18 lines
1.3 KiB
Markdown
Write a current DMARC posture report for the admin using all supplied deterministic telemetry and all open alerts.
Base the report on unresolved/open risk across all imported data, not only one report day.
Mention exact counts/rates, important failing or unknown sources, relevant reporters, and concrete remediation.
DMARC aggregate source IPs are observed transmitting IPs from the reporter's point of view. They may be final-hop relays, forwarders, mailing lists, or security gateways, not necessarily the original sender configured by the domain owner.
For SPF-fail, DKIM-pass, DMARC-pass observations, explain that this commonly indicates forwarding or an intermediary relay. Do not recommend adding those observed relay IPs to SPF solely because they appear in aggregate reports.
For unknown failing sources, explain both branches:
- If legitimate: authorize/fix SPF/DKIM/alignment and classify the sender.
- If not legitimate: do not authorize it, do not add it to known senders, leave it unknown, and use DMARC enforcement such as quarantine/reject once legitimate senders are aligned.
Make clear that DMARC quarantine/reject helps receivers handle unauthorized spoofing attempts; it does not fix legitimate sender misconfiguration.
Do not claim mailbox compromise from DMARC aggregate data alone. Return only JSON matching required_json_schema.
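The classification rules above (aligned, SPF-fail/DKIM-pass forwarding signature, known failing, unknown failing with two branches) can be applied mechanically before any report is written. The following is an added worked example, not code from this prompt file or its project: it runs the rules over constructed aggregate-report rows (RFC 5737 documentation IPs, an assumed one-entry sender inventory `KNOWN_SENDERS`) and produces counts, a pass rate, per-source reporter lists and remediation text. The output dict is an illustrative shape, not the `required_json_schema` the prompt refers to, which is not shown on this page.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Row:
    """One <record> row from a DMARC aggregate (RUA) report, already flattened."""
    reporter: str      # organisation that produced the report
    source_ip: str     # transmitting IP as seen by the reporter (may be a relay, not the origin)
    count: int         # messages covered by this row
    spf: str           # aligned SPF result used for the DMARC verdict: "pass" or "fail"
    dkim: str          # aligned DKIM result used for the DMARC verdict: "pass" or "fail"


# Assumed sender inventory for this example (documentation-range IPs, RFC 5737).
KNOWN_SENDERS = {"203.0.113.10": "marketing-esp"}

# Constructed sample telemetry standing in for several imported report days.
SAMPLE_ROWS = [
    Row("google.com", "203.0.113.10", 900, "pass", "pass"),    # aligned known sender
    Row("google.com", "198.51.100.7", 40, "fail", "pass"),     # SPF broke in transit, DKIM held
    Row("microsoft.com", "192.0.2.55", 60, "fail", "fail"),    # not in inventory, fully failing
    Row("microsoft.com", "203.0.113.10", 20, "fail", "fail"),  # known sender, currently misconfigured
]


def dmarc_pass(row: Row) -> bool:
    """DMARC passes when either aligned SPF or aligned DKIM passes."""
    return row.spf == "pass" or row.dkim == "pass"


def classify(row: Row) -> str:
    if dmarc_pass(row):
        if row.spf == "fail" and row.dkim == "pass":
            # Forwarding / intermediary-relay signature: the observed IP is the relay,
            # so adding it to SPF on this evidence alone is the wrong fix.
            return "likely_forwarding"
        return "aligned"
    if row.source_ip in KNOWN_SENDERS:
        return "known_failing"      # legitimate sender: fix SPF/DKIM/alignment
    return "unknown_failing"        # unidentified source: two-branch handling below


UNKNOWN_BRANCHES = (
    "If legitimate: authorize/fix SPF, DKIM and alignment, then classify the sender.",
    "If not legitimate: do not authorize it or add it to known senders; leave it unknown "
    "and rely on DMARC quarantine/reject once legitimate senders are aligned.",
)
ENFORCEMENT_NOTE = ("DMARC quarantine/reject lets receivers handle unauthorized spoofing; "
                    "it does not fix legitimate sender misconfiguration.")


def posture(rows) -> dict:
    """Aggregate open risk across all rows into a report-shaped dict (illustrative schema)."""
    by_category = defaultdict(int)
    sources = defaultdict(lambda: {"count": 0, "reporters": set()})
    total = passed = 0
    for row in rows:
        cat = classify(row)
        by_category[cat] += row.count
        total += row.count
        passed += row.count if dmarc_pass(row) else 0
        src = sources[(cat, row.source_ip)]
        src["count"] += row.count
        src["reporters"].add(row.reporter)

    def listing(cat):
        # Per-source view for one category, with every reporter that observed the IP.
        return [{"ip": ip, "count": v["count"], "reporters": sorted(v["reporters"])}
                for (c, ip), v in sorted(sources.items(), key=lambda kv: kv[0]) if c == cat]

    remediation = []
    for s in listing("known_failing"):
        remediation.append(f"{KNOWN_SENDERS[s['ip']]} ({s['ip']}): fix SPF/DKIM signing and "
                           f"alignment; {s['count']} failing messages reported by "
                           f"{', '.join(s['reporters'])}.")
    for s in listing("likely_forwarding"):
        remediation.append(f"{s['ip']}: SPF-fail/DKIM-pass/DMARC-pass, consistent with forwarding "
                           f"or a relay; no SPF change recommended on aggregate evidence alone.")
    for s in listing("unknown_failing"):
        remediation.append(f"{s['ip']} ({s['count']} msgs via {', '.join(s['reporters'])}): "
                           + " ".join(UNKNOWN_BRANCHES))
    if listing("unknown_failing"):
        remediation.append(ENFORCEMENT_NOTE)

    return {
        "total_messages": total,
        "dmarc_pass_messages": passed,
        "dmarc_pass_rate": round(passed / total, 4) if total else 0.0,
        "by_category": dict(by_category),
        "unknown_failing_sources": listing("unknown_failing"),
        "likely_forwarding_sources": listing("likely_forwarding"),
        "remediation": remediation,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(posture(SAMPLE_ROWS), indent=2))
```

Note that the forwarding branch never emits an "add to SPF" recommendation and that the unknown-source branch leaves the classification decision to the admin, which is exactly the behaviour the prompt asks the report writer to preserve; mailbox compromise is not inferred anywhere, since the rows carry no evidence for it.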