liuch / dmarc-srg

A php parser, viewer and summary report generator for incoming DMARC reports.
GNU General Public License v3.0

Add DMARC disposition to the Report Detail filter #101

Closed KlaasBonnema closed 3 months ago

KlaasBonnema commented 10 months ago

You may have to look at the Report Detail report to find what actually is happening for a specific set of reporting entries. While you can filter on SPF or DKIM alignment it is currently not possible to filter on DMARC disposition. Even if both SPF and DKIM do not align the mail server may still decide to deviate from the published DMARC policy.

The request is to add a DMARC filter (none, quarantine, policy)

Also adjust the disposition display inside an entry to green for none and red for quarantine or reject.

liuch commented 10 months ago

Even though I've never needed such a thing, I think it's worth implementing.

KlaasBonnema commented 10 months ago

I currently have several reports that are not aligned but have a disposition of none with our DMARC policy as quarantine.

liuch commented 10 months ago

Also adjust the disposition display inside an entry to green for none and red for quarantine or reject.

"None" doesn't always mean that all is well. You can get disposition "none" when you have a problem with SPF and DKIM alignment because you have p:none or a pct different from 100 in your published policy. So I am not sure that using green with "none" is a good idea.

KlaasBonnema commented 10 months ago

Disposition "none" means that DMARC does not give advice to the mail server to "quarantine" (send to spam) or "reject" (bounce) the mail. The final decision is up to the mail server, and often spammy content will still cause a spam placement or bounce. On the other hand, an alignment fail of both SPF and DKIM may not always cause a quarantine or reject disposition. I guess what you are saying is that disposition "none" says: there is no convincing evidence to give a guilty verdict.

My reasoning to mark disposition none as green is that it is a visual indicator that quickly tells you the status of the three major factors in DMARC reporting. Red is stop, green is go - with a green disposition the mail may proceed, even if the DMARC policy would never cause a red.

You could combine policy p:, sp:, np: with disposition: none and only mark green with a DMARC quarantine or reject policy. I would however not bother and just consistently use green or red for none or not none.

liuch commented 10 months ago

The user may think that having a green color means that all is well and no action needs to be taken. Here's an example:

[screenshot]

Do you like this indication? It may seem like there is no problem with these messages, but in fact, there is a problem. The color green doesn't help here, on the contrary it gives a false sense that all is well.

Here is another example:

[screenshot]

The disposition is red here. It looks like there is a problem. In fact, it's a standard system response to spam. It's routine. Maybe it shouldn't be green, but I don't think red is appropriate here either.

KlaasBonnema commented 10 months ago

Example 1: Without looking at the color marking of the disposition, it would tell me that with DKIM and SPF failing it would be logical that the DMARC disposition should be reject, but for some reason it is not for this record. An explanation can be that it falls in the 75% of mails that were not influenced because of the pct:25 setting. It must be the intention of the domain owner that 75% of the e-mails are delivered without regard for the DMARC disposition. I see records with disposition: none where there is an Evaluated reason that explains that the mail was likely forwarded. Main conclusion here: these mails did not get quarantined or rejected because of the DMARC disposition advice.

Second example: with DKIM and SPF fail and disposition reject, I would assume that the DMARC evaluation has advised to bounce the e-mail. I cannot see the independent effect of the SPAM evaluation, which may take into account various other factors besides DMARC disposition, such as occurrence of certain words in the text, occurrence of certain external links, IP or domain reputation and more. In this example the DKIM auth and SPF auth result is pass, telling me that SPF and DKIM evaluation as such passed but the DMARC alignment with the From: header domain failed. This indicates a high probability of a spoofed address on a spam or phishing mail. I have no indication that the disposition: reject in the DMARC report is caused by a SPAM evaluation instead of just the DMARC evaluation. I do expect that regardless of SPAM score the e-mail was bounced by the receiving server.

With both examples the DMARC disposition tells me what the advice was to the receiving mail system. I can only positively tell if the mail was placed in the inbox, spam folder or bounced when I am able to access that mail account.
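The two ideas discussed in this thread (the requested disposition filter, and liuch's point that disposition "none" is only reassuring when it is explained by alignment, a p=none policy, a pct below 100, or an evaluated reason such as forwarding) as an added Python example. This is not code from dmarc-srg (which is PHP); the aggregate report XML is constructed and the colour labels are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate report, not a real one: p=quarantine with pct=25,
# and four records covering the cases argued about in the thread.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>quarantine</p><sp>reject</sp><pct>25</pct></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>3</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>192.0.2.11</source_ip><count>1</count>
    <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>192.0.2.12</source_ip><count>5</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>192.0.2.13</source_ip><count>2</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
      <reason><type>forwarded</type></reason></policy_evaluated></row></record>
</feedback>"""

def parse_report(xml_text):
    """Return the published policy and a flat list of records from one aggregate report."""
    root = ET.fromstring(xml_text)
    pp = root.find("policy_published")
    policy = {"p": pp.findtext("p"), "sp": pp.findtext("sp"), "pct": int(pp.findtext("pct") or 100)}
    records = []
    for rec in root.iter("record"):
        pe = rec.find("row/policy_evaluated")
        records.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "disposition": pe.findtext("disposition"),
            # DMARC passes when either the DKIM or the SPF aligned result passes.
            "aligned": pe.findtext("dkim") == "pass" or pe.findtext("spf") == "pass",
            "reasons": [r.findtext("type") for r in pe.findall("reason")],
        })
    return policy, records

def filter_by_disposition(records, disposition):
    """The filter requested in this issue: keep only rows with the given disposition."""
    return [r for r in records if r["disposition"] == disposition]

def classify(policy, rec):
    """Colour label (assumed scheme): red when the receiver quarantined or rejected,
    green only when disposition none is backed by alignment, otherwise yellow plus
    the most likely explanation for the lenient disposition."""
    if rec["disposition"] in ("quarantine", "reject"):
        return "red"
    if rec["aligned"]:
        return "green"
    if rec["reasons"]:
        return "yellow: " + ",".join(rec["reasons"])
    if policy["p"] == "none":
        return "yellow: p=none"
    if policy["pct"] < 100:
        return "yellow: pct=%d" % policy["pct"]
    return "yellow: unexplained"
```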

liuch commented 10 months ago

I have no beef with the way these letters were handled by the receiving party. My question was whether the coloring (red/green) for these two examples was adequate given expectations of ordinary users.

KlaasBonnema commented 10 months ago

I interpret the reported disposition as what has been evaluated by the receiving server. If it deviates, like it does with detected forwards, then it is what it is, green or red, pass or fail. As you may have noticed in Authentication-Results: headers, it is common to indicate a dmarc result as pass or fail.