jorritfolmer / TA-dmarc

Add-on for ingesting DMARC aggregate reports into Splunk
https://splunkbase.splunk.com/app/3752

IMAP input skips messages without "Report Domain:" in the subject #46

Open tfrederick74656 opened 1 year ago

tfrederick74656 commented 1 year ago

Splunk 9.0.3, TA-dmarc 4.1.1

The IMAP input appears to only select messages with the text "Report Domain:" in the subject.

# TA-dmarc/bin/dmarc/imap2dir.py:164
messages = self.server.search('SUBJECT "Report domain:"')

2/4/23 12:32:55.388 PM | 2023-02-04 17:32:55,388 INFO pid=11780 tid=MainThread file=base_modinput.py:log_info:295 | get_dmarc_messages: 34 messages in folder INBOX match subject "Report domain:"
2/4/23 12:32:55.329 PM | 2023-02-04 17:32:55,329 INFO pid=11780 tid=MainThread file=base_modinput.py:log_info:295 | get_dmarc_messages: 41 messages in folder INBOX

However, we regularly see reports from multiple orgs that don't adhere to this standard: [screenshot]

Could this check be safely skipped by default, or at least the ability to customize the filter be added as an option in the UI?

As a temporary workaround, I've updated the code to messages = self.server.search(). The search() function in imapclient specifies a default argument of ALL for the search criteria, so this simply returns all messages.

Thanks for all your work on this wonderful app, it's an absolute lifesaver :)
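One way to select reports without depending on the Subject line at all, as an added example that is not part of TA-dmarc or this thread: classify each message by the attachment filename that RFC 7489 section 7.2.1.1 defines (receiver!policy-domain!begin!end[!id].ext), so a mailbox fetched with the ALL workaround can still be narrowed to actual aggregate reports. The messages below are constructed with the standard library; the imapclient fetch itself is left out.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# RFC 7489 section 7.2.1.1 attachment filename:
#   receiver "!" policy-domain "!" begin-timestamp "!" end-timestamp [ "!" unique-id ] "." extension
REPORT_FILENAME = re.compile(
    r"^[^!]+![^!]+!\d+!\d+(?:![A-Za-z0-9]+)?\.(?:xml|zip|gz|xml\.gz)$", re.IGNORECASE)

def is_dmarc_aggregate_report(raw: bytes) -> bool:
    """True if any leaf part carries an RFC 7489 report filename; the Subject
    line is deliberately ignored since "Report Domain:" is only a SHOULD."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if not part.is_multipart() and REPORT_FILENAME.match(part.get_filename() or ""):
            return True
    return False

def select_reports(mailbox: dict) -> list:
    """Filter a {uid: raw_bytes} mapping down to the aggregate reports."""
    return [uid for uid, raw in mailbox.items() if is_dmarc_aggregate_report(raw)]

def _constructed_message(subject, filename="", ctype="application/zip") -> bytes:
    """Build a constructed sample message (not real report data) as raw bytes."""
    msg = EmailMessage()
    msg["From"] = "dmarc-noreply@sender.example"
    msg["To"] = "dmarc-reports@receiver.example"
    msg["Subject"] = subject
    msg.set_content("Aggregate report attached.")
    if filename:
        maintype, subtype = ctype.split("/", 1)
        msg.add_attachment(b"PK\x03\x04", maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()

# Constructed mailbox: an RFC-style subject, a custom subject (the case from the
# issue), and an ordinary mail whose subject happens to contain "Report domain:".
MAILBOX = {
    1: _constructed_message("Report Domain: receiver.example Submitter: sender.example",
                            "sender.example!receiver.example!1675468800!1675555199.zip"),
    2: _constructed_message("DMARC aggregate report for receiver.example",
                            "sender.example!receiver.example!1675468800!1675555199!a1b2.xml.gz",
                            "application/gzip"),
    3: _constructed_message("Report domain: quarterly numbers"),
}

if __name__ == "__main__":
    print(select_reports(MAILBOX))  # [1, 2]
```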

jorritfolmer commented 1 year ago

Good to know your workaround works! The “Report domain:” subject is a SHOULD item in the DMARC RFC 7489 in paragraph 7.2.1.1. That makes it a (strong) recommendation but not a requirement so I guess it could be skipped.

I’ll update the UI if there are other issues that need to be fixed. Let’s leave this issue open until then.

tfrederick74656 commented 1 year ago

Sounds good, thanks! I'll report back in a week or so if we run into any issues with that workaround, but so far, so good.