postalsys/mailauth/commit/215c71aaa108744970533f346408c41b38590500))
+* **ed25519:** Fixed ed25519 signing and verification ([40f1245](https://github.com/postalsys/mailauth/commit/40f12457d8f49f0ea21015fe4203b4de746ab7b8))
+* expose verifyASChain ([#89](https://github.com/postalsys/mailauth/issues/89)) ([cd11d85](https://github.com/postalsys/mailauth/commit/cd11d851f3c8cea125209676f3ba26676c700c5b))
+* protect against prototype pollution ([3b7515d](https://github.com/postalsys/mailauth/commit/3b7515df768ce1d2e4e02858fdfca8efca6243fb))
+* **psl:** Replaced psl module with tldts for up to date public suffix list ([cab894b](https://github.com/postalsys/mailauth/commit/cab894b54a3544b33a641f377783db67a43bec0e))
+* **spf:** expand macros in mx mechanism ([d8c05f9](https://github.com/postalsys/mailauth/commit/d8c05f90589e3fb5a56ecb4498e6dcb795dcc047))
+* **spf:** optimize dual-stack A/AAAA void lookup counting ([3069e5a](https://github.com/postalsys/mailauth/commit/3069e5afa946589e54fe8aec8ffe186d90eca810))
+* use minLength option for rsa keys ([#84](https://github.com/postalsys/mailauth/issues/84)) ([cbfed81](https://github.com/postalsys/mailauth/commit/cbfed816d953eee3c7eed99055c53f689a46a101))
+* ZMS-246: add required policy headers in BIMI for Apple Mail ([#92](https://github.com/postalsys/mailauth/issues/92)) ([f6b3008](https://github.com/postalsys/mailauth/commit/f6b300837f9453877386ce3e76aff80fee01d913))
+* ZMS-262 remove control chars from record add support for mappers in validateTagValueRecord ([#95](https://github.com/postalsys/mailauth/issues/95)) ([42828a6](https://github.com/postalsys/mailauth/commit/42828a6cb38add3aed35881f102488f8143407cb))
+* ZMS-262: Add raw record sanitanization and validation util functions ([#93](https://github.com/postalsys/mailauth/issues/93)) ([e4842cf](https://github.com/postalsys/mailauth/commit/e4842cf222bd6db29f34c25434b5c38c44edefdc))
+
+## [4.9.5](https://github.com/postalsys/mailauth/compare/v4.9.4...v4.9.5) (2025-09-10)
+
+
+### Bug Fixes
+
+* **spf:** expand macros in mx mechanism ([d8c05f9](https://github.com/postalsys/mailauth/commit/d8c05f90589e3fb5a56ecb4498e6dcb795dcc047))
+
 ## [4.9.4](https://github.com/postalsys/mailauth/compare/v4.9.3...v4.9.4) (2025-09-02)
 
 

package/LICENSE.txt

@@ -1,4 +1,4 @@
-Copyright (c) 2020-2024 Postal Systems OÜ
+Copyright (c) 2020-2025 Postal Systems OÜ
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

package/README.md

@@ -6,14 +6,14 @@
 
 **Key Features:**
 
--   **SPF** verification
--   **DKIM** signing and verification
--   **DMARC** verification
--   **ARC** verification and sealing
-    -   Sealing during authentication
-    -   Sealing after message modifications
--   **BIMI** resolving and **VMC** validation
--   **MTA-STS** helper functions
+- **SPF** verification
+- **DKIM** signing and verification
+- **DMARC** verification
+- **ARC** verification and sealing
+    - Sealing during authentication
+    - Sealing after message modifications
+- **BIMI** resolving and **VMC** validation
+- **MTA-STS** helper functions
 
 mailauth is a pure JavaScript implementation, requiring no external applications or compilation. It runs on any server or device with Node.js version 16 or later.
 
@@ -73,24 +73,24 @@ await authenticate(message [, options])
 
