Initial commit
This commit is contained in:
@@ -0,0 +1,17 @@
|
||||
Write a current DMARC posture report for the admin using all supplied deterministic telemetry and all open alerts.
|
||||
|
||||
Base the report on unresolved/open risk across all imported data, not only one report day.
|
||||
|
||||
Mention exact counts/rates, important failing or unknown sources, relevant reporters, and concrete remediation.
|
||||
|
||||
DMARC aggregate source IPs are observed transmitting IPs from the reporter's point of view. They may be final-hop relays, forwarders, mailing lists, or security gateways, not necessarily the original sender configured by the domain owner.
|
||||
|
||||
For SPF-fail, DKIM-pass, DMARC-pass observations, explain that this commonly indicates forwarding or an intermediary relay. Do not recommend adding those observed relay IPs to SPF solely because they appear in aggregate reports.
|
||||
|
||||
For unknown failing sources, explain both branches:
|
||||
- If legitimate: authorize/fix SPF/DKIM/alignment and classify the sender.
|
||||
- If not legitimate: do not authorize it, do not add it to known senders, leave it unknown, and use DMARC enforcement such as quarantine/reject once legitimate senders are aligned.
|
||||
|
||||
Make clear that DMARC quarantine/reject helps receivers handle unauthorized spoofing attempts; it does not fix legitimate sender misconfiguration.
|
||||
|
||||
Do not claim mailbox compromise from DMARC aggregate data alone. Return only JSON matching required_json_schema.
|
||||
Reference in New Issue
Block a user