NSAuditor AI EE 0.5.0 Ships SES Email Integrity Auditor v2 — DKIM CNAME DNS Resolution + DMARC TXT Parser + SES Classic API Parity; First Network-Layer Cross-Reference in the EE Evidence Baseline

EE 0.5.0 milestone bump — SES Auditor v2 ships DKIM CNAME DNS + DMARC TXT parser + SES classic API parity. First network-layer cross-reference in the EE evidence baseline.


What’s new: Nsasoft US LLC has shipped NSAuditor AI Enterprise Edition 0.5.0, the minor-version milestone bump from 0.4.x. The release extends the SES Email Integrity Auditor (plugin 1190) with DKIM CNAME DNS resolution promotion, a DMARC TXT record parser, and SES classic API parity. It is the first release to add a network-layer cross-reference (live DNS resolution via node:dns/promises) to the AWS-SDK-substrate evidence baseline. That is a structurally distinct evidence-acquisition surface from prior 0.4.x cycles, which justifies the 0.5.0 bump even though the coverage matrix stays unchanged at 10/4/33.

EE 0.5.0 ships as the sixth consecutive trio-publish alongside CE 0.1.49 and agent-skill 0.1.16. EE plugin count remains 20.

Part A — DKIM CNAME DNS resolution promotion (dim 1)

This closes the canonical false-CLEAN window in which SES reports DkimAttributes.Status=SUCCESS but an operator has since rotated or removed the DNS CNAME records without re-verifying. Each <token>._domainkey.<identityDomain> CNAME is now resolved and matched against <token>.dkim.amazonses.com (case-insensitive per RFC 1035 §2.3.3). There are four outcomes: PASS ses-dkim-dns-verified, MEDIUM ses-dkim-dns-partial, HIGH ses-dkim-dns-missing (the production false-CLEAN closure firing), and LOW + evidenceGap ses-dkim-dns-unverifiable. Tokens are resolved in parallel via Promise.allSettled; identities are processed sequentially for predictable caching.

Part B — DMARC TXT record parser with R-CRITICAL-1 closure (dim 2)

Adds an RFC 7489 §6.4 tag-list parser and a _dmarc.<identityDomain> TXT lookup. There are five outcomes: PASS reject, MEDIUM quarantine, HIGH none, HIGH missing, and LOW + evidenceGap unverifiable.

The R-CRITICAL-1 same-session fold (false-CLEAN closure): pct=0 on p=reject or p=quarantine is functionally equivalent to p=none, because zero percent of failing mail is enforced. Before the fold, the auditor emitted PASS for the real-world misconfiguration “p=reject; pct=0”; v2 routes it to HIGH ses-dmarc-policy-none with a dmarcZeroPctEnforcement: true flag regardless of the declared p= tag.

R-HIGH-1 subdomain-takeover false-NEGATIVE closure: the DMARC sp subdomain-policy override is now evaluated per RFC 7489 §6.3. p=reject; sp=none downgrades to HIGH with dmarcSpWeakens: true (subdomain phishing and dev-subdomain attacks wide open while apex is protected); p=reject; sp=quarantine downgrades to MEDIUM.
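
The Part B classification rules above (declared policy, pct=0 fold, sp override) as an added JavaScript example; it is not NSAuditor's own code, and the function names, return shape and sample records are assumptions. The DNS lookup and the LOW + evidenceGap unverifiable outcome are left to the caller, and applying the sp rule to any sp weaker than p generalizes beyond the two cases named above.

```javascript
// Added example: function names and return shape are assumptions, not NSAuditor's API.
const RANK = new Map([['none', 0], ['quarantine', 1], ['reject', 2]]);
const SEVERITY = ['HIGH', 'MEDIUM', 'PASS']; // indexed by effective policy rank

// Tag-list parser: "tag=value" pairs separated by ';', surrounding whitespace ignored.
function parseDmarc(txt) {
  const rawTags = Object.create(null); // no prototype keys to collide with tag names
  for (const part of txt.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 1) continue; // empty segment (trailing ';') or missing tag name
    const tag = part.slice(0, eq).trim().toLowerCase();
    if (!(tag in rawTags)) rawTags[tag] = part.slice(eq + 1).trim(); // first wins
  }
  return rawTags; // unknown tags such as fo= are preserved
}

// records: TXT strings returned for _dmarc.<domain>, chunks already joined.
function classifyDmarc(records) {
  const dmarc = records.filter((r) => /^\s*v\s*=\s*DMARC1\s*(;|$)/.test(r));
  // Zero or several DMARC records at this name: no usable policy here.
  if (dmarc.length !== 1) return { severity: 'HIGH', outcome: 'missing' };
  const rawTags = parseDmarc(dmarc[0]);
  const p = (rawTags.p || '').toLowerCase();
  // Assumption: a record without a valid p= is reported like a missing one.
  if (!RANK.has(p)) return { severity: 'HIGH', outcome: 'missing', rawTags };
  const sp = RANK.has((rawTags.sp || '').toLowerCase()) ? rawTags.sp.toLowerCase() : p;
  const pct = /^\d{1,3}$/.test(rawTags.pct) ? Number(rawTags.pct) : 100;
  const base = { p, sp, pct, rawTags };
  // pct=0 enforces on zero percent of failing mail, whatever p= declares.
  if (p !== 'none' && pct === 0) {
    return { ...base, severity: 'HIGH', outcome: 'none', dmarcZeroPctEnforcement: true };
  }
  // A weaker sp= leaves subdomains less protected than the apex.
  const weakens = RANK.get(sp) < RANK.get(p);
  const outcome = weakens ? sp : p;
  const verdict = { ...base, severity: SEVERITY[RANK.get(outcome)], outcome };
  return weakens ? { ...verdict, dmarcSpWeakens: true } : verdict;
}
```

To run it against live DNS, pass the joined chunks from node:dns/promises resolveTxt('_dmarc.' + domain) and map resolver errors to the missing or unverifiable outcomes before calling classifyDmarc.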

Part C — SES classic GetIdentityPolicies parity (dim 4)

Cross-API discrepancy detection between SES classic ListIdentityPolicies/GetIdentityPolicies and SESv2 GetEmailIdentity.Policies. The canonical false-NEGATIVE class is a classic-only policy: an operator added the policy via the SES classic API, but an SESv2-only enumeration would silently miss it → HIGH ses-classic-policy-discrepancy. Same-name doc-divergent → MEDIUM; SESv2-only → INFO. When the classic SDK is unavailable or returns AccessDenied, the auditor stays conservative → LOW + evidenceGap.

Real-DNS smoke validation END-TO-END

  • DMARC resolution against production DNS: _dmarc.nsasoft.us parsed correctly — p=reject, sp=reject (default), pct=100; forward-compat fo=1 tag preserved in rawTags.
  • Empty-account SESv2 baseline succeeded end-to-end against 522412052794 (durationMs ~3.8s, no AccessDenied, 2 INFO findings).

Tests, regression, and ecosystem

  • +91 new tests across the v2 cycle (53 v2 base + 19 reviewer-fold pin + 19 others). Plugin 1190 test count grew 116 → 207 across 24 → 40 suites.
  • Full regression 4787/4787 green. 46-session 100% green streak preserved.
  • 11 new soc2.json mapping rules.
  • agent-skill 0.1.16: plugin 1190 row updated to v2 — sixth consecutive catalog refresh.
  • CE 0.1.49: paired-release docs-only patch.

Who’s affected

AWS SES adopters and email-integrity engineers; email-deliverability and brand-protection teams (DMARC pct=0 + sp override closures); legacy SES classic users (cross-API parity catches operator-added classic-API policies); SOC 2 readiness teams and Type-II audit firms; AI-coding-agent users.

Install

npm install -g nsauditor-ai@0.1.49 @nsasoft/nsauditor-ai-ee@0.5.0
npm install nsauditor-ai-agent-skill@0.1.16
