DEV Community

Omobolaji Adeyan


PhishGuard AI

I have added explainable SPF, DKIM, and DMARC signals to PhishGuard AI, my open-source Python phishing-detection project.

The implementation parses a trusted receiver's Authentication-Results header and treats authentication failures as supporting evidence rather than proof of phishing.

Measured regression examples:

  • A legitimate forwarded message with SPF failure remained SAFE, moving from 0.3149 to 0.3595.
  • A synthetic credential lure with SPF, DKIM, and DMARC failures moved from 0.6525 SUSPICIOUS to 0.8220 PHISHING.

Pass results do not reduce the risk score because authenticated infrastructure can still send malicious messages. Missing, malformed, and unsupported values remain unknown.

The change includes case-insensitive parsing, forwarding false-positive coverage, CLI support, documentation, packaging verification, repository policy checks, CodeQL, and tests across Python 3.10 through 3.13.
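The scoring policy described above (failures add evidence, passes never subtract, anything missing or malformed stays unknown, and only the trusted receiver's header is consulted) can be illustrated in a few dozen lines. The following is an added example written for this post, not PhishGuard AI's own code: the header strings, the trusted authserv-id `mx.example.net`, the per-method weights and the SAFE/SUSPICIOUS/PHISHING thresholds are all constructed for illustration and do not reproduce the project's numbers.

```python
import re
from typing import Dict, Optional

# Constructed sample Authentication-Results headers (not taken from the project).
FORWARDED_HEADER = (
    "mx.example.net; spf=fail (sender IP is 203.0.113.5) "
    "smtp.mailfrom=alice@example.org; dkim=pass header.d=example.org; "
    "dmarc=pass (p=reject) header.from=example.org"
)
LURE_HEADER = (
    "mx.example.net; spf=fail smtp.mailfrom=bank-login.example; "
    "DKIM=FAIL header.d=bank-login.example; dmarc=fail (p=none) "
    "header.from=bank-login.example"
)
MALFORMED_HEADER = "mx.example.net; spf=; dkim; dmarc=maybe"

METHODS = ("spf", "dkim", "dmarc")
SUPPORTED_RESULTS = {"pass", "fail"}            # everything else maps to "unknown"
TRUSTED_AUTHSERV_ID = "mx.example.net"          # hypothetical receiving MTA we trust

# Hypothetical evidence weights: a failure adds, a pass adds nothing, unknown adds nothing.
FAIL_WEIGHTS = {"spf": 0.05, "dkim": 0.08, "dmarc": 0.10}

# Matches "spf=fail", "DKIM = PASS", etc. Case-insensitive on both method and value.
_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)\s*=\s*([A-Za-z]*)", re.IGNORECASE)


def parse_auth_results(header: Optional[str],
                       trusted_authserv_id: str = TRUSTED_AUTHSERV_ID) -> Dict[str, str]:
    """Return {method: 'pass' | 'fail' | 'unknown'} for spf, dkim and dmarc.

    The header is ignored entirely unless its authserv-id (the token before the
    first ';') is the receiver we trust, so a header stamped by anyone else
    cannot contribute evidence in either direction.
    """
    results = {m: "unknown" for m in METHODS}
    if not header:
        return results
    authserv_part, _, body = header.partition(";")
    tokens = authserv_part.split()
    if not tokens or tokens[0].lower() != trusted_authserv_id.lower():
        return results
    for match in _RESULT_RE.finditer(body):
        method = match.group(1).lower()
        value = match.group(2).lower()
        if value in SUPPORTED_RESULTS:
            results[method] = value
        # empty, softfail, neutral, temperror, typos, ... all stay "unknown"
    return results


def classify(score: float) -> str:
    """Hypothetical thresholds for the three labels used in the post."""
    if score >= 0.75:
        return "PHISHING"
    if score >= 0.5:
        return "SUSPICIOUS"
    return "SAFE"


def apply_auth_evidence(base_score: float, header: Optional[str]) -> Dict[str, object]:
    """Add authentication failures to an existing risk score and explain why.

    Passes and unknowns are recorded in the explanation but never move the score.
    """
    results = parse_auth_results(header)
    score = base_score
    reasons = []
    for method in METHODS:
        result = results[method]
        if result == "fail":
            score += FAIL_WEIGHTS[method]
            reasons.append(f"{method}=fail (+{FAIL_WEIGHTS[method]:.2f})")
        else:
            reasons.append(f"{method}={result} (no change)")
    score = min(score, 1.0)
    return {
        "score": round(score, 4),
        "label": classify(score),
        "results": results,
        "reasons": reasons,
    }


if __name__ == "__main__":
    for name, base, header in (("forwarded", 0.30, FORWARDED_HEADER),
                               ("lure", 0.60, LURE_HEADER),
                               ("malformed", 0.40, MALFORMED_HEADER)):
        verdict = apply_auth_evidence(base, header)
        print(name, verdict["score"], verdict["label"], "; ".join(verdict["reasons"]))
```

With the constructed weights the forwarded message with a lone SPF failure stays SAFE, the lure with all three failures crosses into PHISHING, the malformed header leaves the score untouched, and a header whose authserv-id is not the trusted receiver is discarded before any value is read. The explanation list is what makes the signal "explainable": every method is accounted for, including the ones that changed nothing.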

Pull request and engineering evidence:
https://github.com/omobolajiadeyan/phishguard-ai/pull/21

The project now also has a one-minute safe demo and a guide for first-time contributors:

https://github.com/omobolajiadeyan/phishguard-ai

I welcome technically grounded feedback, testing, documentation improvements, and focused open-source contributions.

#Cybersecurity #Python #EmailSecurity #OpenSource #DevSecOps

Suggested Featured Link

Title: Explainable SPF, DKIM and DMARC Signals in PhishGuard AI

URL: https://github.com/omobolajiadeyan/phishguard-ai/pull/21

Description: Conservative email-authentication scoring with false-positive regressions, documented trust boundaries, cross-version tests, CodeQL, and reproducible before-and-after results.

Top comments (1)

Bee Jay

Smart design choice treating auth failures as evidence rather than verdict — SPF breaks on forwarded mail all the time, so a hard signal there would create more noise than value.

The regression tests are the real proof of work here. Forwarded message stays SAFE, credential lure with all three failures crosses into PHISHING. That’s the behavior you want.

Worth looking at ARC headers down the road — built exactly for preserving auth state across forwarding hops.

Not letting passes reduce risk score is the right call too. Authenticated infrastructure sends malicious mail more than people think.