Workflow guide · Email authentication

Turn DMARC aggregate files into a reviewer-owned remediation queue

The useful output is not a colorful pass-rate chart. It is a deduplicated set of material sources, explicit ownership labels, alignment evidence, and actions tied to the domain’s intended mail flow.

Guide with a worked sample—not a live result.The example uses reserved test addresses and one synthetic record. This page does not read mail, inspect message content, query DNS, or change policy.

1. Collect a bounded reporting window

Choose a known date range and retain original filenames, receipt time, reporter, compressed hash, expanded hash, and policy domain. Do not mix months of files into one unreviewable batch. If an archive expands beyond the stated browser limits, split it before analysis rather than weakening the guardrail.

2. Fail closed before aggregation

  1. Reject malformed XML, document type/entity declarations, unsupported files, and expanded-size excess.
  2. Parse report ID, reporter, policy, date range, record count, source, disposition, and authentication/alignment evidence.
  3. Exclude exact duplicates using report identity and payload evidence.
  4. Keep overlapping windows visible. Do not silently add overlapping counts as if they were independent.
  5. If any material file fails, mark the batch incomplete rather than replacing it with sample data.

3. Classify with human-owned context

Expected

A known service with an accountable owner and documented DKIM/SPF alignment path. A passing result is evidence for this supplied window, not permanent authorization.

Unknown

Material volume without a confirmed owner. Investigate contracts, sending domains, selectors, envelope-from, and internal system ownership.

Ignore

A reviewer chooses not to remediate a source for a documented reason. Keep the decision and expiry visible.

Blocked input

Parser or archive safety failed. Resolve input integrity before interpreting any trend or policy readiness.

4. Avoid misleading conclusions

  • IP equals vendor: address ownership and sending authorization are different facts.
  • SPF pass equals DMARC pass: DMARC requires alignment with the visible From domain through SPF or DKIM.
  • One reporter equals global mail flow: supplied aggregate reports can be incomplete.
  • High pass rate means enforce now: small but important unknown streams can still break under quarantine or reject.

5. Reproduce both sides of the worked sample

shasum -a 256 \
  app/fixtures/flagship-editorial-20260713/dmarc/pass.xml \
  app/fixtures/flagship-editorial-20260713/dmarc/blocked-doctype.xml

pass.xml5897bf1ffeb488e0ee35fdd9e06c33f80be58fe180028b82017832966259924b

blocked-doctype.xml7993a02e313748dfabcd2e2034c87bb917a5b08758c24a1b3f2d260f69efe52e

The first file should contribute one synthetic 25-message record; the second should be rejected before aggregation. Use the canonical tool to obtain the actual parser verdict and receipt.

6. Remediate and move policy deliberately

FindingEvidence to gatherTypical next step
Expected source, alignment passOwner, selector/envelope domain, sending purposeKeep monitoring; document dependency
Expected source, alignment failDKIM domain, SPF domain, visible From, vendor configurationCorrect alignment before enforcement
Unknown material sourceVolume, dates, reverse/ownership context, business ownerIdentify, authorize and align—or retire
Incomplete or overlapping batchFile inventory, hashes, report IDs, time windowsRepair evidence before policy decision

Increase enforcement only through an approved change with rollback ownership and post-change monitoring. The tool cannot decide the organization’s acceptable mail-loss risk.

Method, limits, and privacy

Method: bounded ingest, fail-closed parsing, deduplication, explicit classification, remediation, and staged policy review. Limits: no DNS changes, message-content inspection, ownership inference, or deliverability guarantee. Privacy: source IPs and authentication identifiers may be sensitive; process them only on a trusted device under an approved handling policy.

Official sources

Correction channel

Send source, workflow, parser-boundary, or fixture corrections to [email protected] with the exact statement and evidence. FastTool is the accountable publisher; material corrections are recorded in the changelog. Reviewed 2026-07-13.