octodns.zone.mail
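Classes

| Class | Description |
| --- | --- |
| MailZoneValidator | Comprehensive best-practice validator for mail records (MX, SPF, DMARC). |
| MxTargetNotCnameZoneValidator | Checks that MX records do not point to exchanges that are CNAMEs within the same zone. |
| MxTargetResolvableInZoneZoneValidator | Checks that MX exchanges pointing to targets within the same zone have corresponding address records. |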
- class octodns.zone.mail.MailZoneValidator(id, mode='auto', sets=None)
Bases: ZoneValidator
Comprehensive best-practice validator for mail records (MX, SPF, DMARC).
Can operate in two modes: ‘mail’ and ‘no-mail’. In ‘auto’ mode (default), it detects the apex mode based on the presence of an apex MX record or an apex SPF record. If neither is present, it is a no-op for the apex (a lone DMARC record is not treated as a mail-mode signal). Mode is determined MX-first: if an apex MX record exists, Null MX (0 .) means ‘no-mail’, any other MX means ‘mail’. If there is no apex MX, strict SPF ‘v=spf1 -all’ at the apex means ‘no-mail’; any other SPF means ‘mail’. DMARC policy (p=) is never used for mode detection because p=reject is the recommended best practice for domains that DO send mail (RFC 7489) and therefore cannot discriminate between mail and no-mail zones.
Every non-apex sub-domain that has MX records is also validated (redundancy + SPF). In ‘auto’ mode each sub-domain’s mode is detected independently: null MX → ‘no-mail’, otherwise → ‘mail’. In explicit ‘mail’ or ‘no-mail’ mode, the configured mode propagates to sub-domains.
‘mail’ mode enforces:
  - Multiple MX records for redundancy (at apex and throughout the zone).
  - Presence of an SPF record at the apex.
  - SPF record terminates with ~all or -all.
  - Presence of a DMARC record at _dmarc.
  - Each sub-domain with MX has an SPF record terminating with ~all or -all.
‘no-mail’ mode enforces:
  - Presence of a single Null MX record (0 .) at the apex.
  - SPF record at the apex is exactly ‘v=spf1 -all’.
  - DMARC record at _dmarc has p=reject.
  - Each sub-domain with MX has a single Null MX (0 .) and strict SPF ‘v=spf1 -all’.
DMARC is not required at the sub-domain level because it inherits from the parent zone per RFC 7489 §6.6.3.
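The MX-first mode detection and the apex rules above, restated as a standalone sketch. This is an added example, not octoDNS code or its API: the function names, the input shapes (MX as (preference, exchange) tuples, SPF and DMARC as TXT strings or None), the finding labels and the handling of a Null MX mixed with other MX values are all assumptions.

```python
# Added illustration, not octoDNS code. Input shapes are assumptions:
# mx is a list of (preference, exchange) tuples; spf/dmarc are TXT strings or None.
NULL_MX = (0, ".")
STRICT_SPF = "v=spf1 -all"


def detect_mode(mx, spf):
    """MX-first detection; DMARC is deliberately never consulted."""
    if mx:
        # Assumption: any Null MX value in the set selects 'no-mail'.
        return "no-mail" if NULL_MX in mx else "mail"
    if spf is not None:
        return "no-mail" if spf.strip() == STRICT_SPF else "mail"
    return None  # neither apex MX nor apex SPF: no-op


def dmarc_policy(dmarc):
    """Return the p= tag value so that sp=reject is not mistaken for p=reject."""
    tags = dict(t.strip().split("=", 1) for t in (dmarc or "").split(";") if "=" in t)
    return tags.get("p", "").strip().lower()


def check_apex(mx, spf, dmarc, mode="auto"):
    """Return the list of findings for the apex under the documented rules."""
    if mode == "auto":
        mode = detect_mode(mx, spf)
    issues = []
    if mode == "mail":
        if len(mx) < 2:
            issues.append("mx-redundancy")
        if spf is None:
            issues.append("spf-missing")
        elif not spf.rstrip().endswith(("~all", "-all")):
            issues.append("spf-terminator")
        if dmarc is None:
            issues.append("dmarc-missing")
    elif mode == "no-mail":
        if mx != [NULL_MX]:
            issues.append("null-mx")
        if spf is None or spf.strip() != STRICT_SPF:
            issues.append("spf-not-strict")
        if dmarc_policy(dmarc) != "reject":
            issues.append("dmarc-not-reject")
    return issues


# Constructed sample: a parked domain with strict SPF and p=reject but a leftover real MX.
PARKED = dict(mx=[(10, "mx.example.net.")], spf="v=spf1 -all", dmarc="v=DMARC1; p=reject")
```

With the constructed PARKED input, auto detection selects 'mail' because the MX record is consulted before SPF, so only the redundancy finding is raised; passing mode="no-mail" explicitly is what surfaces the stray MX.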
- class octodns.zone.mail.MxTargetNotCnameZoneValidator(id, sets=None)
Bases: ZoneValidator
Checks that MX records do not point to exchanges that are CNAMEs within the same zone. Per RFC 2181 §10.3, the MX exchange must be a name with A/AAAA records, not a CNAME alias.
- class octodns.zone.mail.MxTargetResolvableInZoneZoneValidator(id, sets=None)
Bases: ZoneValidator
Checks that MX exchanges pointing to targets within the same zone have corresponding address records.