Check that fallback A/AAAA records are globally reachable IP addresses, fixes #134

Author: JoshData

CHANGELOG.md

@@ -1,6 +1,7 @@
 In Development
 --------------
 
+* When a domain name has no MX record but does have an A or AAAA record, if none of the IP addresses in the response are globally reachable (i.e. not Private-Use, Loopback, etc.), the response is treated as if there was no A/AAAA response and the email address will fail the deliverability check.
 * When a domain name has no MX record but does have an A or AAAA record, the mx field in the object returned by validate_email incorrectly held the IP addresses rather than the domain itself.
 * Fixes in tests.
 

email_validator/deliverability.py

@@ -1,5 +1,7 @@
 from typing import Optional, Any, Dict
 
+import ipaddress
+
 from .exceptions_types import EmailUndeliverableError
 
 import dns.resolver
@@ -57,9 +59,29 @@ def validate_email_deliverability(domain: str, domain_i18n: str, timeout: Option
             deliverability_info["mx_fallback_type"] = None
 
         except dns.resolver.NoAnswer:
-            # If there was no MX record, fall back to an A record. (RFC 5321 Section 5)
+            # If there was no MX record, fall back to an A or AAA record
+            # (RFC 5321 Section 5). Check A first since it's more common.
+
+            # If the A/AAAA response has no Globally Reachable IP address,
+            # treat the response as if it were NoAnswer, i.e., the following
+            # address types are not allowed fallbacks: Private-Use, Loopback,
+            # Link-Local, and some other obscure ranges. See
+            # https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
+            # https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
+            # (Issue #134.)
+            def is_global_addr(ipaddr):
+                try:
+                    ipaddr = ipaddress.ip_address(ipaddr)
+                except ValueError:
+                    return False
+                return ipaddr.is_global
+
             try:
                 response = dns_resolver.resolve(domain, "A")
+
+                if not any(is_global_addr(r.address) for r in response):
+                    raise dns.resolver.NoAnswer  # fall back to AAAA
+
                 deliverability_info["mx"] = [(0, domain)]
                 deliverability_info["mx_fallback_type"] = "A"
 
@@ -69,6 +91,10 @@ def validate_email_deliverability(domain: str, domain_i18n: str, timeout: Option
                 # (It's unclear if SMTP servers actually do this.)
                 try:
                     response = dns_resolver.resolve(domain, "AAAA")
+
+                    if not any(is_global_addr(r.address) for r in response):
+                        raise dns.resolver.NoAnswer
+
                     deliverability_info["mx"] = [(0, domain)]
                     deliverability_info["mx_fallback_type"] = "AAAA"
 

tests/mocked-dns-answers.json

@@ -60,6 +60,32 @@
    "0 ."
   ]
  },
+ {
+  "query": {
+   "name": "g.mail.com",
+   "type": "MX",
+   "class": "IN"
+  },
+  "answer": []
+ },
+ {
+  "query": {
+   "name": "g.mail.com",
+   "type": "A",
+   "class": "IN"
+  },
+  "answer": []
+ },
+ {
+  "query": {
+   "name": "g.mail.com",
+   "type": "AAAA",
+   "class": "IN"
+  },
+  "answer": [
+   "::1"
+  ]
+ },
  {
   "query": {
    "name": "nellis.af.mil",

tests/test_deliverability.py

@@ -27,6 +27,7 @@ def test_deliverability_found(domain, expected_response):
     [
         ('xkxufoekjvjfjeodlfmdfjcu.com', 'The domain name {domain} does not exist'),
         ('example.com', 'The domain name {domain} does not accept email'),  # Null MX record
+        ('g.mail.com', 'The domain name {domain} does not accept email'),  # No MX record but invalid AAAA record fallback (issue #134)
         ('nellis.af.mil', 'The domain name {domain} does not send email'),  # No MX record, A record fallback, reject-all SPF record.
 
         # No MX or A/AAAA records, but some other DNS records must