This is a Python library for the generation of email authentication headers.
The library can perform DKIM, SPF, and DMARC validation, and the results are packaged into the Authentication-Results header.
authenticate_message(message, "example.com", ip='192.168.50.81', mail_from="test.com", helo="domain.of.sender.net")
Authentication-Results: example.com; spf=none smtp.helo=domain.of.sender.net smtp.mailfrom=test.com;
dkim=pass header.d=valimail.com; dmarc=pass header.from=valimail.com
The library can DKIM and ARC sign messages and output the corresponding signature headers.
sign_message(msg, b"dummy", b"example.org", privkey, b"from:to:date:subject:mime-version:arc-authentication-results".split(b':'), sig='ARC', auth_res=auth_res, timestamp="12345")
ARC-Seal: i=1; cv=none; a=rsa-sha256; d=example.org; s=dummy; t=12345;
b=FWOEyeRJ8YiqKt9x9GaZF62z/iy9i2606XLlnLC+Mfzf+8M92eWPPb50Pa+9d1iMwVRVeE
8Rsdh6a7t+on2vLqBzFCuhA48AyQBVOMf4YgYKIxYbVHa5TD7GUOGSNCse8PGblJTcogmTL7
FhApk4DJZQkuE4EWrMRMpzfxG24l4=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=dummy; t=12345;
h=from : to : date : subject : mime-version : arc-authentication-results;
bh=KWSe46TZKCcDbH4klJPo+tjk5LWJnVRlP5pvjXFZYLQ=;
b=LNev0+5hTRq5x+38IWMxbyZBXxZS6Ddacbul1XE7lEBKDXxh9MUvdGvCqdDoSSlUmJyx/s
PLfucMfmftarx1xVIRPJeUrtuOZuUdQMPVpQcfQJ9pUfE1TG1KS4E2suCz3TF7uxu5OjaP21
mjquuQP5lQe2fsnwBjBgVFcsSAwPw=
ARC-Authentication-Results: i=1; lists.example.org; spf=pass [email protected];
dkim=pass (1024-bit key) [email protected]; dmarc=pass
DMARC uses the public suffix list (https://publicsuffix.org) to determine organizational boundaries. An embedded copy of the list is included in the package.
The PSL does not change rapidly. A setup.py extension is provided to download the current revision. This should be run prior to new package releases and may also be run prior to local package installation (if installing via setuptools from a local copy of the package):
$ python3 setup.py pslupdate
$ python3 setup.py install
Some operating systems offer a system copy of the PSL. When available, it should be used, since they are generally kept updated. As an example, in Debian GNU/Linux, prior to installation of this package, one would install the publicsuffix package and then update this package's configuration to use it instead:
$ sudo apt install publicsuffix
$ python3 setup.py psllocal --path='/usr/share/publicsuffix/public_suffix_list.dat'
$ python3 setup.py install
As of version 0.12, an optional policy flag (default is False) is provided for authenticate_message. If set, DMARC policy recommendations are included instead of the default raw DMARC result. Results are based on domain (or org domain) policy as modified by subdomain ('sp') policy or non-existent domain ('np') policy. The new 'np' tag is defined in RFC 9091.
As of version 0.15, a script to lookup DMARC policy for a domain is included.
By default, it uses RFC 7489's policy or organizational domain approach. It can also use the extended/updated RFC 9091 (PSD DMARC) and DMARCbis designs instead.
As of version 0.11, support for the experimental PSD DMARC extension is provided (See https://datatracker.ietf.org/doc/rfc9091/ for details). It is not enabled by default.
There are currently two operational sources of PSD DMARC participants (both at psddmarc.org). One is an IANA like registry which can be downloaded at package build time and used locally. It works in a manner similar to the PSL update option above:
$ python3 setup.py psddmarc
$ python3 setup.py install
If the registry file is not present, the alternative DNS lookup mechansin is used.
Both approaches are described at psddmarc.org.
As of version 0.15, support for the work in progress DMARCbis organizational domain and policy discovery methods is included (up to DMARCbis-29) is provided (See https://datatracker.ietf.org/doc/draft-ietf-dmarc-dmarcbis/ for details). It is not enbabled by default. It uses neither the PSL nor the PSD regsitry. It is enabled by the dmarcbis flag for authenticate_message (default is False).