Changelog

Full history of updates, fixes, and new features — most recent first.

v1.3.0 (April 2026) Security release (current)
Security hardening & penetration testing
Security fixes
[SEC] XSS via crafted XML — org name, domain, email and report ID from DMARC XML are now HTML-escaped with a dedicated esc() helper before any DOM insertion. A malicious report file could previously execute JavaScript in the browser.
[SEC] SSRF in iplookup.php — removed CURLOPT_FOLLOWLOCATION and added a strict URL allowlist. PHP curl calls are now restricted to ip-api.com and ipinfo.io only, preventing server-side redirects to internal addresses.
[SEC] DoS via recursive SPF includes — the SPF parser now hard-limits recursion to 4 levels and 20 total DNS calls, preventing a crafted domain from exhausting server resources.
[SEC] Rate limiting — all three PHP endpoints now enforce per-IP rate limits (30–60 req/min) via APCu, with HTTP 429 responses on excess.
[SEC] Domain format validation — a stricter hostname regex now rejects double-dot labels (example..com), leading hyphens, and other malformed inputs. Private/reserved hostnames (localhost, .local, .internal) are explicitly blocked.
[SEC] Security headers — added X-Content-Type-Options: nosniff, X-Frame-Options: DENY, and Content-Security-Policy to all PHP endpoints and HTML pages.
[SEC] Tab hijacking — all target="_blank" links now include rel="noopener noreferrer".
[SEC] DKIM tag sanitisation — DNS-derived DKIM tag values are now sanitised before inclusion in JSON output. json_encode() is now called with the JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_AMP | JSON_HEX_QUOT flags.
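The two browser-side fixes above, escaping report metadata before DOM insertion and rejecting malformed or private hostnames, as an added example (not the project's own esc() or validation code; the sample report metadata and the blocked-suffix list are constructed here):

```javascript
// Added example (not the project's own code): HTML-escape DMARC report metadata
// before DOM insertion, and validate a hostname with the stricter rules listed
// in the changelog (no double-dot labels, no leading hyphens, no private names).

// Escape the five characters that matter in HTML text and attribute contexts.
function esc(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[ch]);
}

// Build the report header fragment a viewer would insert with innerHTML.
function renderReportHeader(meta) {
  return `<h2>${esc(meta.orgName)}</h2>` +
         `<p>Domain: ${esc(meta.domain)} | Contact: ${esc(meta.email)} | ` +
         `Report ID: ${esc(meta.reportId)}</p>`;
}

// RFC 1123 style label: 1-63 chars, alphanumerics and hyphens, no leading or trailing hyphen.
const LABEL = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i;
// Constructed list of reserved suffixes that must never reach the DNS resolver.
const BLOCKED_SUFFIXES = [".local", ".internal", ".localhost"];

function isValidPublicHostname(host) {
  if (typeof host !== "string" || host.length < 1 || host.length > 253) return false;
  const name = host.endsWith(".") ? host.slice(0, -1) : host; // tolerate a trailing dot
  const labels = name.split(".");       // "example..com" yields an empty label
  if (labels.length < 2) return false;  // a bare single label (e.g. "localhost") is rejected
  if (!labels.every((l) => LABEL.test(l))) return false;
  const lower = name.toLowerCase();
  return !BLOCKED_SUFFIXES.some((s) => lower.endsWith(s));
}

// Constructed sample: an org_name value from a malicious aggregate report.
const hostileMeta = {
  orgName: '<img src=x onerror="alert(1)">',
  domain: "example.com",
  email: "dmarc@example.com",
  reportId: "12345",
};
```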
New files
[NEW] nginx-security.conf — ready-to-use nginx snippet with HSTS, full CSP, PHP file whitelist, and rate limiting zones.
[NEW] .htaccess — Apache/cPanel equivalent with security headers, PHP file whitelist, and hidden file blocking.
[NEW] SECURITY.md — deployment security checklist, SRI hash generation instructions, pentest summary table, and data privacy notes.
[NEW] changelog.html — this page. Separate file for easy maintenance without touching application code.
v1.2.0 (April 2026) Major release
Multi-page architecture, DNS tools & client report
New pages
[NEW] DNS Tools page (tools.html) — live SPF record checker parses all mechanisms, expands include: chains, counts DNS lookups against the 10-lookup limit, and flags issues. DKIM selector checker looks up keys and shows type, bit-length, revocation status, and testing mode flag.
[NEW] Client Report page (client.html) — generates a clean non-technical summary with pass rate gauge, plain-English status, sender list, and auto-generated action items. Supports optional client name, technician notes, and Print / Save as PDF.
Report Viewer enhancements
[NEW] Actions column in sources table — per-row quick links to SPF check, DKIM check (selector pre-filled), AbuseIPDB reputation lookup, and WHOIS. DNS Tools page opens with domain and selector pre-populated.
[NEW] Pass rate trend chart — automatically appears when two or more reports are loaded, showing pass rate over time using Chart.js.
[NEW] Technician notes — freeform text area per report, auto-saved to browser localStorage keyed by report ID. Persists across sessions.
[NEW] CSV export — downloads all source rows including sender label, diagnosis text, auth detail, and override reasons.
[NEW] Print / Save as PDF — clean A4 landscape print stylesheet hides all UI chrome, preserves colour coding, and adds a formatted report header.
[NEW] Navigation bar — links all three pages with active state indicator.
Server-side
[NEW] spf-lookup.php — server-side SPF DNS resolver with recursive include expansion.
[NEW] dkim-lookup.php — server-side DKIM selector lookup with key strength estimation.
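The recursive include expansion behind the SPF checker, with the 10-lookup count from the DNS Tools page and the 4-level / 20-call hard limits from the v1.3.0 DoS fix, as an added example (not the project's spf-lookup.php; the in-memory zone table, including its self-referencing include loop, is constructed for the example and replaces real DNS so it runs offline):

```javascript
// Added example (not the project's own code): depth- and budget-limited SPF
// include expansion over a constructed in-memory DNS table, so a looping or
// deeply nested include chain cannot keep the resolver busy indefinitely.

const MAX_DEPTH = 4;         // include nesting limit (hard stop)
const MAX_DNS_CALLS = 20;    // hard ceiling on TXT lookups per request
const RFC_LOOKUP_LIMIT = 10; // RFC 7208 limit on lookup-causing mechanisms

// Constructed zone data: a two-level include chain plus a self-referencing loop.
const ZONE = {
  "example.com":       "v=spf1 include:_spf.mailer.test include:loop.test -all",
  "_spf.mailer.test":  "v=spf1 ip4:192.0.2.0/24 include:_spf2.mailer.test ~all",
  "_spf2.mailer.test": "v=spf1 a mx -all",
  "loop.test":         "v=spf1 include:loop.test -all",
};

// Mechanisms and modifiers that each cost one DNS lookup under RFC 7208.
const LOOKUP_TERMS = ["include", "a", "mx", "ptr", "exists", "redirect"];

function expandSpf(domain, dns = ZONE) {
  const state = { dnsCalls: 0, lookupMechs: 0, issues: [], mechanisms: [] };
  walk(domain, 0, state, dns);
  if (state.lookupMechs > RFC_LOOKUP_LIMIT) {
    state.issues.push(`exceeds ${RFC_LOOKUP_LIMIT} DNS lookups (${state.lookupMechs})`);
  }
  return state;
}

function walk(domain, depth, state, dns) {
  if (depth > MAX_DEPTH) { state.issues.push(`include depth exceeded at ${domain}`); return; }
  if (state.dnsCalls >= MAX_DNS_CALLS) { state.issues.push("DNS call budget exhausted"); return; }
  state.dnsCalls += 1;                     // every TXT fetch is charged, hit or miss
  const record = dns[domain];
  if (!record) { state.issues.push(`no SPF record for ${domain}`); return; }
  for (const term of record.split(/\s+/).slice(1)) {   // skip the "v=spf1" version tag
    const [mech, arg] = term.replace(/^[+\-~?]/, "").split(/[:=]/, 2); // strip qualifier
    state.mechanisms.push({ domain, term });
    if (LOOKUP_TERMS.includes(mech)) state.lookupMechs += 1;
    if (mech === "include") walk(arg, depth + 1, state, dns);
  }
}
```

For example.com above the loop is cut at depth 4 and reported as an issue; a record that fans out to more than 20 includes instead stops on the call budget.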
v1.1.0 (April 2026) Minor release
IP lookup, sender recognition & tech diagnostics
IP lookup
[NEW] iplookup.php proxy — server-side IP lookup avoids browser CORS restrictions. Queries ip-api.com with ipinfo.io fallback.
[NEW] Known sender database — built-in recognition of Google Workspace, Microsoft 365, Amazon SES, SendGrid, Mailchimp/Mandrill, Mailgun, Postmark, Cloudflare, and Tor exit nodes. Resolves instantly without a network call.
[NEW] Sender badge displayed under each source IP — colour-coded green (known ESP), blue (cloud/CDN), red (suspicious), grey (live lookup).
[FIX] ZIP file support — added JSZip library. Reports delivered as .zip containing .xml or .xml.gz now load correctly. The previous version threw an error for all ZIP files.
Diagnostic detail
[NEW] Plain-English diagnosis per source row — distinguishes DKIM signature failure, DKIM alignment mismatch, SPF fail, SPF alignment mismatch, SPF softfail, temperror, permerror, and missing records.
[NEW] Alert cards — failing and partial-pass sources surfaced above the table in red/amber cards with full detail so techs don't have to scan rows.
[NEW] Policy override reasons — reason elements (forwarding, mailing list, local policy) shown as purple tags.
[NEW] Granular auth result codes — softfail, temperror, permerror, and neutral shown with distinct pill colours rather than collapsed to pass/fail.
[NEW] DKIM selector displayed — full d= domain and s= selector shown in auth detail column.
[NEW] Envelope-from shown separately — only displayed when it differs from header-from, the key indicator of SPF alignment failures.
UI
[NEW] "How to read this report" panel — collapsible info panel explaining report flow (receiver → domain owner), key field definitions, and the DKIM vs SPF alignment distinction.
[NEW] Row status indicators — green/amber/red dot per row for instant visual triage.
[NEW] Sender legend — colour key above the sources table explaining badge colours.
[NEW] Multi-report tabs — load multiple files and switch between them with a tab bar.
v1.0.0 (April 2026) Major release
Initial release — core report viewer
[NEW] DMARC XML report parser — reads and parses DMARC aggregate report XML in the browser, fully client-side.
[NEW] File input — drag-and-drop or browse for .xml and .xml.gz (gzip) report files, plus paste raw XML directly.
[NEW] Summary statistics — total messages, passed, failed, and pass rate with colour-coded health status.
[NEW] Policy published section — displays p=, sp=, DKIM/SPF alignment mode, pct=, and reporting organisation.
[NEW] Source table — per-IP breakdown of DKIM aligned, SPF aligned, disposition, header-from, envelope-from, and raw auth results.
[NEW] Dark theme UI — IBM Plex Sans / IBM Plex Mono typography, fully responsive layout.
[NEW] Privacy-first — no data transmitted, no analytics, no accounts. Entire viewer runs in the browser.