else:
dmarcRecord['status'] = dmarc['valid']
searchpct = re.search(regex_pct, dmarc['record'])
if dmarc['record'].find('p=quarantine')==-1 and dmarc['record'].find('p=reject')==-1:
dmarcRecord['status'] = False
dmarcRecord['errors'] = ["dmarc policy should be set to p=quarantine or p=reject for BIMI to work"]
if searchpct and int(searchpct.group(0).split("=")[1]) != 100:
dmarcRecord['status'] = False
dmarcRecord['record'] = dmarc['record']
This section in CheckRecords is subtly wrong, the DMARC record must be enforcing, which means either a p=quarantine with an effective pct=100, or p=reject with any pct= value.
Additionally, I believe there is both a bug and an omission here
if dmarc['record'].find('p=quarantine')==-1 and dmarc['record'].find('p=reject')==-1:
We are not checking subdomain policy as required by the spec, and the find method call will match on those policies, such that a sp=reject policy will be matched by the .find('p=reject') search.
We also assume that records are properly formatted as lowercase, there are some in the wild which are not.
For example, "v=DMARC1; P=none; sp=reject;"
Personally, I dislike using regex to parse records with structure, matches can happen in unexpected places.
I don't see any code to check DMARC at the org domain level, do we do that?