 #### Parameters
 
--   **message**: A `String`, `Buffer`, or `Readable` stream representing the email message.
--   **options** (optional):
-    -   **sender** (`string`): Email address from the MAIL FROM command. Defaults to the `Return-Path` header if not set.
-    -   **ip** (`string`): IP address of the remote client that sent the message.
-    -   **helo** (`string`): Hostname from the HELO/EHLO command.
-    -   **trustReceived** (`boolean`): If `true`, parses `ip` and `helo` from the latest `Received` header if not provided. Defaults to `false`.
-    -   **mta** (`string`): Hostname of the server performing the authentication. Defaults to `os.hostname()`. Included in Authentication headers.
-    -   **minBitLength** (`number`): Minimum allowed bits for RSA public keys. Defaults to `1024`. Keys with fewer bits will fail validation.
-    -   **disableArc** (`boolean`): If `true`, skips ARC checks.
-    -   **disableDmarc** (`boolean`): If `true`, skips DMARC checks, also disabling dependent checks like BIMI.
-    -   **disableBimi** (`boolean`): If `true`, skips BIMI checks.
-    -   **seal** (`object`): Options for ARC sealing if the message doesn't have a broken ARC chain.
-        -   **signingDomain** (`string`): ARC key domain name.
-        -   **selector** (`string`): ARC key selector.
-        -   **privateKey** (`string` or `Buffer`): Private key for signing (RSA or Ed25519).
-    -   **resolver** (`async function`): Custom DNS resolver function. Defaults to [`dns.promises.resolve`](https://nodejs.org/api/dns.html#dns_dnspromises_resolve_hostname_rrtype).
-    -   **maxResolveCount** (`number`): DNS lookup limit for SPF. Defaults to `10` as per [RFC7208](https://datatracker.ietf.org/doc/html/rfc7208#section-4.6.4).
-    -   **maxVoidCount** (`number`): DNS lookup limit for SPF producing empty results. Defaults to `2` as per [RFC7208](https://datatracker.ietf.org/doc/html/rfc7208#section-4.6.4).
+- **message**: A `String`, `Buffer`, or `Readable` stream representing the email message.
+- **options** (optional):
+    - **sender** (`string`): Email address from the MAIL FROM command. Defaults to the `Return-Path` header if not set.
+    - **ip** (`string`): IP address of the remote client that sent the message.
+    - **helo** (`string`): Hostname from the HELO/EHLO command.
+    - **trustReceived** (`boolean`): If `true`, parses `ip` and `helo` from the latest `Received` header if not provided. Defaults to `false`.
+    - **mta** (`string`): Hostname of the server performing the authentication. Defaults to `os.hostname()`. Included in Authentication headers.
+    - **minBitLength** (`number`): Minimum allowed bits for RSA public keys. Defaults to `1024`. Keys with fewer bits will fail validation.
+    - **disableArc** (`boolean`): If `true`, skips ARC checks.
+    - **disableDmarc** (`boolean`): If `true`, skips DMARC checks, also disabling dependent checks like BIMI.
+    - **disableBimi** (`boolean`): If `true`, skips BIMI checks.
+    - **seal** (`object`): Options for ARC sealing if the message doesn't have a broken ARC chain.
+        - **signingDomain** (`string`): ARC key domain name.
+        - **selector** (`string`): ARC key selector.
+        - **privateKey** (`string` or `Buffer`): Private key for signing (RSA or Ed25519).
+    - **resolver** (`async function`): Custom DNS resolver function. Defaults to [`dns.promises.resolve`](https://nodejs.org/api/dns.html#dns_dnspromises_resolve_hostname_rrtype).
+    - **maxResolveCount** (`number`): DNS lookup limit for SPF. Defaults to `10` as per [RFC7208](https://datatracker.ietf.org/doc/html/rfc7208#section-4.6.4).
+    - **maxVoidCount** (`number`): DNS lookup limit for SPF producing empty results. Defaults to `2` as per [RFC7208](https://datatracker.ietf.org/doc/html/rfc7208#section-4.6.4).
 
 #### Example
 
@@ -155,18 +155,18 @@ const signResult = await dkimSign(message, options);
 
 ##### Parameters
 
--   **message**: A `String`, `Buffer`, or `Readable` stream representing the email message.
--   **options**:
-    -   **canonicalization** (`string`): Canonicalization method. Defaults to `'relaxed/relaxed'`.
-    -   **algorithm** (`string`): Signing and hashing algorithm. Defaults to `'rsa-sha256'`.
-    -   **signTime** (`Date`): Signing time. Defaults to current time.
-    -   **signatureData** (`Array`): Array of signature objects. Each object may contain:
-        -   **signingDomain** (`string`): DKIM key domain name.
-        -   **selector** (`string`): DKIM key selector.
-        -   **privateKey** (`string` or `Buffer`): Private key for signing (RSA or Ed25519).
-        -   **algorithm** (`string`, optional): Overrides parent `algorithm`.
-        -   **canonicalization** (`string`, optional): Overrides parent `canonicalization`.
-        -   **maxBodyLength** (`number`, optional): Maximum number of canonicalized body bytes to sign (`l=` tag). Not recommended for general use.
+- **message**: A `String`, `Buffer`, or `Readable` stream representing the email message.
+- **options**:
+    - **canonicalization** (`string`): Canonicalization method. Defaults to `'relaxed/relaxed'`.
+    - **algorithm** (`string`): Signing and hashing algorithm. Defaults to `'rsa-sha256'`.
+    - **signTime** (`Date`): Signing time. Defaults to current time.
+    - **signatureData** (`Array`): Array of signature objects. Each object may contain:
+        - **signingDomain** (`string`): DKIM key domain name.
+        - **selector** (`string`): DKIM key selector.
+        - **privateKey** (`string` or `Buffer`): Private key for signing (RSA or Ed25519).
+        - **algorithm** (`string`, optional): Overrides parent `algorithm`.
+        - **canonicalization** (`string`, optional): Overrides parent `canonicalization`.
+        - **maxBodyLength** (`number`, optional): Maximum number of canonicalized body bytes to sign (`l=` tag). Not recommended for general use.
 
 ##### Example
 
@@ -286,11 +286,11 @@ const result = await spf(options);
 
 ##### Parameters
 
--   **options**:
-    -   **sender** (`string`): MAIL FROM address.
-    -   **ip** (`string`): SMTP client IP.
-    -   **helo** (`string`): HELO/EHLO hostname.
-    -   **mta** (`string`): Hostname of the MTA performing the check.
+- **options**:
+    - **sender** (`string`): MAIL FROM address.
+    - **ip** (`string`): SMTP client IP.
+    - **helo** (`string`): HELO/EHLO hostname.
+    - **mta** (`string`): Hostname of the MTA performing the check.
 
 ##### Example
 
@@ -433,8 +433,8 @@ const dmarcRecord = await getDmarcRecord(domain [, resolver]);
 
 ###### Parameters
 
--   **domain** (`string`): The domain to check for a DMARC record.
--   **resolver** (`function`, optional): Custom DNS resolver function. Defaults to `dns.resolve`.
+- **domain** (`string`): The domain to check for a DMARC record.
+- **resolver** (`function`, optional): Custom DNS resolver function. Defaults to `dns.resolve`.
 
