From 8769514f1c65f3c85bdfd934dea67270349677e2 Mon Sep 17 00:00:00 2001
From: Pierre-Olivier Mercier
Date: Tue, 28 Oct 2025 11:05:33 +0700
Subject: [PATCH] Don't deduce point on weak SPF all qualifier, when DMARC is configured
---
 pkg/analyzer/dns_spf.go | 16 ++++++++++++++--
 web/src/lib/components/DnsRecordsCard.svelte | 2 +-
 web/src/lib/components/SpfRecordsDisplay.svelte | 17 ++++++++++++++---
 3 files changed, 29 insertions(+), 6 deletions(-)
diff --git a/pkg/analyzer/dns_spf.go b/pkg/analyzer/dns_spf.go
index bc7a1be..4d8401a 100644
--- a/pkg/analyzer/dns_spf.go
+++ b/pkg/analyzer/dns_spf.go
@@ -242,6 +242,12 @@ func (d *DNSAnalyzer) calculateSPFScore(results *api.DNSResults) (score int) {
 // Full points for valid SPF
 score += 75
+ // Check if DMARC is configured with strict policy as all mechanism is less significant
+ dmarcStrict := results.DmarcRecord != nil &&
+ results.DmarcRecord.Valid && results.DmarcRecord.Policy != nil &&
+ (*results.DmarcRecord.Policy == "quarantine" ||
+ *results.DmarcRecord.Policy == "reject")
+
 // Deduct points based on the all mechanism qualifier
 if mainSPF.AllQualifier != nil {
 switch *mainSPF.AllQualifier {
@@ -249,10 +255,16 @@ func (d *DNSAnalyzer) calculateSPFScore(results *api.DNSResults) (score int) {
 // Strict fail - no deduction, this is the recommended policy
 score += 25
 case "~":
- // Softfail - moderate penalty
+ // Softfail - if DMARC is quarantine or reject, treat it mostly like strict fail
+ if dmarcStrict {
+ score += 20
+ }
+ // Otherwise, moderate penalty (no points added or deducted)
 case "+", "?":
 // Pass/neutral - severe penalty
- score -= 25
+ if !dmarcStrict {
+ score -= 25
+ }
 }
 } else {
 // No 'all' mechanism qualifier extracted - severe penalty
diff --git a/web/src/lib/components/DnsRecordsCard.svelte b/web/src/lib/components/DnsRecordsCard.svelte
index a871096..2b3c99c 100644
--- a/web/src/lib/components/DnsRecordsCard.svelte
+++ b/web/src/lib/components/DnsRecordsCard.svelte
@@ -111,7 +111,7 @@
 {/if}
-
+
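Review bot: `dmarcStrict` in the first dns_spf.go hunk treats any valid record with `p=quarantine` or `p=reject` as enforcing, but DMARC's `pct` tag scales enforcement down (a record with `p=reject; pct=0` parses as reject while applying the policy to none of the failing mail), so the SPF relief granted further down would be given to a domain that is not actually enforcing. If the parsed `api.DmarcRecord` exposes the `pct` tag, fold it into the condition so that only an absent tag (which defaults to 100) or `pct=100` counts as strict; if it does not, a comment such as `// NOTE: pct is not considered here, so a sampled-down policy still counts as strict` would at least make the limitation visible. calculateSPFScore begins before this hunk, so its earlier checks on mainSPF are not visible here.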
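Review bot: The relief added in `case "+", "?":` of the second dns_spf.go hunk is unsafe for `+all`: with `+all` every sending host gets an SPF pass, and an aligned SPF pass is a DMARC pass, so a `p=reject` policy no longer rejects anything and the record is weaker than having no DMARC at all. Only `?all` (neutral, which DMARC does not count as a pass) deserves the same consideration as softfail. Split the case so that `+` keeps the unconditional `score -= 25` and only `?` is gated on `dmarcStrict`; the `else` branch and the rest of calculateSPFScore continue outside the hunk.
```go
		case "~":
			// … unchanged: softfail handling …
		case "?":
			// Neutral - DMARC does not treat neutral as an SPF pass, so a strict
			// DMARC policy still covers unauthenticated mail; penalize only without it
			if !dmarcStrict {
				score -= 25
			}
		case "+":
			// Pass-all - every sender passes SPF, and an aligned SPF pass is a DMARC
			// pass, so DMARC enforcement cannot compensate; always penalize
			score -= 25
```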
diff --git a/web/src/lib/components/SpfRecordsDisplay.svelte b/web/src/lib/components/SpfRecordsDisplay.svelte
index 34aea8e..f9dd738 100644
--- a/web/src/lib/components/SpfRecordsDisplay.svelte
+++ b/web/src/lib/components/SpfRecordsDisplay.svelte
@@ -1,18 +1,27 @@
@@ -71,6 +80,8 @@
{#if spf.all_qualifier === '-'} All unauthorized servers will be rejected. This is the recommended strict policy. + {:else if dmarcStrict} + While your DMARC {dmarcRecord?.policy} policy provides some protection, consider using -all for better security with some old mailbox providers. {:else if spf.all_qualifier === '~'} Unauthorized servers will softfail. Consider using -all for stricter policy, though this rarely affects legitimate email deliverability. {:else if spf.all_qualifier === '+'}