feat(DESIRED_STATE): ✨ Add custom baseline configuration and schema #1013
- Introduced `DESIRED_STATE.MD` for custom baseline detection of non-conformance/drift.
- Added JSON schema `domain-detective.desired-state.schema.json` for configuration validation.
- Provided PowerShell usage example for desired state evaluation.
- Defined configuration structure for `checks`, `assessmentPolicy`, and `overrides`.

* Added `DesiredStateAnalysis` class to store conformance results.
* Introduced `DesiredStateCodes` for standardized error codes.
* Created `DesiredStateConfiguration` for organization-specific baselines.
* Developed `DesiredStateEvaluator` for evaluating domain health against desired states.
* Implemented methods for assessing DMARC and SPF policies.

* Implemented `Convert` method to transform `DesiredStateAnalysis` into `DesiredStateInfo`.
* Added properties for assessment counts and recommendations.
* Enhanced data handling for mail classification and conformity status.

- Implements `Test-DDDesiredState` cmdlet to validate domains against a desired state baseline.
- Loads JSON configuration and evaluates non-conformance for specified domains.
- Supports DNS queries and optional mail classification.

* Implement tests for `ResolveProfile` to ensure classification overrides work correctly.
* Add test for `Evaluate_DmarcRuaDomainSuffixMismatch` to validate error handling.
* Include tests for assessment policy suppression and severity overrides.
* Ensure `Evaluate_IncludesHealthAssessments_AndAppliesPolicy` correctly applies policies.

…dState aliases
* Updated `AliasesToExport` and `CmdletsToExport` to include `Test-DesiredState` and `Test-DDDesiredState`.
* Enhances the module's functionality by integrating desired state testing capabilities.

…lable codes
* Modified the suppression logic to use null-forgiving operator `!` for better null handling.
* Ensures that the code correctly processes cases where `code` may be null.

…TS, TLSRPT, and BIMI
* Updated the `checks` array to include `DKIM`, `MTASTS`, `TLSRPT`, and `BIMI`.
* Added detailed configuration schemas for `dkimPolicy`, `mtastsPolicy`, `tlsrptPolicy`, and `bimiPolicy`.
* Enhanced the documentation to reflect the new checks and their requirements.

…I checks
* Introduced new constants in `DesiredStateCodes` for DKIM, MTA-STS, TLSRPT, and BIMI.
* Updated `DesiredStateConfiguration` to include new policies for DKIM, MTA-STS, TLSRPT, and BIMI.
* Enhanced `DesiredStateEvaluator` with evaluation methods for DKIM, MTA-STS, TLSRPT, and BIMI.
* Improved assessment logic to ensure compliance with the new desired state policies.

…indicator download
* Introduced `IncludeMissingDkimSelectors` to verify DKIM records even without existing TXT records.
* Added `SkipBimiIndicatorDownload` to allow BIMI verification without downloading the SVG, aiding in drift detection.

* Implemented logic to include missing DKIM selectors in health checks.
* Added support for skipping BIMI indicator downloads based on profile settings.
* Enhanced the `Verify` method to accommodate new parameters for DKIM and BIMI checks.

…ment
- Introduced `DesiredStateDelegationPolicy` to manage delegation settings.
- Added `DesiredStateDnssecPolicy` for DNSSEC requirements.
- Implemented `DesiredStateSoaPolicy` to enforce SOA record standards.
- Created `DesiredStateWildcardDnsPolicy` for managing wildcard DNS behavior.
- Added `DesiredStateZoneTransferPolicy` to control zone transfer settings.
- Enhanced `DesiredStateEvaluator` to evaluate new policies during domain assessments.

… DANE, delegation, zone transfer, and wildcard DNS
* Introduced new policies to enhance domain management capabilities.
* Added `mxPolicy`, `nsPolicy`, `caaPolicy`, `dnssecPolicy`, `soaPolicy`, `danePolicy`, `delegationPolicy`, `zoneTransferPolicy`, and `wildcardDnsPolicy`.
* Expanded the schema to support additional configurations for improved DNS management.

…SOA, DANE, DELEGATION, ZONETRANSFER, and WILDCARDDNS
- Added new configuration options for `mx`, `ns`, `caa`, `dnssec`, `soa`, `dane`, `delegation`, `zoneTransfer`, and `wildcardDns`.
- Enhanced the `checks` array to include these new checks for improved security posture evaluation.

…e evaluation
* Introduced logic to handle DANE service types based on profile configuration.
* Ensured that DANE services are only included if enabled and required services are specified.

…DANE, and delegation policies
* Implement tests for `Evaluate_DmarcAspfNotAllowed_AddsError`
* Implement tests for `Evaluate_SpfRequiredIncludeMissing_AddsError`
* Implement tests for `Evaluate_MxNullMxNotAllowed_AddsError`
* Implement tests for `Evaluate_NsTooFewRecords_AddsWarning`
* Implement tests for `Evaluate_CaaIssuerNotAllowed_AddsError`
* Implement tests for `Evaluate_DnssecChainInvalid_AddsError`
* Implement tests for `Evaluate_DnssecRrsigDaysRemainingTooLow_AddsWarning`
* Implement tests for `Evaluate_SoaSerialFormatRequired_AddsWarning`
* Implement tests for `Evaluate_SoaRefreshOutOfRange_AddsWarning`
* Implement tests for `Evaluate_DaneInvalidRecords_AddsError`
* Implement tests for `Evaluate_DelegationMismatch_AddsError`
* Implement tests for `Evaluate_ZoneTransferAllowed_AddsError`
* Implement tests for `Evaluate_WildcardDnsCatchAllNotAllowed_AddsWarning`

…h, FCrDNS, and TTL
* Introduced new evaluation methods in `DesiredStateEvaluator` for:
  - Reverse DNS
  - FCrDNS
  - DNSBL
  - DNS health
  - TTL policies
* Created corresponding policy classes:
  - `DesiredStateFcrDnsPolicy`
  - `DesiredStateFlatteningServicePolicy`
  - `DesiredStateReverseDnsPolicy`
  - `DesiredStateRpkiPolicy`
  - `DesiredStateTtlPolicy`
* Enhanced existing evaluations to include new checks and assessments based on the defined policies.

…h, TTL, and reverse DNS
* Introduced new checks for `DNSHEALTH`, `TTL`, `REVERSEDNS`, `FCRDNS`, and `DNSBL`.
* Updated the desired state schema to include new policy definitions.
* Enhanced test coverage for TTL and DNS health evaluations.
* Added error and warning assessments for various DNS configurations.

…ecurityTxtPolicy classes
- Introduced `DesiredStateRobotsPolicy` to manage robots.txt configurations with properties like `enabled`, `requireRecord`, and `disallowFallback`.
- Added `DesiredStateSecurityTxtPolicy` for security.txt configurations, including properties such as `requireValid`, `requirePgpSigned`, and `allowedContactEmailDomainSuffixes`.
- Both classes include methods for cloning, applying overlays, and normalizing default values.

…cy fragments
- Introduced cmdlets for creating desired state policy fragments for:
  - NS records (`New-DDDesiredStateNs`)
  - Overrides (`New-DDDesiredStateOverride`)
  - Reverse DNS (`New-DDDesiredStateReverseDns`)
  - Robots.txt (`New-DDDesiredStateRobots`)
  - RPKI (`New-DDDesiredStateRpki`)
  - Security.txt (`New-DDDesiredStateSecurityTxt`)
  - SOA records (`New-DDDesiredStateSoa`)
  - SPF records (`New-DDDesiredStateSpf`)
  - TLS-RPT (`New-DDDesiredStateTlsRpt`)
  - DNS TTL (`New-DDDesiredStateTtl`)
  - Wildcard DNS (`New-DDDesiredStateWildcardDns`)
  - Zone Transfer (`New-DDDesiredStateZoneTransfer`)
- Enhanced `CmdletTestDesiredState` to support in-memory desired state configurations.

…cies with evaluations
* Introduced new policies for `Autodiscover`, `SecurityTxt`, and `Robots` in the desired state schema.
* Added corresponding evaluations in `TestDesiredState` to ensure compliance checks for these policies.
* Enhanced the configuration model to support optional requirements for each policy.

- Introduced `DesiredStateNsPolicy` for managing DNS name server policies.
- Added `DesiredStateOpenRelayPolicy` to handle open relay configurations.
- Implemented `DesiredStateOpenResolverPolicy` for open resolver settings.
- Created `DesiredStateProfile` to encapsulate various security policies.
- Developed `DesiredStateSmtpAuthPolicy` for SMTP authentication requirements.
- Added `DesiredStateSmtpBannerPolicy` to enforce SMTP banner standards.
- Introduced `DesiredStateSpfPolicy` for SPF record validation and requirements.
- Created `DesiredStateStartTlsPolicy` to manage STARTTLS configurations.
- Implemented `DesiredStateTlsRptPolicy` for TLS Reporting policies.
These changes enhance the security posture of the application by providing granular control over DNS and email configurations.

…for email security policies
* Introduced new cmdlets for managing desired state configurations for DKIM, DMARC, IMAP TLS, POP3 TLS, SMTP AUTH, SMTP Banner, SMTP TLS, and STARTTLS.
* Each cmdlet includes parameters to enforce various security requirements, such as:
  - Validity checks for records and keys.
  - Restrictions on deprecated tags and weak policies.
  - Requirements for specific configurations like STARTTLS support and valid certificate chains.
* Enhanced existing cmdlets with additional validation options to improve email security posture.

…il server latency
* Introduced a new method `VerifyMailLatency` to assess connection and banner latency across all MX hosts.
* Updated health check mappings to include mail latency analysis.
* Enhanced logging for better visibility of mail latency targets.

…F, and other security policies
- Implemented multiple test cases to evaluate various security policies including DMARC, DKIM, TLS-RPT, MTA-STS, and SPF.
- Added checks for invalid records, deprecated tags, and policy violations.
- Enhanced the `DesiredStateEvaluator` to ensure compliance with security standards.
- Updated the `DesiredStateProfile` to include new validation rules for security assessments.
- Improved error handling and reporting for better diagnostics during evaluations.

* Refactor logic to ensure `Target` is not null before trimming.
* Enhance readability and maintainability of the version leak assessment.

* Streamlined the logic for trimming and validating host names in `Dns.Security`.
* Improved readability and maintainability in `Mail.Smtp` by consolidating target trimming checks.

…hecks
* Introduced `RequireMtastsTxtUniformAcrossNs` and `RequireTlsRptTxtUniformAcrossNs` properties to enforce uniform TTLs across name servers for MTA-STS and TLS-RPT TXT records.
* Updated `DesiredStateEvaluator` to assess compliance with these new requirements.
* Enhanced `TtlRecommendations` to provide guidance on MTA-STS and TLS-RPT TTL uniformity.
* Added corresponding tests to ensure functionality and correctness.

* Simplified string trimming and null checks in `DesiredStateEvaluator` classes.
* Enhanced readability and maintainability of the code.
* Added a shim for init-only setters in .NET Framework compatibility.

* Enhanced null and empty string checks for `countryName`.
* Ensured that the method returns false for invalid input, improving robustness.

* Introduced `TestDomainSuffixMatching` to validate domain and subdomain matching logic.
* Ensured various scenarios are covered, including edge cases for null and empty strings.

…use `DomainHelper.IsDomainOrSubdomainOf`
* Improved the logic for DKIM CNAME suffix matching by utilizing the `DomainHelper.IsDomainOrSubdomainOf` method for better domain validation.

* Introduced `IsExternalInit` class to provide compatibility for init-only setters in frameworks that do not support this feature natively.

…sessment retrieval
* Introduced a new method `GetAssessmentProviders` to yield all instances of `IHasAssessments`.
* This enhances the functionality of the `DomainHealthCheck` class by allowing easier access to assessment providers.

…uffix validation
* Introduced a new method to normalize and validate domain suffixes in `DesiredStateCmdletValidation`.
* Ensures that domain suffixes are checked for validity and uniqueness.
* Enhances error handling for invalid suffixes, providing clear feedback to the user.

….NET 8
* Simplified UDP receive logic by removing preprocessor directives.
* Ensured consistent behavior across different .NET versions.

* Clarified that Excel export requires .NET 8.0+ or net472 on Windows.

…on handling for .NET 8
* Removed conditional compilation for .NET 8 specific connection methods.
* Streamlined connection logic to use consistent async patterns across both classes.

…s for .NET 8 compatibility
* Moved `DomainHealthCheck.Trim.cs` to a separate file for clarity.
* Updated project file to conditionally compile `DomainHealthCheck.Trim.cs` for .NET 8.
* Removed unnecessary preprocessor directives from `DomainHealthCheck.Assessments.cs`.

…tion
* Cleaned up code by removing `#if NET8_0` directives across multiple files.
* Ensured compatibility with current framework without conditional checks.
* Improved readability and maintainability of the `ExcelCompositionReport` class.

… compatibility
* Removed .NET 8 conditional compilation notes.
* Simplified documentation for report generation examples.
Pull Request Review: Desired State Configuration Feature
Overview
This is an excellent, comprehensive addition to DomainDetective. The Desired State Configuration (DSC) feature adds critical enterprise functionality for detecting drift against organizational baselines. The implementation is well-architected, thoroughly tested, and production-ready.
Code Quality: ✅ Excellent
Strengths
Architecture & Design:
Error Handling:
Code Consistency:
PowerShell Integration:
Test Coverage: ✅ Strong
Unit Tests Present:
Coverage Assessment:
Security: ✅ Secure
Positive Security Features:
No Security Issues Found:
Minor Recommendation:
Performance: ✅ Well-Optimized
Efficient Design:
Scalability:
CI/CD Improvements:
Documentation: ✅ Comprehensive
DESIRED_STATE.MD:
JSON Schema:
PowerShell Examples:
Potential Issues:
* Changed preprocessor directives from `NET6_0_OR_GREATER` to `NET8_0_OR_GREATER` across multiple protocol analysis files.
* Updated asynchronous method calls to utilize the new .NET 8 features for improved performance and readability.
* Ensured consistent handling of HTTP requests and responses, including stream reading and writing.
* Refactored domain suffix checks to use a helper method for better maintainability.

* Replaced custom domain checking implementation in `DnsCaaIssuerDetector` and `DnsCnameTargetDetector` with a call to `DomainHelper.IsDomainOrSubdomainOf`.
* Enhances code readability and maintainability.

* Changed preprocessor directives from `NET6_0_OR_GREATER` to `NET8_0_OR_GREATER` for compatibility.
* Ensures that the port scanning logic utilizes the latest .NET features.

* Changed the conditional compilation directive from `NET6_0_OR_GREATER` to `NET8_0_OR_GREATER`.
* Ensures compatibility with .NET 8 for the `BgpPrefixMonitor` class.

* Changed preprocessor directives from `NET6_0_OR_GREATER` to `NET8_0_OR_GREATER` in multiple files to ensure compatibility with .NET 8.
* Refactored domain checking logic in `DomainHelper` for improved clarity and maintainability.
* Enhanced `DomainHealthCheck` methods to streamline assessment retrieval and improve performance.

* Removed conditional compilation for .NET 8 in `TestExcelDashboardDiscoverySmoke` and `TestExcelDkimDetailsSmoke`.
* Enhanced error handling in `TestMTASTSAnalysis`.
* Updated `RdapAnalysis` tests to use `NET8_0_OR_GREATER`.
* Added new test class `TestDomainHelperSuffixMatching` for domain matching logic.
* Cleaned up unused references and ensured all tests are compatible with .NET 8.

* Added specific test run names for clarity.
* Updated the test command for `DomainDetective.Tests` to include framework-specific conditions.
* Ensured tests are run with appropriate verbosity and logging options.
Pull Request Review: Desired State Configuration Feature
Summary
This is an impressive and comprehensive PR that introduces a Desired State Configuration (DSC-like) layer to DomainDetective. The feature allows organizations to define custom baselines and detect drift/non-conformance against their own standards. The PR adds approximately 16,850 lines across 229 files, implementing a complete policy framework with PowerShell cmdlets, JSON schema validation, and extensive domain health checks.
Positive Highlights
Architecture and Design
Code Quality
Security
Areas for Improvement
1. Regex Performance in WildcardMatcher (Medium Priority)
Location: DesiredStateProfile.cs:40
The PR introduces wildcard pattern matching for domain overrides. If WildcardMatcher.IsMatch uses unbounded regex, this could be a performance issue with many overrides or complex patterns. Recommendation: Verify WildcardMatcher uses bounded regex with timeout, consider caching compiled regex patterns, and document pattern complexity limits.
2. Missing Integration Tests (Medium Priority)
While unit tests cover configuration loading and profile resolution (TestDesiredState.cs), end-to-end integration tests are needed for:
Recommendation: Add integration tests to catch issues in the full pipeline.
3. Workflow Changes Review (Medium Priority)
The PR modifies workflow files (.github/workflows/dotnet-tests.yml +17/-4 and powershell-tests.yml +21/-6). Ensure timeout adjustments are appropriate and all tests run on all platforms.
4. Schema Version Validation (Low Priority)
Location: DesiredStateConfiguration.cs:58-60
Consider adding an upper bound check to warn/error on future schema versions this code doesn't understand for better forward compatibility.
5. Exception Handling Verbosity (Low-Medium Priority)
Location: DesiredStateEvaluator.cs:31-43
While exception swallowing prevents evaluation failures, consider logging at higher severity or adding a fail-fast option for development/testing.
Performance Considerations
Security Assessment
No critical security issues identified.
Test Coverage Assessment
Tests Identified: 9 test files in PR
Recommendation: Aim for 70%+ code coverage on new code, especially evaluator logic.
Final Verdict
Recommendation: Approve with minor follow-ups
This is high-quality work that adds significant value to DomainDetective. The architecture is sound, the API is well-designed, and the documentation is thorough. The identified issues are minor and can be addressed in follow-up PRs or as part of iterative improvements. The desired state configuration feature will enable organizations to enforce custom compliance baselines, making this a valuable enterprise-grade addition. Great work!
Review completed using Claude Sonnet 4.5 - PR 1013
…andling
* Added `HttpStubMessageHandler` to simulate HTTP responses in tests.
* Updated `TestAutodiscoverHttpListener` and `TestAutodiscoverHttpListenerResults` to utilize the new handler.
* Removed reliance on `HttpListener` for more controlled and predictable test behavior.
Pull Request Review: Desired State Configuration Feature
Overall Assessment: ✅ APPROVED - EXCEPTIONAL QUALITY
This is an outstanding implementation that adds comprehensive custom baseline/desired state configuration capabilities to DomainDetective. The code demonstrates exceptional quality, thorough testing, and excellent architectural design.
Summary
Lines Changed: +16,993 / -1,097 across 232 files
Strengths ✅
1. Architecture & Design
2. Code Quality
3. PowerShell Integration
4. Testing
5. Documentation
Issues Found
Thread Safety Verification ✅ RESOLVED
Location:
I initially flagged a potential thread safety concern with the regex cache, but upon detailed review, the implementation is correct:
✅ No thread safety issues found.
Minor Recommendations (Optional - Low Priority)
1. Add Range Validation for
* Upgrade `Microsoft.NET.Test.Sdk` to version `18.0.1`
* Upgrade `Microsoft.PowerShell.SDK` to version `7.5.4`
* Update `xunit.runner.visualstudio` to version `3.1.5`
* Introduce `app.config` for assembly binding redirects
* Add `xunit.runner.json` for xUnit configuration
* Modify `NSAnalysis` to include `AsnLookupTimeoutMs` property
* Set `EnableChaosFingerprinting` to `false` in test cases
Pull Request Review: Desired State Configuration Feature
Summary
This PR introduces a comprehensive Desired State Configuration (DSC) system for DomainDetective, enabling organizations to define custom baselines for domain security posture. This is a substantial and well-architected addition with 17,047 additions across 116 files.
Strengths
Architecture & Design ✅
PowerShell DSL ✅
Comprehensive Coverage ✅
Code Quality ✅
Documentation ✅
Testing ✅
Areas for Improvement
1. Security Considerations
* Added integration tests for desired state evaluation and profile resolution.
* Introduced `IntegrationFactAttribute` for opt-in integration tests.
* Updated `DesiredStateConfiguration` to enforce version limits.
* Improved wildcard pattern handling and cache eviction logic.
* Added `DesiredStateEvaluationOptions` for better error handling during evaluations.

* Introduced `FailFast` parameter to throw on evaluation exceptions.
* Added `LogEvaluationErrorsAsErrors` parameter to log exceptions as errors.
* Updated tests to validate behavior for new evaluation options.
* Adjusted domain pattern matching in integration tests for accuracy.
Pull Request Review: Desired State Configuration Feature
Executive Summary
This is an excellent and well-architected PR that introduces a powerful Desired State Configuration (DSC-like) layer to DomainDetective. The implementation is comprehensive, well-tested, and follows solid software engineering practices.
Overall Assessment: Approve with minor suggestions
Strengths
1. Architecture and Design
2. Code Quality
3. Test Coverage
4. Security Considerations
Issues and Recommendations
Minor Issues
Magic Numbers in Validation
Some validation uses magic numbers without constants (MaxDnsLookups range: 0-100, File size limit: 1MB). Recommendation: Consider extracting these to named constants for maintainability.
Best Practices Observed
Specific Code Review Comments
Documentation (DESIRED_STATE.MD)
Excellent - Comprehensive documentation with multiple usage examples. The trust boundary and performance notes sections are particularly valuable. Suggestion: Consider adding a Troubleshooting section for common configuration errors.
PowerShell DSL Implementation
Very Good - The DSL pattern using ScriptBlock is elegant and provides excellent IntelliSense support.
JSON Schema
Outstanding - The 2300+ line JSON schema provides excellent IDE support with IntelliSense.
Configuration Loading
Solid - Version checking, file size limits, and proper error messages.
Evaluation Logic
Well-structured - The partial class approach keeps related evaluation logic organized.
Performance and Security
Performance
Security
Testing Assessment
Comprehensive test coverage including:
Suggestion: Consider adding a test for the file size limit enforcement.
Breaking Changes
None identified - This is purely additive functionality.
Recommendations Summary
High Priority
None - the PR is production-ready as-is.
Medium Priority
Low Priority
Conclusion
This PR represents outstanding engineering work. The feature is well-designed, thoroughly tested, properly documented, and includes important security considerations.
Recommendation: APPROVE
The minor suggestions above are optional improvements that can be addressed in follow-up PRs if desired. This PR is ready to merge.
Questions for Author
Great work on this feature!
Desired State (custom baseline)
DomainDetective can detect security posture and provide best-practice recommendations. Some organizations also need a custom baseline to detect non-conformance / drift against their own standards (for example: hosted DMARC reporting services).
This document introduces a first-pass Desired State Configuration (DSC-like) layer:
PowerShell usage
Test a domain against a JSON baseline
Build a baseline in PowerShell (DSL) and test without JSON
`New-DDDesiredState` supports a PowerShell DSL (script block) that returns desired-state fragments (profiles/overrides).
Build a baseline using typed .NET classes (no DSL)
All desired state types are regular .NET classes, so you can create and edit them directly in PowerShell.
Load JSON, override values in memory, then test
Export configuration to JSON
There is no dedicated export cmdlet yet; you can serialize the in-memory configuration using the same serializer settings as DomainDetective:
Notes on mail classification overrides
- If the configuration uses `overrides.match.classifications`, `Test-DDDesiredState` runs mail classification automatically to choose the correct desired state.
- `-NoClassification`:
Configuration file
Add a `$schema` field for editor IntelliSense:

```json
{
  "$schema": "./Docs/Schemas/domain-detective.desired-state.schema.json",
  "version": 1,
  "defaults": {
    "checks": [
      "DMARC", "SPF", "DKIM", "MTASTS", "TLSRPT", "BIMI", "AUTODISCOVER", "SECURITYTXT", "ROBOTS",
      "MX", "REVERSEDNS", "FCRDNS", "DNSBL", "NS", "DNSHEALTH", "APEXADDRESS", "RPKI", "EDNSSUPPORT",
      "DNSOVERTLS", "FLATTENINGSERVICE", "DANGLINGCNAME", "CAA", "DNSSEC", "SOA", "DANE",
      "DELEGATION", "ZONETRANSFER", "WILDCARDDNS", "TTL"
    ],
    "assessmentPolicy": { "suppressCodes": [ "DMARC.Alignment.Mismatch" ] },
    "dmarc": {
      "allowedPolicies": [ "reject", "quarantine" ],
      "allowedSubdomainPolicies": [ "reject", "quarantine" ],
      "allowedAspfAlignments": [ "r", "s" ],
      "allowedAdkimAlignments": [ "r", "s" ],
      "requireRua": true,
      "allowedReportDomainSuffixes": [ "dmarc.powermarc.com" ],
      "requireExternalReportAuthorization": true
    },
    "spf": {
      "allowedAllMechanisms": [ "-all", "~all" ],
      "maxDnsLookups": 10,
      "requiredIncludeDomains": [ "spf.protection.outlook.com" ],
      "disallowPtr": true
    },
    "dkim": {
      "requiredSelectors": [ "selector1", "selector2" ],
      "minKeyBits": 2048,
      "allowedCnameTargetSuffixes": [ "sendgrid.net" ]
    },
    "mtasts": { "requireRecord": true, "requireEnforce": true, "minMaxAge": 86400 },
    "tlsrpt": {
      "requireRecord": true,
      "requireValidPolicy": true,
      "allowedReportDomainSuffixes": [ "tlsrpt.vendor.example" ]
    },
    "bimi": {
      "requireValidLocation": true,
      "allowedLocationHostSuffixes": [ "cdn.vendor.example" ],
      "skipIndicatorDownload": true
    },
    "mx": {
      "requireRecord": true,
      "disallowNullMx": true,
      "allowedHostSuffixes": [ "protection.outlook.com" ]
    },
    "autodiscover": {
      "requireAutodiscoverCname": true,
      "allowedAutodiscoverCnameTargetSuffixes": [ "outlook.com", "office365.com" ],
      "requireAnyValidEndpoint": false
    },
    "reverseDns": {
      "requirePtrPresent": true,
      "allowedPtrSuffixes": [ "protection.outlook.com" ],
      "requireForwardConfirmed": true
    },
    "fcrDns": { "requireAllForwardConfirmed": true },
    "dnsbl": {
      "disallowListings": true,
      "includeQueryKinds": [ "IpAddressV4", "IpAddressV6" ],
      "includeIpSources": [ "MxA", "MxAAAA" ]
    },
    "ns": { "requireAtLeastTwo": true, "requireDiversity": false },
    "dnsHealth": {
      "requireServersResponsive": true,
      "requireSoaSerialConsistent": true,
      "requireApexAddressesConsistent": true
    },
    "apexAddress": {
      "disallowPrivateAddresses": true,
      "disallowLoopbackAddresses": true,
      "disallowLinkLocalAddresses": true,
      "disallowMulticastAddresses": true,
      "disallowDocumentationAddresses": true,
      "disallowUniqueLocalV6Addresses": true
    },
    "rpki": { "disallowInvalid": true, "treatQueryFailuresAsDrift": false },
    "ednsSupport": {
      "requireAllServersSupported": true,
      "maxUdpPayloadSize": 1232,
      "requireCookieSupport": false
    },
    "dnsOverTls": {
      "requireAnySupported": false,
      "requireCertificateValid": true,
      "requireHostnameMatch": true
    },
    "flatteningService": { "allowedTargetSuffixes": [ "cloudflare.net" ] },
    "danglingCname": { "disallowDangling": true, "disallowUnclaimedService": true },
    "caa": {
      "requireRecord": true,
      "requireValid": true,
      "allowedCertificateIssuers": [ "letsencrypt.org" ]
    },
    "dnssec": { "requireChainValid": true, "minRrsigDaysRemaining": 7 },
    "soa": {
      "requireRecord": true,
      "requireSerialFormat": false,
      "minRefresh": 1800,
      "maxRefresh": 86400
    },
    "dane": {
      "requireRecord": false,
      "requireValidRecords": true,
      "requiredServices": [ "SMTP" ],
      "requireRecommendedForSmtp": true
    },
    "delegation": {
      "requireMatchesParent": true,
      "requireGlueComplete": true,
      "requireGlueConsistent": true
    },
    "zoneTransfer": { "disallowUnauthenticatedAxfr": true },
    "wildcardDns": { "expectedCatchAll": false },
    "ttl": {
      "minASeconds": 300,
      "maxASeconds": 86400,
      "minDmarcTxtSeconds": 3600,
      "requireAUniformAcrossNs": true
    },
    "securityTxt": {
      "requireRecord": false,
      "requireValid": false,
      "disallowFallback": false,
      "requireContactEmail": false
    },
    "robots": {
      "requireRecord": false,
      "disallowFallback": false,
      "requireAiBotRules": false,
      "requireSitemap": false
    }
  },
  "overrides": [
    {
      "match": {
        "domainPatterns": [ "*.example.com" ],
        "classifications": [ "Parked" ]
      },
      "profile": {
        "spf": { "requireDenyAll": true },
        "dmarc": { "requireRua": false },
        "apexAddress": { "disallowAnyAddress": true }
      }
    }
  ]
}
```

Notes
- `checks` controls which `HealthCheckType` modules are executed for the profile.
- `assessmentPolicy` can suppress or re-severity existing built-in assessment codes (useful when your org intentionally deviates from generic best practices).
- `Conforms` is calculated from the remaining (post-policy) assessments across all executed checks plus any `DesiredState.*` drift findings.
- `dmarc.allowedReportDomainSuffixes` enables vendor-specific baselining (for example: require `rua=` to use your hosted DMARC provider domain suffix).
- `overrides.match.classifications` uses DomainDetective mail classification (Sending/Receiving/Parked) to pick different desired states per domain role.
Current scope
The initial desired state evaluator covers:
- DMARC: `rua` required, report-domain suffix allow-list, and external report authorization checks.
- SPF: `all` mechanism allow-list, DNS lookup threshold, and "deny-all" requirement.
- TLS-RPT: `rua` requirement, and report-domain suffix allow-list.

The configuration model is intended to be extended to additional checks over time while preserving schema compatibility (versioned config + typed keys).
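The profile-resolution and conformity rules from the Notes above, modelled as an added Python example (not DomainDetective's own C# code): it parses a trimmed copy of the JSON baseline, overlays the `overrides` entries whose `match` fits a domain onto `defaults`, applies `assessmentPolicy.suppressCodes`, flags a few DMARC/SPF drift conditions and derives `Conforms`. The function names, the drift code strings, the record-fact dictionaries and the rule that any surviving Error or Warning breaks conformity are all assumptions of this example, not the project's `DesiredStateCodes` or evaluator behaviour.

```python
"""Model of DomainDetective desired-state evaluation (added example, not the project's code)."""
import fnmatch
import json
from copy import deepcopy

# Constructed, trimmed-down baseline using the same keys as the DESIRED_STATE.MD example above.
BASELINE_JSON = """{
  "version": 1,
  "defaults": {
    "checks": ["DMARC", "SPF"],
    "assessmentPolicy": {"suppressCodes": ["DMARC.Alignment.Mismatch"]},
    "dmarc": {"allowedPolicies": ["reject", "quarantine"], "requireRua": true,
              "allowedReportDomainSuffixes": ["dmarc.powermarc.com"]},
    "spf": {"allowedAllMechanisms": ["-all", "~all"], "maxDnsLookups": 10}
  },
  "overrides": [
    {"match": {"domainPatterns": ["*.example.com"], "classifications": ["Parked"]},
     "profile": {"spf": {"requireDenyAll": true}, "dmarc": {"requireRua": false}}}
  ]
}"""

def load_baseline():
    """Parse the constructed baseline (a real run would read the JSON file from disk)."""
    return json.loads(BASELINE_JSON)

def overlay(base, patch):
    """Deep-merge an override fragment onto a profile: objects merge, scalars and lists replace."""
    out = deepcopy(base)
    for key, value in patch.items():
        if isinstance(value, dict) and isinstance(out.get(key), dict):
            out[key] = overlay(out[key], value)
        else:
            out[key] = deepcopy(value)
    return out

def resolve_profile(config, domain, classification):
    """Start from `defaults`, then overlay each override whose `match` block fits the domain."""
    profile = deepcopy(config["defaults"])
    for override in config.get("overrides", []):
        match = override.get("match", {})
        # domainPatterns are shell-style wildcards; classification is Sending/Receiving/Parked.
        # An absent or empty list on either criterion matches anything (assumed semantics).
        patterns = [p.lower() for p in match.get("domainPatterns", [])]
        classes = match.get("classifications", [])
        if patterns and not any(fnmatch.fnmatchcase(domain.lower(), p) for p in patterns):
            continue
        if classes and classification not in classes:
            continue
        profile = overlay(profile, override.get("profile", {}))
    return profile

def evaluate(profile, dmarc, spf, builtin):
    """Return (conforms, findings); drift codes are illustrative stand-ins for DesiredStateCodes."""
    # dmarc/spf are pre-parsed record facts (assumed shape, see demo()); builtin holds
    # (code, severity) pairs produced by the ordinary health checks.
    findings = []
    d, s = profile.get("dmarc", {}), profile.get("spf", {})
    if "DMARC" in profile["checks"]:
        if d.get("allowedPolicies") and dmarc["p"] not in d["allowedPolicies"]:
            findings.append(("DesiredState.Dmarc.PolicyNotAllowed", "Error"))
        if d.get("requireRua") and not dmarc["rua"]:
            findings.append(("DesiredState.Dmarc.RuaMissing", "Error"))
        suffixes = [x.lower() for x in d.get("allowedReportDomainSuffixes", [])]
        for addr in dmarc["rua"]:
            host = addr.split("@", 1)[-1].lower()
            if suffixes and not any(host == x or host.endswith("." + x) for x in suffixes):
                findings.append(("DesiredState.Dmarc.RuaDomainSuffixMismatch", "Error"))
    if "SPF" in profile["checks"]:
        if s.get("allowedAllMechanisms") and spf["all"] not in s["allowedAllMechanisms"]:
            findings.append(("DesiredState.Spf.AllMechanismNotAllowed", "Error"))
        if s.get("requireDenyAll") and spf["all"] != "-all":
            findings.append(("DesiredState.Spf.DenyAllRequired", "Error"))
        if s.get("maxDnsLookups") is not None and spf["lookups"] > s["maxDnsLookups"]:
            findings.append(("DesiredState.Spf.TooManyDnsLookups", "Error"))
    # Built-in assessments survive only if not suppressed by assessmentPolicy; Conforms covers
    # the survivors plus the drift findings (assumed here: any Error or Warning breaks it).
    suppressed = set(profile.get("assessmentPolicy", {}).get("suppressCodes", []))
    all_findings = [f for f in builtin if f[0] not in suppressed] + findings
    conforms = not any(sev in ("Error", "Warning") for _, sev in all_findings)
    return conforms, all_findings

def demo():
    """Constructed facts: a sending apex domain, and a parked subdomain that hits the override."""
    config = load_baseline()
    sending = resolve_profile(config, "example.com", "Sending")
    ok1, f1 = evaluate(sending, {"p": "reject", "rua": ["mailto:reports@dmarc.powermarc.com"]},
                       {"all": "~all", "lookups": 4}, [("DMARC.Alignment.Mismatch", "Warning")])
    parked = resolve_profile(config, "old.example.com", "Parked")
    ok2, f2 = evaluate(parked, {"p": "reject", "rua": []}, {"all": "~all", "lookups": 0}, [])
    return ok1, f1, ok2, f2
```

In `demo()` the sending domain conforms only because `DMARC.Alignment.Mismatch` is suppressed by the policy, while the parked subdomain picks up `requireDenyAll` from the override and fails on its `~all`.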