 ###### Example
 
@@ -486,8 +486,8 @@ if (bimi?.location) {
 
 **Note:**
 
--   The `BIMI-Location` header is ignored by mailauth.
--   The `BIMI-Selector` header can be used for selector selection if available.
+- The `BIMI-Location` header is ignored by mailauth.
+- The `BIMI-Selector` header can be used for selector selection if available.
 
 #### Verified Mark Certificate (VMC)
 
@@ -495,8 +495,8 @@ If an Authority Evidence Document is specified in the BIMI record, its location
 
 **Example Authority Evidence Documents:**
 
--   [CNN's VMC](https://amplify.valimail.com/bimi/time-warner/LysAFUdG-Hw-cnn_vmc.pem)
--   [Entrust's VMC](https://www.entrustdatacard.com/-/media/certificate/Entrust%20VMC%20July%2014%202020.pem)
+- [CNN's VMC](https://amplify.valimail.com/bimi/time-warner/LysAFUdG-Hw-cnn_vmc.pem)
+- [Entrust's VMC](https://www.entrustdatacard.com/-/media/certificate/Entrust%20VMC%20July%2014%202020.pem)
 
 ### MTA-STS
 
@@ -517,8 +517,8 @@ const { policy, status } = await getPolicy(domain [, knownPolicy]);
 
 ##### Parameters
 
--   **domain** (`string`): The domain to retrieve the policy for.
--   **knownPolicy** (`object`, optional): Previously cached policy for the domain.
+- **domain** (`string`): The domain to retrieve the policy for.
+- **knownPolicy** (`object`, optional): Previously cached policy for the domain.
 
 ##### Example
 
@@ -539,11 +539,11 @@ if (policy.mode === 'enforce') {
 
 **Possible Status Values:**
 
--   `"not_found"`: No policy was found.
--   `"cached"`: Existing policy is still valid.
--   `"found"`: New or updated policy found.
--   `"renew"`: Existing policy is valid; renew cache.
--   `"errored"`: Policy discovery failed due to a temporary error.
+- `"not_found"`: No policy was found.
+- `"cached"`: Existing policy is still valid.
+- `"found"`: New or updated policy found.
+- `"renew"`: Existing policy is valid; renew cache.
+- `"errored"`: Policy discovery failed due to a temporary error.
 
 #### MX Validation
 
@@ -560,8 +560,8 @@ const validation = validateMx(mx, policy);
 
 ##### Parameters
 
--   **mx** (`string`): The resolved MX hostname.
--   **policy** (`object`): The MTA-STS policy object.
+- **mx** (`string`): The resolved MX hostname.
+- **policy** (`object`): The MTA-STS policy object.
 
 ##### Example
 
@@ -586,18 +586,18 @@ mailauth uses the following test suites:
 
 Based on the [OpenSPF test suite](http://www.openspf.org/Test_Suite), with some differences:
 
--   Less strict whitespace checks.
--   Some macro tests are skipped.
--   Some tests are skipped where the invalid component is after a matching part.
--   All other tests pass.
+- Less strict whitespace checks.
+- Some macro tests are skipped.
+- Some tests are skipped where the invalid component is after a matching part.
+- All other tests pass.
 
 ### ARC Test Suite from ValiMail
 
 Based on ValiMail's [arc_test_suite](https://github.com/ValiMail/arc_test_suite):
 
--   mailauth is less strict on header tags and casing.
--   Signing test suite is used for input; mailauth validates signatures and checks for the same `cv=` output.
--   All tests pass, aside from minor differences.
+- mailauth is less strict on header tags and casing.
+- Signing test suite is used for input; mailauth validates signatures and checks for the same `cv=` output.
+- All tests pass, aside from minor differences.
 
 ## License
 

package/cli.md

@@ -6,33 +6,32 @@ mailauth provides a command-line utility for email authentication, complementing
 
 ## Table of Contents
 
--   [Installation](#installation)
--   [Getting Help](#getting-help)
--   [Available Commands](#available-commands)
-    -   [`report`](#report) — Validate SPF, DKIM, DMARC, ARC, and BIMI
-    -   [`sign`](#sign) — Sign an email with DKIM
-    -   [`seal`](#seal) — Seal an email with ARC
-    -   [`spf`](#spf) — Validate SPF for an IP address and email address
-    -   [`vmc`](#vmc) — Validate BIMI VMC logo files
-    -   [`bodyhash`](#bodyhash) — Generate the body hash value for an email
-    -   [`license`](#license) — Display licenses for mailauth and included modules
--   [DNS Cache File](#dns-cache-file)
--   [License](#license)
+- [Installation](#installation)
+- [Getting Help](#getting-help)
+- [Available Commands](#available-commands)
+    - [`report`](#report) — Validate SPF, DKIM, DMARC, ARC, and BIMI
+    - [`sign`](#sign) — Sign an email with DKIM
+    - [`seal`](#seal) — Seal an email with ARC
+    - [`spf`](#spf) — Validate SPF for an IP address and email address
+    - [`vmc`](#vmc) — Validate BIMI VMC logo files
+    - [`bodyhash`](#bodyhash) — Generate the body hash value for an email
+    - [`license`](#license) — Display licenses for mailauth and included modules
+- [DNS Cache File](#dns-cache-file)
+- [License](#license)
 
 ## Installation
 
 Install the mailauth CLI by downloading the appropriate package for your platform or via npm:
 
