T13nn3s / Invoke-SpfDkimDmarc

PowerShell Module for checking SPF, DKIM and DMARC-record.
https://binsec.nl/powershell-script-for-spf-dmarc-and-dkim-validation/
MIT License

Get-DMARCRecord potentially gives back incorrect result #19

Closed gavsto closed 1 year ago

gavsto commented 2 years ago

I've actually been writing a similar project elsewhere and a friend linked me to yours.

On Line 53 you are doing a regex switch for p=reject. Unfortunately, sp=reject is also a valid tag so your switch can potentially trigger even if DMARC is not set to reject. Just thought I'd let you know.

T13nn3s commented 2 years ago

The p= tag is active for the top-level domain and also for the subdomains unless the sp= tag is specified. The sp= tag is active only for the subdomains. I agree that, at the top level, the p= tag can be on reject, and that the script gives a secure DMARC-record output, while the policy for the subdomain may be configured to none, which is insecure. I will write an update to the script to validate the sp= tag separately from the p= tag.

T13nn3s commented 1 year ago

Fixed in version 1.5.2
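
The mismatch discussed in this thread, as an added example that is not part of the issue and is not the module's code or its 1.5.2 fix: an unanchored `p=reject` pattern is compared with an anchored one and with a tag parser that reads `p=` and `sp=` separately. The function name `Get-DmarcPolicyTag`, the exact patterns and the sample records are assumptions constructed for illustration.

```powershell
# Added illustration. Get-DmarcPolicyTag is a hypothetical helper, not part of Invoke-SpfDkimDmarc.
function Get-DmarcPolicyTag {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Record
    )

    # A DMARC record is a ';'-separated list of tag=value pairs.
    $tags = @{}
    foreach ($pair in ($Record -split ';')) {
        $name, $value = $pair -split '=', 2
        if ($null -eq $value) { continue }          # empty or malformed segment
        $name = $name.Trim().ToLowerInvariant()
        if (-not $tags.ContainsKey($name)) {        # keep the first occurrence of a tag
            $tags[$name] = $value.Trim().ToLowerInvariant()
        }
    }

    $p = $tags['p']
    # Subdomains inherit p= unless sp= is specified.
    $sp = if ($tags.ContainsKey('sp')) { $tags['sp'] } else { $p }

    [pscustomobject]@{
        Policy          = $p
        SubdomainPolicy = $sp
    }
}

# Constructed sample records (example.com is a placeholder domain).
$samples = @(
    'v=DMARC1; p=none; sp=reject; rua=mailto:dmarc@example.com',
    'v=DMARC1; p=reject; sp=none',
    'v=DMARC1; p=reject'
)

foreach ($record in $samples) {
    $parsed = Get-DmarcPolicyTag -Record $record
    [pscustomobject]@{
        Record          = $record
        # Unanchored pattern: the substring "p=reject" also occurs inside "sp=reject".
        NaiveMatch      = $record -match 'p=reject'
        # Anchored to the start of the record or a ';' separator, so only the p= tag counts.
        AnchoredMatch   = $record -match '(^|;)\s*p=reject'
        Policy          = $parsed.Policy
        SubdomainPolicy = $parsed.SubdomainPolicy
    }
}
```

Comparing `NaiveMatch` with `Policy` for the first record shows the false "reject" result reported in this issue; comparing `Policy` with `SubdomainPolicy` for the second shows the weaker subdomain policy the maintainer describes.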