Workflow guide · Email authentication
Turn DMARC aggregate files into a reviewer-owned remediation queue
The useful output is not a colorful pass-rate chart. It is a deduplicated set of material sources, explicit ownership labels, alignment evidence, and actions tied to the domain’s intended mail flow.
1. Collect a bounded reporting window
Choose a known date range and retain original filenames, receipt time, reporter, compressed hash, expanded hash, and policy domain. Do not mix months of files into one unreviewable batch. If an archive expands beyond the stated browser limits, split it before analysis rather than weakening the guardrail.
2. Fail closed before aggregation
- Reject malformed XML, document type/entity declarations, unsupported files, and expanded-size excess.
- Parse report ID, reporter, policy, date range, record count, source, disposition, and authentication/alignment evidence.
- Exclude exact duplicates using report identity and payload evidence.
- Keep overlapping windows visible. Do not silently add overlapping counts as if they were independent.
- If any material file fails, mark the batch incomplete rather than replacing it with sample data.
3. Classify with human-owned context
Expected
A known service with an accountable owner and documented DKIM/SPF alignment path. A passing result is evidence for this supplied window, not permanent authorization.
Unknown
Material volume without a confirmed owner. Investigate contracts, sending domains, selectors, envelope-from, and internal system ownership.
Ignore
A reviewer chooses not to remediate a source for a documented reason. Keep the decision and expiry visible.
Blocked input
Parser or archive safety failed. Resolve input integrity before interpreting any trend or policy readiness.
4. Avoid misleading conclusions
- IP equals vendor: address ownership and sending authorization are different facts.
- SPF pass equals DMARC pass: DMARC requires alignment with the visible From domain through SPF or DKIM.
- One reporter equals global mail flow: supplied aggregate reports can be incomplete.
- High pass rate means enforce now: small but important unknown streams can still break under quarantine or reject.
5. Reproduce both sides of the worked sample
shasum -a 256 \
app/fixtures/flagship-editorial-20260713/dmarc/pass.xml \
app/fixtures/flagship-editorial-20260713/dmarc/blocked-doctype.xmlpass.xml5897bf1ffeb488e0ee35fdd9e06c33f80be58fe180028b82017832966259924b
blocked-doctype.xml7993a02e313748dfabcd2e2034c87bb917a5b08758c24a1b3f2d260f69efe52e
The first file should contribute one synthetic 25-message record; the second should be rejected before aggregation. Use the canonical tool to obtain the actual parser verdict and receipt.
6. Remediate and move policy deliberately
| Finding | Evidence to gather | Typical next step |
|---|---|---|
| Expected source, alignment pass | Owner, selector/envelope domain, sending purpose | Keep monitoring; document dependency |
| Expected source, alignment fail | DKIM domain, SPF domain, visible From, vendor configuration | Correct alignment before enforcement |
| Unknown material source | Volume, dates, reverse/ownership context, business owner | Identify, authorize and align—or retire |
| Incomplete or overlapping batch | File inventory, hashes, report IDs, time windows | Repair evidence before policy decision |
Increase enforcement only through an approved change with rollback ownership and post-change monitoring. The tool cannot decide the organization’s acceptable mail-loss risk.
Method, limits, and privacy
Method: bounded ingest, fail-closed parsing, deduplication, explicit classification, remediation, and staged policy review. Limits: no DNS changes, message-content inspection, ownership inference, or deliverability guarantee. Privacy: source IPs and authentication identifiers may be sensitive; process them only on a trusted device under an approved handling policy.
Official sources
Correction channel
Send source, workflow, parser-boundary, or fixture corrections to [email protected] with the exact statement and evidence. FastTool is the accountable publisher; material corrections are recorded in the changelog. Reviewed 2026-07-13.