--   **MacOS:**
-    -   [Intel processors](https://github.com/postalsys/mailauth/releases/latest/download/mailauth.pkg)
-    -   [Apple silicon](https://github.com/postalsys/mailauth/releases/latest/download/mailauth-arm.pkg)
--   **Linux:**
-    -   [Download mailauth.tar.gz](https://github.com/postalsys/mailauth/releases/latest/download/mailauth.tar.gz)
--   **Windows:**
-    -   [Download mailauth.exe](https://github.com/postalsys/mailauth/releases/latest/download/mailauth.exe)
--   **NPM Registry:**
-
-    -   Install globally using npm:
+- **MacOS:**
+    - [Intel processors](https://github.com/postalsys/mailauth/releases/latest/download/mailauth.pkg)
+    - [Apple silicon](https://github.com/postalsys/mailauth/releases/latest/download/mailauth-arm.pkg)
+- **Linux:**
+    - [Download mailauth.tar.gz](https://github.com/postalsys/mailauth/releases/latest/download/mailauth.tar.gz)
+- **Windows:**
+    - [Download mailauth.exe](https://github.com/postalsys/mailauth/releases/latest/download/mailauth.exe)
+- **NPM Registry:**
+    - Install globally using npm:
 
         ```bash
         npm install -g mailauth
@@ -72,18 +71,18 @@ The `report` command analyzes an email message and returns a JSON-formatted repo
 mailauth report [options] [email]
 ```
 
--   **email**: (Optional) Path to the EML-formatted email message file. If omitted, the email is read from standard input.
+- **email**: (Optional) Path to the EML-formatted email message file. If omitted, the email is read from standard input.
 
 #### Options
 
--   `--client-ip x.x.x.x`, `-i x.x.x.x`: IP address of the remote client that sent the email. If not provided, it's parsed from the latest `Received` header.
--   `--sender user@example.com`, `-f user@example.com`: Email address from the MAIL FROM command. If not provided, it's parsed from the latest `Return-Path` header.
--   `--helo hostname`, `-e hostname`: Hostname from the HELO/EHLO command. Used in some SPF validations.
--   `--mta hostname`, `-m hostname`: Hostname of the server performing validations. Defaults to the local hostname.
--   `--dns-cache /path/to/dns.json`, `-n /path/to/dns.json`: Path to a DNS cache file. When provided, DNS queries use cached responses.
--   `--verbose`, `-v`: Enables verbose output, displaying debugging information.
--   `--max-lookups number`, `-x number`: Sets the maximum number of DNS lookups for SPF checks. Defaults to `10`.
--   `--max-void-lookups number`, `-z number`: Sets the maximum number of void DNS lookups for SPF checks. Defaults to `2`.
+- `--client-ip x.x.x.x`, `-i x.x.x.x`: IP address of the remote client that sent the email. If not provided, it's parsed from the latest `Received` header.
+- `--sender user@example.com`, `-f user@example.com`: Email address from the MAIL FROM command. If not provided, it's parsed from the latest `Return-Path` header.
+- `--helo hostname`, `-e hostname`: Hostname from the HELO/EHLO command. Used in some SPF validations.
+- `--mta hostname`, `-m hostname`: Hostname of the server performing validations. Defaults to the local hostname.
+- `--dns-cache /path/to/dns.json`, `-n /path/to/dns.json`: Path to a DNS cache file. When provided, DNS queries use cached responses.
+- `--verbose`, `-v`: Enables verbose output, displaying debugging information.
+- `--max-lookups number`, `-x number`: Sets the maximum number of DNS lookups for SPF checks. Defaults to `10`.
+- `--max-void-lookups number`, `-z number`: Sets the maximum number of void DNS lookups for SPF checks. Defaults to `2`.
 
 #### Example
 
@@ -116,19 +115,19 @@ The `sign` command signs an email message using a DKIM signature.
 mailauth sign [options] [email]
 ```
 
--   **email**: (Optional) Path to the EML-formatted email message file. If omitted, the email is read from standard input.
+- **email**: (Optional) Path to the EML-formatted email message file. If omitted, the email is read from standard input.
 
 #### Options
 
--   `--private-key /path/to/private.key`, `-k /path/to/private.key`: Path to the private key used for signing.
--   `--domain example.com`, `-d example.com`: Domain name for the DKIM signature (`d=` tag).
--   `--selector selector`, `-s selector`: Selector for the DKIM key (`s=` tag).
--   `--algo algorithm`, `-a algorithm`: Signing algorithm (e.g., `rsa-sha256`). Defaults based on the private key type.
--   `--canonicalization method`, `-c method`: Canonicalization method (e.g., `relaxed/relaxed`). Defaults to `relaxed/relaxed`.
--   `--time timestamp`, `-t timestamp`: Signing time as a Unix timestamp (`t=` tag).
--   `--header-fields "field1:field2"`, `-h "field1:field2"`: Colon-separated list of header fields to include in the signature (`h=` tag).
--   `--body-length length`, `-l length`: Maximum length of the body to include in the signature (`l=` tag).
--   `--headers-only`, `-o`: Outputs only the DKIM signature headers without the entire message.
+- `--private-key /path/to/private.key`, `-k /path/to/private.key`: Path to the private key used for signing.
+- `--domain example.com`, `-d example.com`: Domain name for the DKIM signature (`d=` tag).
+- `--selector selector`, `-s selector`: Selector for the DKIM key (`s=` tag).
+- `--algo algorithm`, `-a algorithm`: Signing algorithm (e.g., `rsa-sha256`). Defaults based on the private key type.
+- `--canonicalization method`, `-c method`: Canonicalization method (e.g., `relaxed/relaxed`). Defaults to `relaxed/relaxed`.
+- `--time timestamp`, `-t timestamp`: Signing time as a Unix timestamp (`t=` tag).
+- `--header-fields "field1:field2"`, `-h "field1:field2"`: Colon-separated list of header fields to include in the signature (`h=` tag).
+- `--body-length length`, `-l length`: Maximum length of the body to include in the signature (`l=` tag).
+- `--headers-only`, `-o`: Outputs only the DKIM signature headers without the entire message.
 
