14 lines
1.2 KiB
Markdown
Explain this DMARC alert to a business owner/admin.

Be precise, do not invent facts, distinguish likely spoofing from confirmed compromise, and provide concrete next steps.

The source IPs in DMARC aggregate reports are the transmitting IPs as observed by the reporting receiver. They may be final-hop relays, forwarders, mailing lists, or security gateways, not necessarily the original sender configured by the domain owner.

If SPF fails but DKIM aligns and DMARC passes, do not frame the IP as a threat or as something to add to SPF. Explain that forwarding or an intermediary relay commonly breaks SPF while preserving DKIM, and that DMARC passed because the aligned DKIM signature proved authorization.

If a source appears to be a direct legitimate sender, say to authorize it correctly by fixing SPF/DKIM alignment and then classifying it as approved.

If a source is not legitimate, say not to add it to known senders, not to loosen SPF/DKIM for it, and to rely on DMARC enforcement once legitimate senders are aligned. Mention that a quarantine/reject policy lets receivers handle unauthorized spoofing attempts, while DNS fixes are only for legitimate senders.

Return exactly one JSON object with these keys: summary, risk, recommended_action, confidence.
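The classification rules above (forwarding vs. direct legitimate sender vs. unauthorized source) can be applied mechanically to the per-source rows of a DMARC aggregate report before anything is explained to an owner. The following is an added example, not part of the original prompt: it parses a constructed aggregate report in the RFC 7489 XML shape, applies the rules to each source IP, and returns one object with exactly the four keys the prompt asks for. `SAMPLE_REPORT` and `KNOWN_SENDER_IPS` are constructed values; the inventory set is the hypothetical list of the domain owner's own mail servers, and it is the one input a human must supply, since a report alone cannot tell a legitimate-but-misaligned sender from a spoofer.

```python
"""Classify DMARC aggregate-report sources using the rules from the prompt above.

Added example. SAMPLE_REPORT is a constructed report in the RFC 7489 aggregate
shape and KNOWN_SENDER_IPS is a hypothetical inventory; neither is real data.
"""
import json
import xml.etree.ElementTree as ET  # for untrusted reports in production, prefer defusedxml

# Constructed sample report: four sources for the same header-from domain.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>constructed-1</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>quarantine</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>3</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>120</count>
    <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>192.0.2.25</source_ip><count>8</count>
    <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>
"""

# Hypothetical inventory of the domain owner's own sending IPs (constructed).
KNOWN_SENDER_IPS = {"192.0.2.10", "192.0.2.25"}

RISK_ORDER = ["none", "misconfiguration", "likely_spoofing"]  # low to high
CONF_ORDER = ["low", "medium", "high"]                         # low to high


def parse_report(xml_text):
    """Return (domain, published policy, per-source rows) from an aggregate report."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        rows.append({
            "ip": row.findtext("source_ip"),
            "count": int(row.findtext("count", "0")),
            # policy_evaluated carries the *aligned* SPF/DKIM results DMARC actually uses
            "dkim": row.findtext("policy_evaluated/dkim", "fail"),
            "spf": row.findtext("policy_evaluated/spf", "fail"),
        })
    return root.findtext("policy_published/domain"), root.findtext("policy_published/p"), rows


def classify_source(row, known_ips):
    """Apply the prompt's rules to one source IP and return a four-key verdict."""
    ip, n, dkim, spf = row["ip"], row["count"], row["dkim"], row["spf"]
    dmarc_pass = dkim == "pass" or spf == "pass"
    if dkim == "pass" and spf == "pass":
        return {"summary": f"{ip} sent {n} message(s); SPF and DKIM both aligned, DMARC passed.",
                "risk": "none",
                "recommended_action": "No DNS change needed; classify this source as approved.",
                "confidence": "high"}
    if dmarc_pass and dkim == "pass":
        # Forwarders, lists and gateways re-send from their own IP, which breaks SPF,
        # but the aligned DKIM signature survives and is what proved authorization.
        return {"summary": f"{ip} sent {n} message(s); SPF failed but aligned DKIM passed, so DMARC passed. "
                           "This pattern is typical of forwarding or an intermediary relay, not spoofing.",
                "risk": "none",
                "recommended_action": "Do not add this IP to SPF and do not treat it as a threat.",
                "confidence": "high"}
    if dmarc_pass:
        # Aligned SPF only: passes today, but any forwarding hop would make it fail.
        return {"summary": f"{ip} sent {n} message(s); SPF aligned, no aligned DKIM signature, DMARC passed.",
                "risk": "none",
                "recommended_action": "Add aligned DKIM signing for this sender so DMARC survives forwarding.",
                "confidence": "high"}
    if ip in known_ips:
        return {"summary": f"{ip} is an inventoried sender, but {n} message(s) failed both SPF and DKIM alignment.",
                "risk": "misconfiguration",
                "recommended_action": "Fix SPF and/or DKIM alignment for this sender, then classify it as approved.",
                "confidence": "medium"}
    return {"summary": f"{ip} sent {n} message(s) claiming the domain that failed both SPF and DKIM alignment; "
                       "this is likely spoofing. An aggregate report alone cannot confirm a compromise.",
            "risk": "likely_spoofing",
            "recommended_action": "Do not add this IP to SPF or known senders; once legitimate senders are aligned, "
                                  "rely on a quarantine/reject policy so receivers handle these messages.",
            "confidence": "medium"}


def explain_alert(xml_text, known_ips):
    """Build the single object the prompt asks for: summary, risk, recommended_action, confidence."""
    domain, policy, rows = parse_report(xml_text)
    verdicts = [classify_source(r, known_ips) for r in rows]
    return {
        "summary": f"DMARC aggregate report for {domain} (published policy p={policy}). "
                   + " ".join(v["summary"] for v in verdicts),
        "risk": max((v["risk"] for v in verdicts), key=RISK_ORDER.index, default="none"),
        "recommended_action": " ".join(dict.fromkeys(v["recommended_action"] for v in verdicts)),
        "confidence": min((v["confidence"] for v in verdicts), key=CONF_ORDER.index, default="low"),
    }


if __name__ == "__main__":
    print(json.dumps(explain_alert(SAMPLE_REPORT, KNOWN_SENDER_IPS), indent=2))
```

The overall `risk` is the highest per-source risk and the overall `confidence` the lowest, so one unauthorized source is never hidden behind many approved ones. Sources that fail DMARC are labelled "misconfiguration" only when they are in the owner-supplied inventory; everything else that fails both checks is reported as likely spoofing, never as confirmed compromise, because the report carries no evidence for that stronger claim.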