domainaware / parsedmarc

A Python package and CLI for parsing aggregate and forensic DMARC reports
https://domainaware.github.io/parsedmarc/
Apache License 2.0

Unknown Delivery-Result "smg-policy-action" in example #76

Closed freddieleeman closed 5 years ago

freddieleeman commented 5 years ago

The example has a "Delivery-Result" header with value "smg-policy-action". But the referred to RFC (http://tools.ietf.org/html/rfc6591) only allows "delivered", "spam", "policy", "reject" and "other". Where did this value come from?

seanthegeek commented 5 years ago

I never noticed that. Good catch! Some gateways will violate the RFC and add their own delivery-result values with various meanings specific to that gateway/vendor. Pretty annoying. I'll fix the example. Thanks!

freddieleeman commented 5 years ago

We process a lot of DMARC forensic and aggregated reports at URIports and most reports follow RFC rules. A large portion of those that fail have the exact same "smg-policy-action" value. The only search results on "smg-policy-action" lead to parsedmarc. I'm unable to find a specification of "smg-policy-action" anywhere on the web. Maybe system administrators just started copying your example data for some odd reason.

seanthegeek commented 5 years ago

Aha! It just occurred to me: SMG == "Symantec Messaging Gateway". It's letting you know an action was taken due to a local policy on the gateway. I wish Symantec would follow the RFC and just say policy.

I'll leave the example as is then, since it's the only public forensic sample I have (from a third party). That way the sample and the output still match.

freddieleeman commented 5 years ago

Aha, thanks for clearing that up. We will convert the value to "policy" then. Although I do not understand why you would "support" violation of the RFC. If you want I can help you out with an RFC-compliant forensic report.

seanthegeek commented 5 years ago

True. I was thinking about that too as soon as I wrote that comment, so I just added some code to normalize that field.

Having an RFC-compliant forensic report would be great. Thanks!

freddieleeman commented 5 years ago

As soon as I receive one for one of my own domains I'll send it to you anonymized.
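
The normalization discussed in this thread (converting "smg-policy-action" to "policy"), as an added example that is not part of the original thread and is not parsedmarc's own code. The function names, the constructed sample report, and the choice to map any other unrecognized value to "other" are assumptions.

```python
from email import message_from_string

# The five Delivery-Result values the thread quotes from RFC 6591.
RFC_VALUES = {"delivered", "spam", "policy", "reject", "other"}
# Vendor value -> RFC value. Only the mapping agreed on in the thread.
VENDOR_MAP = {"smg-policy-action": "policy"}

# Constructed sample report (not real data).
SAMPLE = """\
From: reporter@example.net
MIME-Version: 1.0
Content-Type: multipart/report; report-type=feedback-report; boundary="b1"

--b1
Content-Type: text/plain

Constructed sample.

--b1
Content-Type: message/feedback-report

Feedback-Type: auth-failure
Version: 1
Auth-Failure: dmarc
Delivery-Result: smg-policy-action

--b1--
"""

def normalize_delivery_result(raw):
    """Map a raw value to an RFC value; unknown values become "other" (assumption)."""
    value = raw.strip().lower()
    if value in RFC_VALUES:
        return value
    return VENDOR_MAP.get(value, "other")

def delivery_result(report_text):
    """Return (normalized, raw) from the feedback-report part, or (None, None)."""
    for part in message_from_string(report_text).walk():
        if part.get_content_type() != "message/feedback-report":
            continue
        payload = part.get_payload()
        # The stdlib parser exposes message/* bodies as a nested Message.
        fields = payload[0] if isinstance(payload, list) else message_from_string(payload)
        raw = fields.get("Delivery-Result")
        if raw is not None:
            return normalize_delivery_result(raw), raw.strip()
    return None, None
```

Returning the raw value alongside the normalized one lets a report pipeline count how often a reporter sends a non-RFC value instead of silently discarding that signal.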