 #### Example
 
@@ -161,28 +160,28 @@ The `seal` command adds an ARC (Authenticated Received Chain) seal to an email m
 mailauth seal [options] [email]
 ```
 
--   **email**: (Optional) Path to the EML-formatted email message file. If omitted, the email is read from standard input.
+- **email**: (Optional) Path to the EML-formatted email message file. If omitted, the email is read from standard input.
 
 #### Options
 
 **Sealing Options:**
 
--   `--private-key /path/to/private.key`, `-k /path/to/private.key`: Path to the private key used for sealing.
--   `--domain example.com`, `-d example.com`: Domain name for the ARC seal (`d=` tag).
--   `--selector selector`, `-s selector`: Selector for the ARC key (`s=` tag).
--   `--algo algorithm`, `-a algorithm`: Sealing algorithm (e.g., `rsa-sha256`). Defaults based on the private key type.
--   `--time timestamp`, `-t timestamp`: Sealing time as a Unix timestamp (`t=` tag).
--   `--header-fields "field1:field2"`, `-h "field1:field2"`: Colon-separated list of header fields to include in the seal (`h=` tag).
--   `--headers-only`, `-o`: Outputs only the ARC seal headers without the entire message.
+- `--private-key /path/to/private.key`, `-k /path/to/private.key`: Path to the private key used for sealing.
+- `--domain example.com`, `-d example.com`: Domain name for the ARC seal (`d=` tag).
+- `--selector selector`, `-s selector`: Selector for the ARC key (`s=` tag).
+- `--algo algorithm`, `-a algorithm`: Sealing algorithm (e.g., `rsa-sha256`). Defaults based on the private key type.
+- `--time timestamp`, `-t timestamp`: Sealing time as a Unix timestamp (`t=` tag).
+- `--header-fields "field1:field2"`, `-h "field1:field2"`: Colon-separated list of header fields to include in the seal (`h=` tag).
+- `--headers-only`, `-o`: Outputs only the ARC seal headers without the entire message.
 
 **Authentication Options (from `report` command):**
 
--   `--client-ip x.x.x.x`, `-i x.x.x.x`: IP address of the remote client that sent the email.
--   `--sender user@example.com`, `-f user@example.com`: Email address from the MAIL FROM command.
--   `--helo hostname`, `-e hostname`: Hostname from the HELO/EHLO command.
--   `--mta hostname`, `-m hostname`: Hostname of the server performing validations.
--   `--dns-cache /path/to/dns.json`, `-n /path/to/dns.json`: Path to a DNS cache file.
--   `--verbose`, `-v`: Enables verbose output.
+- `--client-ip x.x.x.x`, `-i x.x.x.x`: IP address of the remote client that sent the email.
+- `--sender user@example.com`, `-f user@example.com`: Email address from the MAIL FROM command.
+- `--helo hostname`, `-e hostname`: Hostname from the HELO/EHLO command.
+- `--mta hostname`, `-m hostname`: Hostname of the server performing validations.
+- `--dns-cache /path/to/dns.json`, `-n /path/to/dns.json`: Path to a DNS cache file.
+- `--verbose`, `-v`: Enables verbose output.
 
 **Note:** The canonicalization method (`c=` tag) for ARC sealing is always `relaxed/relaxed` and cannot be changed.
 
@@ -219,15 +218,15 @@ mailauth spf [options]
 
 #### Options
 
--   `--sender user@example.com`, `-f user@example.com`: Email address from the MAIL FROM command. **Required.**
--   `--client-ip x.x.x.x`, `-i x.x.x.x`: IP address of the remote client that sent the email. **Required.**
--   `--helo hostname`, `-e hostname`: Hostname from the HELO/EHLO command.
--   `--mta hostname`, `-m hostname`: Hostname of the server performing the SPF check.
--   `--dns-cache /path/to/dns.json`, `-n /path/to/dns.json`: Path to a DNS cache file.
--   `--verbose`, `-v`: Enables verbose output.
--   `--headers-only`, `-o`: Outputs only the SPF authentication header.
--   `--max-lookups number`, `-x number`: Sets the maximum number of DNS lookups. Defaults to `10`.
--   `--max-void-lookups number`, `-z number`: Sets the maximum number of void DNS lookups. Defaults to `2`.
+- `--sender user@example.com`, `-f user@example.com`: Email address from the MAIL FROM command. **Required.**
+- `--client-ip x.x.x.x`, `-i x.x.x.x`: IP address of the remote client that sent the email. **Required.**
+- `--helo hostname`, `-e hostname`: Hostname from the HELO/EHLO command.
+- `--mta hostname`, `-m hostname`: Hostname of the server performing the SPF check.
+- `--dns-cache /path/to/dns.json`, `-n /path/to/dns.json`: Path to a DNS cache file.
+- `--verbose`, `-v`: Enables verbose output.
+- `--headers-only`, `-o`: Outputs only the SPF authentication header.
+- `--max-lookups number`, `-x number`: Sets the maximum number of DNS lookups. Defaults to `10`.
+- `--max-void-lookups number`, `-z number`: Sets the maximum number of void DNS lookups. Defaults to `2`.
 
 #### Example
 
@@ -263,9 +262,9 @@ mailauth vmc [options]
 
 #### Options
 
--   `--authority <url>`, `-a <url>`: URL of the VMC resource.
--   `--authorityPath <path>`, `-p <path>`: Path to a local VMC file, used to avoid network requests.
--   `--domain <domain>`, `-d <domain>`: Sender domain to validate against the certificate.
+- `--authority <url>`, `-a <url>`: URL of the VMC resource.
+- `--authorityPath <path>`, `-p <path>`: Path to a local VMC file, used to avoid network requests.
+- `--domain <domain>`, `-d <domain>`: Sender domain to validate against the certificate.
 
 #### Example
 
@@ -332,14 +331,14 @@ The `bodyhash` command computes the body hash value of an email message, which i
 mailauth bodyhash [options] [email]
 ```
 
--   **email**: (Optional) Path to the EML-formatted email message file. If omitted, the email is read from standard input.
+- **email**: (Optional) Path to the EML-formatted email message file. If omitted, the email is read from standard input.
 
