What’s new: NSAuditor AI EE 0.5.3 ships SES Auditor v3 with DKIM public-key fingerprint pinning and an in-band DMARC alignment classifier. The pin-mode catches a class of attacks the v2 CNAME-chain validation alone can’t see — unauthorized rotation, supply-chain attacks, and DNS-layer key substitution. Ninth consecutive trio-publish (EE + CE 0.1.52 + agent-skill 0.1.19); EE plugin count unchanged at 20.
How DKIM pinning works
v2 verified that the DNS delegation chain was intact (the CNAME for <token>._domainkey.<domain> resolves to <token>.dkim.amazonses.com). v3 goes one layer deeper: it reads the TXT record at the resolved name, parses the RFC 6376 §3.6.1 tag-list, and SHA-256-fingerprints the base64-decoded public-key bytes. If the operator has pinned a baseline fingerprint, a MISMATCH verdict is deterministic.
The R-CRITICAL fold
_stripControlChars silently truncated text at 256 chars, but real-world DKIM RSA-2048 keys produce TXT records roughly 360-700 chars long. Before the fold this produced wrong SHA-256 fingerprints (false-CLEAN pin matches or false MISMATCHes). Discovered by tests, not by a reviewer. A new _stripControlCharsNoTruncate helper bypasses the cap only where cryptographic data is handled.
What else
- Short-key floor (≥128 bytes) catches p=empty and 1-byte substitution attacks.
- Multiple-record detection routes to LOW + evidenceGap instead of silently parsing only the first record.
- DMARC alignment classifier projects whether the identity's actual config can ever satisfy adkim/aspf alignment.
Numbers
- Plugin count UNCHANGED at 20
- +61 new tests; EE full regression 4962/4962 across 778 suites
- 49-session 100% green streak preserved
- Ninth consecutive trio-publish
Install
npm install -g nsauditor-ai@0.1.52 @nsasoft/nsauditor-ai-ee@0.5.3
npm install nsauditor-ai-agent-skill@0.1.19