
Releases: domainaware/checkdmarc

5.17.1

17 Jun 13:27


What's Changed

  • Accept uppercase SPF macro letters (e.g. %{S}), which are valid per RFC 7208 §7.3, by @gaoflow in #257


Full Changelog: 5.17.0...5.17.1

5.17.0

08 Jun 20:58


Full Changelog: 5.16.2...5.17.0

5.16.2

21 May 00:06
e41b5bc


Changes

  • BIMI: forbidden x/y attributes on the root <svg> element are now
    actually rejected. get_svg_metadata was reading the wrong xmltodict
    keys, so the existing rejection in check_svg_requirements never fired
    on real SVGs. The metadata also lost the y value to a typo that
    clobbered metadata["x"].
  • DNSSEC: narrowed three broad except Exception clauses to specific
    exception types (dns.exception.DNSException, OSError, EOFError)
    so programming errors propagate instead of being silently swallowed.

5.16.1

20 May 21:04
0fb62ac


Changes

  • Simplify the warning emitted for pct/rf/ri to just "Support for
    the {tag} tag was removed in RFC 9989".

5.16.0

20 May 20:52
aef0d10


Changes

  • Rename DMARCbis references to RFC 9989
  • In compliance with RFC 9989, treat a missing DMARC p tag as p=none instead of requiring it
    • Instead, a warning is raised that older versions of DMARC require it
  • DMARC: the pct, rf, and ri tags are removed in RFC 9989. They are no
    longer implicitly added to parsed results, are no longer strictly validated
    (invalid values that previously raised now just warn), and explicit use
    emits a "removed in RFC 9989" warning. Pre-9989 readers may still honor
    them, so the value is left intact for those consumers.
  • DMARC: unknown tags are now ignored with a warning instead of raising
    InvalidDMARCTag, per RFC 9989 ("Unknown tags MUST be ignored").
  • DMARC: the order constraint that p must immediately follow v is now a
    warning rather than a hard syntax error. RFC 9989 permits any tag ordering
    after v; older RFC 7489 readers may still expect p second.
  • DMARC: the !size suffix on rua/ruf URIs is now flagged as obsolete
    syntax (RFC 9989 says reporters MUST ignore it). The warning still fires
    because pre-9989 readers may still honor it.
  • DMARC: the RFC 9989 tree walk now continues all the way to single-label
    parents (TLDs). PSD operators publish their policy at e.g. _dmarc.gov
    with psd=y, and the previous "don't query TLDs" short-circuit prevented
    PSD discovery (the main reason RFC 9989 added the tree walk).
  • DMARC: during the tree walk, parent queries no longer trigger the
    apex-fallback "wrong-location" check. A stray v=DMARC1 at a parent
    domain's apex used to spuriously abort the walk with
    DMARCRecordInWrongLocation; that check is now only applied to the
    originally requested name.
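The RFC 9989 tag-handling rules listed above (missing p treated as p=none, unknown tags ignored with a warning, pct/rf/ri kept but flagged as removed, p ordering downgraded to a warning, !size flagged as obsolete), shown in a minimal DMARC tag parser written for this page; it is an added example, not checkdmarc's own parser, and the tag set and warning wording are assumptions.

```python
from typing import Dict, List, Tuple

REMOVED_TAGS = {"pct", "rf", "ri"}  # removed by RFC 9989, still carried for older readers
KNOWN_TAGS = {"v", "p", "sp", "np", "adkim", "aspf", "fo", "rua", "ruf", "psd", "t"} | REMOVED_TAGS
POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (tags, warnings) for a DMARC TXT record; raise ValueError on hard errors."""
    tags: Dict[str, str] = {}
    warns: List[str] = []
    order: List[str] = []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = (s.strip() for s in part.split("=", 1))
        order.append(name)
        if name not in KNOWN_TAGS:
            # RFC 9989: unknown tags MUST be ignored (warn instead of raising)
            warns.append(f"Unknown tag {name} ignored")
            continue
        if name in REMOVED_TAGS:
            warns.append(f"Support for the {name} tag was removed in RFC 9989")
        tags[name] = value  # value left intact for pre-9989 consumers
    if not order or order[0] != "v" or tags.get("v") != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if "p" not in tags:
        tags["p"] = "none"  # RFC 9989 default; older DMARC versions required p
        warns.append("p tag missing; treated as p=none, but older DMARC versions require it")
    elif len(order) > 1 and order[1] != "p":
        warns.append("p does not immediately follow v; RFC 7489 readers may expect p second")
    if tags["p"] not in POLICIES:
        raise ValueError(f"invalid p value {tags['p']!r}")
    for uri_tag in ("rua", "ruf"):
        if uri_tag in tags:
            # mailto:addr!10m style size limits are obsolete; reporters MUST ignore them
            if any("!" in u for u in tags[uri_tag].split(",")):
                warns.append(f"!size suffix on {uri_tag} is obsolete under RFC 9989")
    return tags, warns
```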

5.15.5

20 May 19:14
0bcdfe2


Fixes

  • BIMI: stop masking MultipleBIMIRecords, UnrelatedTXTRecordFoundAtBIMI,
    and BIMIRecordInWrongLocation behind BIMIRecordNotFound. The
    apex-fallback handler also had a missing raise, so a record placed at
    the apex (instead of the _bimi selector) was silently treated as
    "not found" (#246).
  • BIMI: extend the grammar to accept the canonical lps= value
    format — a comma-separated list of local-part selectors per
    draft-bimi-14 § 4.3.14.
    The grammar previously only accepted values matching one of
    bimi1, an HTTPS URL, personal, or brand, so the canonical
    comma-separated form raised BIMISyntaxError. Also fix the parser
    to write the parsed selector list back to the tag value (#246).
  • DMARC: stop masking DMARCRecordInWrongLocation behind
    DMARCRecordNotFound in _query_dmarc_record's apex-fallback path (#248).
  • SMTP: the cache-write paths in test_tls and test_starttls used
    if cache:, which is falsy for an empty ExpiringDict. The first
    cache entry was silently dropped, so subsequent SMTP probes kept
    hitting the network (#244).
  • SPF: parse_spf_record's redirect handler used except DNSException as
    error:, shadowing the function-level error accumulator. Python
    deletes the name on except-block exit, so the trailing if error:
    raised UnboundLocalError (#247).
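The two Python pitfalls behind the SMTP cache fix (#244) and the SPF redirect fix (#247) above, each beside its corrected form. This is an added illustration, not checkdmarc's code; the ExpiringDict stand-in, the lookup stub and the function names are constructed for the example.

```python
import collections


class ExpiringDict(collections.OrderedDict):
    """Stand-in for the third-party ExpiringDict: a dict subclass, so an
    empty instance is falsy exactly like the real one."""


def cache_result_buggy(cache, key, value):
    # Pre-5.15.5 pattern: `if cache:` is False for an EMPTY dict, so the
    # first write is dropped and every later probe misses the cache again.
    if cache:
        cache[key] = value
    return cache is not None and key in cache


def cache_result_fixed(cache, key, value):
    # Test for the absence of a cache object, not for its emptiness.
    if cache is not None:
        cache[key] = value
    return cache is not None and key in cache


class DNSException(Exception):
    pass


def lookup(name):
    raise DNSException(f"constructed failure for {name}")  # always fails here


def redirect_buggy(domain):
    error = None  # function-level accumulator
    try:
        lookup(domain)
    except DNSException as error:  # shadows the accumulator ...
        pass  # ... and Python unbinds `error` when the except block exits
    if error:  # UnboundLocalError: the local name was deleted above
        return "error"
    return "ok"


def redirect_fixed(domain):
    error = None
    try:
        lookup(domain)
    except DNSException as exc:  # distinct name keeps the accumulator intact
        error = str(exc)
    if error:
        return "error"
    return "ok"
```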

Changes

  • Test suite reorganized from a single tests.py into per-module
    files under tests/. Network-dependent tests are paired with
    fully-mocked counterparts; CI runs the mocked branch, local runs
    the real-network branch.
  • Project test coverage raised from 67% to 96%; every module is now
    at ≥ 90%. Coverage and test results are uploaded to Codecov on
    each CI run.

5.15.4

07 May 02:05
8229622


Fixes

  • Stop reporting jurisdictionOfIncorporationStateOrProvinceName /
    jurisdictionOfIncorporationLocalityName as required when both are absent.
    Per VMC Requirements §7.1.4.2.2(j), entities incorporated at the country
    level (e.g. bbc.co.uk) MUST include only jurisdictionCountryName;
    state/province and locality MUST NOT be present. The same correction
    applies to the parallel statute* fields for Government Marks
    (§7.1.4.2.2(s)). The locality-level form is still validated:
    jurisdictionOfIncorporationLocalityName (and statuteLocalityName)
    now imply that their state/province counterpart must also be present
    (#242).
  • Deduplicate the bidirectional "either A or B" error so the
    localityName / stateOrProvinceName rule is reported once instead
    of twice when both fields are absent.

Changes

  • Warn when a BIMI SVG <title> element is a generator/template
    placeholder (e.g. bimi-svg-tiny-12-ps, Untitled). The title should
    be a descriptive name for the brand or mark.
  • Document that BIMI mark certificates are validated against the
    AuthIndicators Working Group's
    Minimum Security Requirements for Issuance of Mark Certificates.
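A stdlib SVG metadata extractor and requirement check covering the two BIMI points above: the 5.16.2 root-element x/y rejection (with each attribute read under its own key so no value gets clobbered) and the 5.15.4 placeholder <title> warning. Added example written for this page with ElementTree rather than xmltodict; it is not checkdmarc's get_svg_metadata or check_svg_requirements, and the placeholder title set and the baseProfile check are assumptions.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

SVG_NS = "{http://www.w3.org/2000/svg}"
FORBIDDEN_ROOT_ATTRS = ("x", "y")  # not permitted on the root <svg> of a BIMI logo
PLACEHOLDER_TITLES = {"bimi-svg-tiny-12-ps", "untitled"}  # constructed placeholder list


def get_svg_metadata(svg_text: str) -> Dict[str, Optional[str]]:
    """Parse an SVG document and return the root attributes BIMI cares about."""
    root = ET.fromstring(svg_text)
    if root.tag != f"{SVG_NS}svg":
        raise ValueError("root element is not <svg>")
    title_el = root.find(f"{SVG_NS}title")
    # One key per attribute: x and y are stored separately, so neither
    # assignment can overwrite the other.
    return {
        "width": root.get("width"),
        "height": root.get("height"),
        "viewBox": root.get("viewBox"),
        "baseProfile": root.get("baseProfile"),
        "x": root.get("x"),
        "y": root.get("y"),
        "title": (title_el.text or "").strip() if title_el is not None else None,
    }


def check_svg_requirements(meta: Dict[str, Optional[str]]) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) for metadata produced by get_svg_metadata."""
    errors: List[str] = []
    warnings: List[str] = []
    for attr in FORBIDDEN_ROOT_ATTRS:
        if meta.get(attr) is not None:  # present at all, even "0", is a failure
            errors.append(f"root <svg> must not carry the {attr} attribute")
    if meta.get("baseProfile") != "tiny-ps":  # SVG Tiny PS profile marker
        errors.append("baseProfile must be tiny-ps")
    title = meta.get("title")
    if not title:
        errors.append("missing <title> element")
    elif title.lower() in PLACEHOLDER_TITLES:
        warnings.append(f"title {title!r} looks like a generator/template placeholder")
    return errors, warnings
```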

5.15.3

02 May 21:22


Fixes

  • Display a warning if a BIMI image is provided without a VMC/CMC

5.15.2

23 Apr 02:53
55cbf7b


Changes

  • Cap the per-query UDP timeout at min(1.0, timeout) for single-nameserver
    configurations as well as multi-nameserver ones. Previously, when only one
    nameserver was configured (or the system default list had a single entry),
    resolver.timeout and resolver.lifetime were both set to the full
    timeout budget, which collapses dnspython's UDP retry loop to a single
    attempt — a single dropped UDP datagram then consumed the whole lifetime
    and raised LifetimeTimeout, while dig (which defaults to +tries=3)
    would mask the same blip by retrying. dnspython now retries UDP within
    the lifetime window (~2 attempts at the default 2s budget), matching
    dig's behavior in spirit and eliminating spurious single-NS timeouts
    on paths with occasional packet loss.

5.15.1

23 Apr 02:21
4311a9b


Changes

  • Revert the 5.15.0 default of auto-configuring public nameservers
    (1.1.1.1, 8.8.8.8) when no nameservers are passed. When nameservers
    is None, checkdmarc now falls back to the system-configured resolvers
    again (/etc/resolv.conf on Linux/macOS, the OS resolver on Windows),
    matching the 5.14.x and earlier behavior. The auto-configured default would
    surprise users running split-horizon or internal DNS and broke workflows
    that previously relied on the system resolver.
  • Rename the exposed constant from DEFAULT_DNS_NAMESERVERS to
    RECOMMENDED_DNS_NAMESERVERS to reflect that it is an opt-in
    recommendation, not an automatic default. It is re-exported from the
    package root as checkdmarc.RECOMMENDED_DNS_NAMESERVERS so callers can
    easily opt in with
    check_domains(..., nameservers=RECOMMENDED_DNS_NAMESERVERS).
  • Documentation now calls out mixing public resolvers from different
    providers as a best practice for public-internet checks.