 #### Options
 
--   `--algo algorithm`, `-a algorithm`: Hashing algorithm (e.g., `sha256`). Defaults to `sha256`. Can also specify DKIM-style algorithms (e.g., `rsa-sha256`).
--   `--canonicalization method`, `-c method`: Body canonicalization method (e.g., `relaxed`). Defaults to `relaxed`. Can use DKIM-style (e.g., `relaxed/relaxed`).
--   `--body-length length`, `-l length`: Maximum length of the body to hash (`l=` tag).
--   `--verbose`, `-v`: Enables verbose output.
+- `--algo algorithm`, `-a algorithm`: Hashing algorithm (e.g., `sha256`). Defaults to `sha256`. Can also specify DKIM-style algorithms (e.g., `rsa-sha256`).
+- `--canonicalization method`, `-c method`: Body canonicalization method (e.g., `relaxed`). Defaults to `relaxed`. Can use DKIM-style (e.g., `relaxed/relaxed`).
+- `--body-length length`, `-l length`: Maximum length of the body to hash (`l=` tag).
+- `--verbose`, `-v`: Enables verbose output.
 
 #### Example
 
@@ -390,8 +389,8 @@ The `--dns-cache` option allows you to use a JSON-formatted DNS cache file for t
 
 The DNS cache file is a JSON object where:
 
--   **Keys**: Fully qualified domain names (e.g., `"example.com"`).
--   **Values**: Objects with DNS record types as keys (e.g., `"TXT"`, `"MX"`) and their corresponding values.
+- **Keys**: Fully qualified domain names (e.g., `"example.com"`).
+- **Values**: Objects with DNS record types as keys (e.g., `"TXT"`, `"MX"`) and their corresponding values.
 
 **Example:**
 

package/eslint.config.js

@@ -0,0 +1,40 @@
+const prettierConfig = require('eslint-config-prettier');
+
+module.exports = [
+    {
+        ignores: ['node_modules/**', 'ee-dist/**', 'test/fixtures/**', 'examples/devel-*']
+    },
+    prettierConfig,
+    {
+        languageOptions: {
+            ecmaVersion: 2020,
+            sourceType: 'commonjs',
+            globals: {
+                BigInt: true,
+                console: 'readonly',
+                process: 'readonly',
+                Buffer: 'readonly',
+                __dirname: 'readonly',
+                __filename: 'readonly',
+                exports: 'writable',
+                module: 'writable',
+                require: 'readonly',
+                setTimeout: 'readonly',
+                setInterval: 'readonly',
+                clearTimeout: 'readonly',
+                clearInterval: 'readonly',
+                setImmediate: 'readonly',
+                clearImmediate: 'readonly'
+            }
+        },
+        rules: {
+            'no-await-in-loop': 0,
+            'require-atomic-updates': 0,
+            'no-unused-vars': ['error', { 
+                argsIgnorePattern: '^_',
+                caughtErrors: 'none'
+            }],
+            'no-console': 0
+        }
+    }
+];

package/lib/spf/index.js

@@ -19,7 +19,85 @@ const formatHeaders = result => {
     return libmime.foldLines(header, 160);
 };
 
