For some time (going back to before Sympl forked) there’s been a problem checking what DNS is actually public, versus what Sympl thinks it should have.
I’ve spent some time and built a script which you can run against a domain, and it will check the domain health in general (nameservers are consistent), then iterate through the current DNS templates in /srv/example.com/config/dns/*.txt and compare their contents against public results.
It’s very early, and may well have some interesting bugs, but do have a go and see what you think.
As an example…
root@sympl:~# ./sympl-dns-audit sympl.host
Detecting authoritative DNS servers... ok
Nameserver 1: ns1.mythic-beasts.com
Nameserver 2: ns2.mythic-beasts.com
Checking authoritative servers are in-sync... ok, will use 'ns1.mythic-beasts.com' for queries
ok sympl.host A 18.104.22.168
ok ftp.sympl.host A 22.214.171.124
ok www.sympl.host A 126.96.36.199
ok mail.sympl.host A 188.8.131.52
ok mx.sympl.host A 184.108.40.206
ok sympl.host AAAA 2a00:1098:88::3:1
ok ftp.sympl.host AAAA 2a00:1098:88::3:1
ok www.sympl.host AAAA 2a00:1098:88::3:1
ok mail.sympl.host AAAA 2a00:1098:88::3:1
ok mx.sympl.host AAAA 2a00:1098:88::3:1
ok sympl.host MX mx.sympl.host.
warn sympl.host TXT
  expected "v=spf1 +a +mx -all"
  got "v=spf1 a mx ip6:2a00:1098:88::3:2 a:sympl.host -all" "google-site-verification=PLy31m_2atEDmGh4p-rkmd8lNfmiZdV5cyhYi9hc8uk"
ok default._domainkey.sympl.host TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx5d846+Kwm/+Wo5k8Y1SyV2uFHZaGETpPLeFcTV5vu9cVoP2OFnOFVVtAPQ1J8MLSVpH0mJX27sw2RGGImFWvlIVFmhX4bhk3rIwEUBuL4+jwEmk5LjIpwdZtzUVxJzJfCsE/rEdXTPohmOJI6DxDaVciVPF1UBTGFbFsUJV9tJ3FCsbbi+lGmZBtMJn9NNlfcM2uPHY2urwUKiKNi/UrrBP0fHwOlVjLGOyG1ugxbC1jsS37cpRQ8kxLoIVxJ/un4cZo3tWDqkytLDXM11DSrF/TWbS3ENCsuxHvOMuuin+AJFN3P1KIiGrGynH3f6tOEgTcS3MQ0CNPP/HuJuP+QIDAQAB"
ok _dmarc.sympl.host TXT "v=DMARC1; p=quarantine; sp=none"
Give it a go and let me know how it works.
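
The kind of expected-versus-public comparison shown in the output above, as an added example that is not the sympl-dns-audit code: expected records are matched against authoritative answers after normalising TXT chunking, IPv6 notation, case and trailing dots. The record tuples, the `normalise` and `audit` names and all sample data are assumptions constructed for illustration.

```python
import ipaddress
import re

HOST_TYPES = {"MX", "CNAME", "NS"}

def normalise(rtype, rdata):
    """Reduce one rdata string to a canonical form so equal records compare equal."""
    rtype = rtype.upper()
    if rtype == "TXT":
        # A TXT record may arrive as several quoted chunks ("abc" "def"); join them.
        chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
        return "".join(chunks) if chunks else rdata.strip()
    if rtype in ("A", "AAAA"):
        return ipaddress.ip_address(rdata.strip()).compressed
    if rtype in HOST_TYPES:
        # Keep only the target host (drops an MX preference), ignore case and trailing dot.
        return rdata.split()[-1].rstrip(".").lower()
    return rdata.strip()

def audit(expected, observed):
    """expected: list of (name, rtype, rdata); observed: {(name, rtype): [rdata, ...]}."""
    answers = {}
    for (name, rtype), rdatas in observed.items():
        key = (name.rstrip(".").lower(), rtype.upper())
        answers[key] = {normalise(rtype, r) for r in rdatas}
    results = []
    for name, rtype, rdata in expected:
        key = (name.rstrip(".").lower(), rtype.upper())
        got = answers.get(key, set())  # empty set when the name has no public answer
        status = "ok" if normalise(rtype, rdata) in got else "warn"
        results.append((status, key[0], key[1], sorted(got)))
    return results

# Constructed sample data (documentation addresses, not real records).
EXPECTED = [
    ("example.com", "A", "192.0.2.10"),
    ("example.com", "AAAA", "2001:0db8:0000:0000:0000:0000:0000:0001"),
    ("example.com", "MX", "mx.example.com"),
    ("example.com", "TXT", "v=spf1 +a +mx -all"),
    ("default._domainkey.example.com", "TXT", "v=DKIM1; k=rsa; p=AAAABBBB"),
    ("www.example.com", "A", "192.0.2.10"),
]
OBSERVED = {
    ("example.com.", "A"): ["192.0.2.10"],
    ("example.com.", "AAAA"): ["2001:db8::1"],
    ("example.com.", "MX"): ["10 MX.example.com."],
    ("example.com.", "TXT"): ['"v=spf1 a mx -all"', '"site-verification=constructed"'],
    ("default._domainkey.example.com.", "TXT"): ['"v=DKIM1; k=rsa; p=AAAA" "BBBB"'],
}
```

The SPF record is flagged because the comparison is on the literal string, and a name with no public answer is flagged with an empty "got" list.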