domainaware / parsedmarc

A Python package and CLI for parsing aggregate and forensic DMARC reports
https://domainaware.github.io/parsedmarc/
Apache License 2.0

NEED: ARC info - Transferred mails #303

Open davidande opened 2 years ago

davidande commented 2 years ago

Hello, there is one thing that is missing in PARSEDMARC: ARC. ARC is used to avoid auto-transferred mails resulting in a failed DKIM check. https://mxtoolbox.com/dmarc/details/arc/dmarc-authenticated-received-chain

I have seen that in some DMARC report suppliers like EASYDMARC, mails that have been transferred are marked as TRANSFERRED.

Is a transferred mail seen in PARSEDMARC as failed?

Would it be possible to implement ARC in PARSEDMARC?

Thanks

David

Taoquitok commented 2 years ago

@davidande, I believe this is partially available in the parsedmarc results if you use the Kibana Discover panel and filter on policy_overrides.type or policy_overrides.comment, but it'd be useful to surface this if appropriate.
As to how to integrate this into the dashboards to help distinguish failures we should not care about, that I'm unsure of and currently trying to figure out, as I'm currently wrestling with this too.
For anyone down the line, the situation we're in is that we think there's a specific 3rdpartydomain that's sending on our behalf via Gmail forwards to an intermediate tool. Both we and they use Google as our mail host, so all DMARC reports are exclusively from Google, and parsedmarc is interpreting them all as DMARC failures, but I'm (currently) struggling to find evidence of them failing within any mailboxes, and the ARC policy is showing as a pass according to the reports.

For example, Google reports that its local_policy allowed these emails to pass based on ARC, but the rest of the record shows failures, and there's nothing else useful from here, so I'm currently uncertain whether these are genuine failures that could impact sender scores, or whether the way parsedmarc interprets them is incorrect and I just need to feed that back.

<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <email>noreply-dmarc-support@google.com</email>
    <extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
    <report_id>11749869081117049543</report_id>
    <date_range>
      <begin>1651968000</begin>
      <end>1652054399</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>ourdomain.org</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>none</p>
    <sp>none</sp>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>2600:1901:101::8</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
        <reason>
          <type>local_policy</type>
          <comment>arc=pass</comment>
        </reason>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>ourdomain.org</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>ourdomain.org</domain>
        <result>fail</result>
        <selector>s1</selector>
      </dkim>
      <spf>
        <domain>3rdpartydomain</domain>
        <result>softfail</result>
      </spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>209.85.220.41</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
        <reason>
          <type>local_policy</type>
          <comment>arc=pass</comment>
        </reason>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>ourdomain.org</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>ourdomain.org</domain>
        <result>fail</result>
        <selector>s1</selector>
      </dkim>
      <spf>
        <domain>3rdpartydomain</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
</feedback>
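One way to separate ARC-forwarded traffic from genuine failures when reading a report like the one above, as an added example (this is not parsedmarc's own code): records whose aligned DKIM and SPF both fail are counted as forwarded only when a local_policy override carries the comment "arc=pass", as in Google's reports, and otherwise as real failures. The sample report is constructed (placeholder IPs and report_id), modelled on the XML quoted in this thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the Google aggregate report quoted above.
# Not a real report: the IPs and report_id are placeholders.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>google.com</org_name><report_id>EXAMPLE-ID</report_id></report_metadata>
  <policy_published><domain>ourdomain.org</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>1</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
        <reason><type>local_policy</type><comment>arc=pass</comment></reason>
      </policy_evaluated></row>
    <identifiers><header_from>ourdomain.org</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.11</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
      </policy_evaluated></row>
    <identifiers><header_from>ourdomain.org</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.12</source_ip><count>2</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
      </policy_evaluated></row>
    <identifiers><header_from>ourdomain.org</header_from></identifiers>
  </record>
</feedback>"""


def classify_records(xml_text):
    """Return message counts as {'pass': n, 'arc_forwarded': n, 'fail': n}."""
    counts = {"pass": 0, "arc_forwarded": 0, "fail": 0}
    root = ET.fromstring(xml_text)
    for record in root.findall("record"):
        row = record.find("row")
        count = int(row.findtext("count", "0"))
        evaluated = row.find("policy_evaluated")
        # policy_evaluated holds the *aligned* DKIM/SPF results; DMARC passes if either does.
        if "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf")):
            counts["pass"] += count
            continue
        # Both aligned checks failed: look for a local_policy override explained by ARC.
        overrides = [(r.findtext("type"), (r.findtext("comment") or "").lower())
                     for r in evaluated.findall("reason")]
        if any(t == "local_policy" and "arc=pass" in c for t, c in overrides):
            counts["arc_forwarded"] += count
        else:
            counts["fail"] += count
    return counts
```

The same split is what a Kibana filter on policy_overrides.type = local_policy and policy_overrides.comment = arc=pass gives you over parsedmarc's parsed output; other comment values reporters use (such as the "looks forwarded" text mentioned later in the thread) would need their own match.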
davidande commented 1 year ago

Thanks, policy_overrides.comment gives very interesting info depending on the result:

looks forwarded, downgrade to quarantine with phishing warning

arc=fail

arc=pass

xoar=pass

I don't know what the last one is.

Kuzuto commented 1 year ago

Hello, there is one thing that is missing in PARSEDMARC: ARC. ARC is used to avoid auto-transferred mails resulting in a failed DKIM check. https://mxtoolbox.com/dmarc/details/arc/dmarc-authenticated-received-chain

I have seen that in some DMARC report suppliers like EASYDMARC, mails that have been transferred are marked as TRANSFERRED.

Is a transferred mail seen in PARSEDMARC as failed?

Would it be possible to implement ARC in PARSEDMARC?

Thanks

David

ARC reports are not by default part of the DMARC RFC standard. Some reporters are kind enough to say something in the comment section, but Microsoft is not. Until there is a new ARC report standard or the DMARC RFC is updated to include ARC results, you need to do your best to sort it out in Kibana with the data parsedmarc is able to get out of the XML reports.