-// DNS resolver method
+/**
+ * Dual-stack DNS resolver for SPF A/AAAA mechanism queries
+ *
+ * When evaluating A or AAAA mechanisms, both record types should be considered
+ * to determine if a lookup is "void" (empty). This prevents incorrectly counting
+ * IPv4-only or IPv6-only hosts as void lookups.
+ *
+ * Behavior:
+ * - Queries both A and AAAA records in parallel (optimization)
+ * - Only counts as void if BOTH A and AAAA return ENOTFOUND/ENODATA
+ * - Real errors (ETIMEOUT, EREFUSED) for the client's IP type are propagated
+ * - Returns only the records matching the client's IP type (IPv4 → A, IPv6 → AAAA)
+ *
+ * Example: IPv6 client checking an IPv4-only host
+ *   - A query returns: 192.0.2.1
+ *   - AAAA query returns: ENODATA (empty)
+ *   - Result: Returns empty AAAA array (no match), but does NOT count as void
+ *
+ * @param {Function} resolver - Base DNS resolver function
+ * @param {String} domain - Domain to query
+ * @param {Object} opts - Options object with clientIpType (4 or 6)
+ * @returns {Promise<Array>} - Array of IP addresses matching client type
+ * @throws {Error} - Throws on real DNS errors or when both A and AAAA are void
+ */
+let dualStackResolver = async (resolver, domain, opts) => {
+    const isIPv6 = opts.clientIpType === 6;
+
+    // Query both A and AAAA records in parallel for efficiency
+    const [aResult, aaaaResult] = await Promise.allSettled([resolver(domain, 'A'), resolver(domain, 'AAAA')]);
+
+    // Extract successful records and error details
+    const aRecords = aResult.status === 'fulfilled' ? aResult.value : [];
+    const aError = aResult.status === 'rejected' ? aResult.reason : null;
+
+    const aaaaRecords = aaaaResult.status === 'fulfilled' ? aaaaResult.value : [];
+    const aaaaError = aaaaResult.status === 'rejected' ? aaaaResult.reason : null;
+
+    // Classify errors: void (no records exist) vs real (DNS server error)
+    // Void errors: ENOTFOUND (no such domain), ENODATA (domain exists but no records)
+    const aIsVoid = aError && (aError.code === 'ENOTFOUND' || aError.code === 'ENODATA');
+    const aaaaIsVoid = aaaaError && (aaaaError.code === 'ENOTFOUND' || aaaaError.code === 'ENODATA');
+
+    // Propagate real DNS errors for the record type matching the client's IP family
+    // IPv6 client: throw AAAA errors (except void), ignore A errors
+    if (isIPv6 && aaaaError && !aaaaIsVoid) {
+        throw aaaaError;
+    }
+    // IPv4 client: throw A errors (except void), ignore AAAA errors
+    if (!isIPv6 && aError && !aIsVoid) {
+        throw aError;
+    }
+
+    // Only throw void error if BOTH record types are void
+    // This prevents single-stack hosts from being counted as void lookups
+    if (aIsVoid && aaaaIsVoid) {
+        // Prefer the error matching client IP type for better error messages
+        let voidError = isIPv6 ? aaaaError || aError : aError || aaaaError;
+        throw voidError;
+    }
+
+    // Return only the records matching the client's IP type
+    // Empty arrays are valid (host exists but doesn't match client IP type)
+    return isIPv6 ? aaaaRecords : aRecords;
+};
+
+/**
+ * Creates a rate-limited DNS resolver with SPF-specific constraints
+ *
+ * SPF evaluation must enforce limits to prevent DoS:
+ * - Maximum 10 DNS lookups per SPF check (mechanisms that trigger DNS: a, mx, ptr, exists, include, redirect)
+ * - Maximum 2 "void" lookups (queries returning no records)
+ * Mailauth allows to configure both if different limits are required.
+ *
+ * @param {Function} resolver - Base DNS resolver function (e.g., dns.promises.resolve)
+ * @param {Number} maxResolveCount - Maximum DNS lookups allowed (default: 10)
+ * @param {Number} maxVoidCount - Maximum void lookups allowed (default: 2)
+ * @param {Boolean} ignoreFirst - If true, don't count the first DNS lookup (used for initial TXT record fetch)
+ * @returns {Function} - Rate-limited resolver function with signature: (domain, type, opts) => Promise<Array>
+ */
 let limitedResolver = (resolver, maxResolveCount, maxVoidCount, ignoreFirst) => {
     let resolveCount = 0;
     let voidCount = 0;
@@ -30,15 +108,16 @@ let limitedResolver = (resolver, maxResolveCount, maxVoidCount, ignoreFirst) =>
     maxResolveCount = maxResolveCount || MAX_RESOLVE_COUNT;
     maxVoidCount = maxVoidCount || MAX_VOID_COUNT;
 
-    let resolverFunc = async (domain, type) => {
-        // do not allow to make more that MAX_RESOLVE_COUNT DNS requests per SPF check
-
+    let resolverFunc = async (domain, type, opts) => {
+        // Increment DNS lookup counter
+        // Note: Dual-stack queries (A+AAAA) still count as 1 lookup
         if (firstCounted) {
             resolveCount++;
         } else {
             firstCounted = true;
         }
 
+        // Enforce maximum DNS lookup limit
         if (resolveCount > maxResolveCount) {
             let error = new Error('Too many DNS requests');
             error.spfResult = {
@@ -48,8 +127,9 @@ let limitedResolver = (resolver, maxResolveCount, maxVoidCount, ignoreFirst) =>
             throw error;
         }
 
+        // Validate domain name format before querying
+        // This is a lenient check to pass test suites and prevent obvious invalid queries
         try {
-            // domain check is pretty lax, mostly to pass the test suite
             if (!/^([\x20-\x2D\x2f-\x7e]+\.)+[a-z]+[a-z\-0-9]*$/i.test(domain)) {
                 throw new Error('Failed to validate domain');
             }
@@ -61,13 +141,24 @@ let limitedResolver = (resolver, maxResolveCount, maxVoidCount, ignoreFirst) =>
             throw err;
         }
 
+        // Execute DNS query with dual-stack optimization for A/AAAA queries
         try {
-            let result = await resolver(domain, type);
-            return result;
+            // Use dual-stack resolver when:
+            // 1. Query type is A or AAAA (address lookups)
+            // 2. Client IP type is provided (4 for IPv4, 6 for IPv6)
+            // This prevents single-stack hosts from being counted as void lookups
+            if (opts?.clientIpType && (type === 'A' || type === 'AAAA')) {
+                return await dualStackResolver(resolver, domain, opts);
+            } else {
+                // Standard single-query resolution for other record types (TXT, MX, PTR, etc.) and A if no client info provided.
+                return await resolver(domain, type);
+            }
         } catch (err) {
             switch (err.code) {
-                case 'ENOTFOUND':
+                case 'ENOTFOUND': // Domain does not exist
                 case 'ENODATA': {
+                    // Domain exists but has no records of this type
+                    // Increment void lookup counter
                     voidCount++;
                     if (voidCount > maxVoidCount) {
                         err.spfResult = {
@@ -76,10 +167,12 @@ let limitedResolver = (resolver, maxResolveCount, maxVoidCount, ignoreFirst) =>
                         };
                         throw err;
                     }
+                    // Return empty array to continue SPF evaluation
                     return [];
                 }
 
