pepipost / bimi-official Goto Github PK

It has been mentioned that the BIMI Inspector tool on the bimigroup.org website (https://bimigroup.org/bimi-generator/) may be flagging condition that shouldn’t be flagged.

Sample domain - response.talktalkbusiness.co.uk

Results include the following text:

VMC Certificate File Issues You Need To Fix

Warning: The X.509 certificate provided is not valid for the purposes of client auth, server auth

The language about the cert not being valid for client auth, server auth was confusing.

It was also noted that this domain had some SVG image issues which were noted by the BIMI Inspector, but no one knew whether or not the SVG image issues triggered the report of VMC issues.

        else:
            dmarcRecord['status'] = dmarc['valid']
            searchpct = re.search(regex_pct, dmarc['record'])
            if dmarc['record'].find('p=quarantine')==-1 and dmarc['record'].find('p=reject')==-1:
                dmarcRecord['status'] = False
                dmarcRecord['errors'] = ["dmarc policy should be set to p=quarantine or p=reject for BIMI to work"]
            if searchpct and int(searchpct.group(0).split("=")[1]) != 100:
                dmarcRecord['status'] = False
            dmarcRecord['record'] = dmarc['record']

This section in CheckRecords is subtly wrong, the DMARC record must be enforcing, which means either a p=quarantine with an effective pct=100, or p=reject with any pct= value.

Additionally, I believe there is both a bug and an omission here

if dmarc['record'].find('p=quarantine')==-1 and dmarc['record'].find('p=reject')==-1:

We are not checking subdomain policy as required by the spec, and the find method call will match on those policies, such that a sp=reject policy will be matched by the .find('p=reject') search.

We also assume that records are properly formatted as lowercase, there are some in the wild which are not.

For example, "v=DMARC1; P=none; sp=reject;"

Personally, I dislike using regex to parse records with structure, matches can happen in unexpected places.

I don't see any code to check DMARC at the org domain level, do we do that?

        regex_cert = r"v=BIMI1;(?=.*(l=((.*):\/\/(.*.svg|.*.SVG)))\b)(?=.*(a=((.*):\/\/(.*.pem|.*.PEM)))\b).*(;$| |$)"
        regex_without_cert = r"v=BIMI1;(|\s+)l=((.*):\/\/(.*.svg|.*.SVG))(;| |).*"

.pem is not a required extension, I have also seen these extensions capitalized as Svg in the wild, which would fail the regex.

The tld extract module supports lookups against the PSL, however this isn't enabled by default.
Using the PSL is (I believe) the primary method MBPs use to determine organizational domains, so using this would more closely align with how MBPs behave.