Open davidande opened 2 years ago
@davidande, I believe this is partially available in the parsedmarc results if you use the Kibana Discover panel and filter on `policy_overrides.type` or `policy_overrides.comment`, but it'd be useful to surface this if appropriate.
As to how to integrate this into the dashboards to help distinguish failures we should not care about, that I'm unsure of and currently trying to figure out as I'm currently wrestling with this too.
For anyone down the line, the situation we're in is that we think there's a specific 3rdpartydomain that's sending on our behalf via Gmail forwards to an intermediate tool. Both we and they use Google as our mail host, so all DMARC reports are exclusively from Google, and parsedmarc is interpreting them all as DMARC failures, but I'm (currently) struggling to find evidence of them failing within any mailboxes, and the ARC policy is showing as a pass according to the reports.
For example, Google reports that its local_policy allowed these emails to pass based on ARC, but the rest of the record shows failures, and there's nothing else useful from here, so I'm currently uncertain whether these are genuine failures that could impact sender scores, or whether the way parsedmarc interprets them is incorrect and I just need to feed that back.
<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <email>noreply-dmarc-support@google.com</email>
    <extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
    <report_id>11749869081117049543</report_id>
    <date_range>
      <begin>1651968000</begin>
      <end>1652054399</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>ourdomain.org</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>none</p>
    <sp>none</sp>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>2600:1901:101::8</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
        <reason>
          <type>local_policy</type>
          <comment>arc=pass</comment>
        </reason>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>ourdomain.org</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>ourdomain.org</domain>
        <result>fail</result>
        <selector>s1</selector>
      </dkim>
      <spf>
        <domain>3rdpartydomain</domain>
        <result>softfail</result>
      </spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>209.85.220.41</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
        <reason>
          <type>local_policy</type>
          <comment>arc=pass</comment>
        </reason>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>ourdomain.org</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>ourdomain.org</domain>
        <result>fail</result>
        <selector>s1</selector>
      </dkim>
      <spf>
        <domain>3rdpartydomain</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
</feedback>
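To make the triage the comment above describes concrete, here is an added example (my own code, not part of parsedmarc) that parses a DMARC aggregate report with the standard library, and labels each record by whether the receiver recorded an override in `policy_evaluated/reason`. The embedded report is the one posted above, trimmed to the fields the code reads; the label names (`forwarded_arc_pass`, `genuine_failure`, and so on) are this example's own vocabulary, not parsedmarc fields, and the comment strings it matches are the ones quoted in this thread.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Aggregate report copied from the post above, reduced to the fields this
# example reads (the second record is the one where SPF passed for 3rdpartydomain).
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
  <policy_published><domain>ourdomain.org</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>2600:1901:101::8</source_ip><count>1</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
        <reason><type>local_policy</type><comment>arc=pass</comment></reason>
      </policy_evaluated></row>
    <identifiers><header_from>ourdomain.org</header_from></identifiers>
    <auth_results><dkim><domain>ourdomain.org</domain><result>fail</result></dkim>
      <spf><domain>3rdpartydomain</domain><result>softfail</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>209.85.220.41</source_ip><count>1</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
        <reason><type>local_policy</type><comment>arc=pass</comment></reason>
      </policy_evaluated></row>
    <identifiers><header_from>ourdomain.org</header_from></identifiers>
    <auth_results><dkim><domain>ourdomain.org</domain><result>fail</result></dkim>
      <spf><domain>3rdpartydomain</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>"""


@dataclass
class RecordTriage:
    source_ip: str
    count: int
    header_from: str
    spf_domain: str   # domain the receiver checked SPF against (the forwarder here)
    label: str


def classify_override(reason_type, comment):
    """Map a policy_evaluated/reason pair to a triage label.

    The labels are this example's own vocabulary (an assumption, not a
    parsedmarc field); the comment strings matched are those quoted in the thread.
    """
    text = (comment or "").strip().lower()
    if "arc=pass" in text:
        return "forwarded_arc_pass"        # receiver verified the ARC chain
    if "arc=fail" in text:
        return "forwarded_arc_fail"        # forwarded, but the ARC chain did not verify
    if reason_type == "forwarded" or "forwarded" in text:
        return "forwarded_unverified"      # reporter's own heuristic, no ARC evidence
    return "override_" + (reason_type or "unknown")  # e.g. "xoar=pass" stays opaque


def triage_report(xml_text):
    """Return one RecordTriage per <record> in a DMARC aggregate report."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    result = []
    for rec in root.iter("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        dkim = evaluated.findtext("dkim", "fail")
        spf = evaluated.findtext("spf", "fail")
        # RFC 7489 allows several <reason> elements; the first one is used here.
        reason = evaluated.find("reason")
        if dkim == "pass" or spf == "pass":
            label = "dmarc_pass"            # an aligned identifier passed
        elif reason is None:
            label = "genuine_failure"       # no override recorded by the receiver
        else:
            label = classify_override(reason.findtext("type"), reason.findtext("comment"))
        result.append(RecordTriage(
            source_ip=row.findtext("source_ip", ""),
            count=int(row.findtext("count", "0")),
            header_from=rec.findtext("identifiers/header_from", ""),
            spf_domain=rec.findtext("auth_results/spf/domain", ""),
            label=label,
        ))
    return result


def summarize(triages):
    """Message counts per triage label, the view a dashboard filter would give."""
    totals = {}
    for t in triages:
        totals[t.label] = totals.get(t.label, 0) + t.count
    return totals


if __name__ == "__main__":
    for t in triage_report(SAMPLE_REPORT):
        print(f"{t.source_ip:>18}  x{t.count}  spf-domain={t.spf_domain}  {t.label}")
    print(summarize(triage_report(SAMPLE_REPORT)))
```

Both records in the posted report come out as `forwarded_arc_pass`: DKIM and SPF failed for the aligned domain, but the receiver's `reason` says its local policy accepted the message on the strength of a verified ARC chain. A record with the same DKIM/SPF failures and no `reason` element is what a `genuine_failure` looks like, which is the split a dashboard filter on `policy_overrides.type` / `policy_overrides.comment` is trying to reproduce. Reports from other sources are untrusted XML, so for production use parse them with `defusedxml` rather than the plain `xml.etree` parser used here for brevity.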
Thanks, `policy_overrides.comment` gives very interesting info depending on the result:
- looks forwarded, downgrade to quarantine with phishing warning
- arc=fail
- arc=pass
- xoar=pass
I don't know what the last one is.
Hello, there is one thing that is missing in PARSEDMARC: ARC. ARC is used to avoid auto-forwarded mails resulting in a failed DKIM check. https://mxtoolbox.com/dmarc/details/arc/dmarc-authenticated-received-chain
I have seen that in some DMARC report suppliers like EASYDMARC, mails that have been forwarded are flagged as TRANSFERED.
Is a forwarded mail seen in PARSEDMARC as failed?
Would it be possible to implement ARC in PARSEDMARC?
Thanks
David
ARC reports are not by default part of the DMARC RFC standard. Some reporters are kind enough to say something in the comment section, but Microsoft is not. Until there is a new ARC report standard or the DMARC RFC is updated to include ARC results, you need to do your best at sorting it out in Kibana with the data parsedmarc is able to get out of the XML reports.