                 case 'ETIMEOUT':
+                    // DNS server timeout - temporary error
                     err.spfResult = {
                         error: 'temperror',
                         text: 'DNS timeout'
@@ -87,6 +180,7 @@ let limitedResolver = (resolver, maxResolveCount, maxVoidCount, ignoreFirst) =>
                     throw err;
 
                 case 'EREFUSED':
+                    // DNS server refused query - temporary error
                     err.spfResult = {
                         error: 'temperror',
                         text: `DNS request refused by server when resolving ${domain}`
@@ -94,6 +188,7 @@ let limitedResolver = (resolver, maxResolveCount, maxVoidCount, ignoreFirst) =>
                     throw err;
 
                 default:
+                    // Unknown error - propagate as-is
                     throw err;
             }
         }

package/lib/spf/spf-verify.js

@@ -336,7 +336,9 @@ const spfVerify = async (domain, opts) => {
                             // ignore punycode conversion errors
                         }
 
-                        let responses = await resolver(a, net.isIPv6(opts.ip) ? 'AAAA' : 'A');
+                        // Query A or AAAA based on client IP type, with dual-stack void optimization
+                        // Pass clientIpType to enable smart void counting (see dualStackResolver in index.js)
+                        let responses = await resolver(a, net.isIPv6(opts.ip) ? 'AAAA' : 'A', { clientIpType: net.isIPv6(opts.ip) ? 6 : 4 });
                         if (responses) {
                             for (let ip of responses) {
                                 if (matchIp(addr, ip + cidr)) {
@@ -352,6 +354,8 @@ const spfVerify = async (domain, opts) => {
                         let { domain: mxDomain, cidr4, cidr6 } = parseCidrValue(val, domain, type);
                         let cidr = net.isIPv6(opts.ip) ? cidr6 : cidr4;
 
+                        mxDomain = macro(mxDomain, opts);
+
                         try {
                             mxDomain = punycode.toASCII(mxDomain);
                         } catch (err) {
@@ -360,13 +364,18 @@ const spfVerify = async (domain, opts) => {
 
                         let mxList = await resolver(mxDomain, 'MX');
                         if (mxList) {
-                            // MX resolver has separate counter
+                            // MX mechanism uses a separate resolver with independent DNS lookup counter
+                            // This prevents MX A/AAAA lookups from consuming the main query limit
                             let subResolver = typeof opts.createSubResolver === 'function' ? opts.createSubResolver() : resolver;
                             try {
                                 mxList = mxList.sort((a, b) => a.priority - b.priority);
                                 for (let mx of mxList) {
                                     if (mx.exchange) {
-                                        let responses = await subResolver(mx.exchange, net.isIPv6(opts.ip) ? 'AAAA' : 'A');
+                                        // Query A or AAAA for each MX host, with dual-stack void optimization
+                                        // Pass clientIpType to enable smart void counting (see dualStackResolver in index.js)
+                                        let responses = await subResolver(mx.exchange, net.isIPv6(opts.ip) ? 'AAAA' : 'A', {
+                                            clientIpType: net.isIPv6(opts.ip) ? 6 : 4
+                                        });
                                         if (responses) {
                                             for (let a of responses) {
                                                 if (matchIp(addr, a + cidr)) {

package/package.json

@@ -1,10 +1,11 @@
 {
     "name": "mailauth",
-    "version": "4.9.4",
+    "version": "4.10.0",
     "description": "Email authentication library for Node.js",
     "main": "lib/mailauth.js",
     "scripts": {
         "test": "eslint \"lib/**/*.js\" \"test/**/*.js\" && mocha --recursive \"./test/**/*.js\" --reporter spec",
+        "format": "prettier --write .",
         "build-source": "rm -rf node_modules package-lock.json && npm install && npm run licenses && rm -rf node_modules package-lock.json && npm install --production && rm -rf package-lock.json",
         "build-dist": "npx pkg --compress Brotli package.json && rm -rf package-lock.json && npm install && node winconf.js",
         "build-dist-fast": "pkg --debug package.json && npm install && node winconf.js",
@@ -33,14 +34,15 @@
     "homepage": "https://github.com/postalsys/mailauth",
     "devDependencies": {
         "chai": "4.4.1",
-        "eslint": "8.56.0",
+        "eslint": "9.38.0",
         "eslint-config-nodemailer": "1.2.0",
-        "eslint-config-prettier": "9.1.0",
+        "eslint-config-prettier": "10.1.8",
         "js-yaml": "4.1.0",
-        "license-report": "6.8.0",
+        "license-report": "6.8.1",
         "mbox-reader": "1.2.0",
-        "mocha": "11.7.2",
-        "resedit": "^2.0.3"
+        "mocha": "11.7.4",
+        "prettier": "^3.6.2",
+        "resedit": "^3.0.0"
     },
     "dependencies": {
         "@postalsys/vmc": "1.1.2",
@@ -48,10 +50,10 @@
         "ipaddr.js": "2.2.0",
         "joi": "18.0.1",
         "libmime": "5.3.7",
-        "nodemailer": "7.0.6",
+        "nodemailer": "7.0.10",
         "punycode.js": "2.3.1",
-        "tldts": "7.0.12",
-        "undici": "7.15.0",
+        "tldts": "7.0.17",
+        "undici": "7.16.0",
         "yargs": "17.7.2"
     },
     "engines": {

package/release-please-config.json

@@ -0,0 +1,9 @@
+{
+    "packages": {
+        ".": {
+            "release-type": "node",
+            "package-name": "mailauth",
+            "pull-request-title-pattern": "chore${scope}: release ${version} [skip-ci]"
+        }
+    }
+}