Add more complete checks, primarily useful for parked domains: null MX, implicit A fallback, and DKIM overrides #152
Description
Summary
Add more complete checks, primarily useful for parked domains:
- Null MX
- Implicit A fallback
- DKIM overrides
patch: 0001-More-complete-checks-primarily-useful-for-parked-dom.patch
Null MX (RFC 7505)
Long-recommended for parked domains. Helps prevent security issues with implicit A record fallback.
RFC 7505 ("A 'Null MX' No Service Resource Record for Domains That Accept No Mail"): "To indicate that a domain does not accept email, it advertises a single MX RR with an RDATA section consisting of preference number 0 and a zero-length label, written in master files as '.', as the exchange domain, to denote that there exists no mail exchanger for a domain."
Implicit A fallback when no MX exists (RFC 5321)
RFC 5321("Simple Mail Transfer Protocol") sec 5.1: "If an empty list of MXs is returned, the address is treated as if it was associated with an implicit MX RR, with a preference of 0, pointing to that host."
Attempt SMTP tests to fall-back A record[s] of domains lacking MX records. It is common for parked or unmaintained domains to lack an MX record, yet have A records to web hosting, primarily for redirects. Test the A records for SMTP to aid in determination as candidate for setting null MX record. That is, if a domain has no MX record, but it has an A record, and that A record host does not respond to SMTP checks, it would be prudent to set a null MX record for the domain. If the A record does respond to SMTP, that should be investigated, because in the year 2025 that's rarely done intentionally. Helps highlight potential security issues with mail delivery to unauthorized hosts.
DKIM overrides
Best practices for parked email domains includes overriding DKIM selectors by publishing an empty public key to "*._domainkey.<domain>". Test by querying TXT "<25-character random string>._domainkey.<domain>" for value "v=DKIM1; p="