Original lab ยท Email authentication
Can a DMARC triage pass accept a bounded report and fail closed on risky XML?
The success fixture contains one synthetic aligned record and 25 messages. The failure fixture adds a document type and entity declaration, which the FastTool parser contract rejects before report analysis.
Question and expected behavior
Bounded report
The XML has one report ID, one record, count 25, relaxed alignment, policy quarantine, and passing DKIM/SPF evaluation. The source address is from TEST-NET-1.
Blocked declaration
The second XML contains DOCTYPE and an entity. It is intentionally incomplete as a report and should be rejected without substituting sample data.
Method
- Hash compressed and expanded input bytes before aggregation.
- Reject unsupported containers, size/depth excess, malformed XML, and document type/entity declarations.
- Parse report identity, policy, time window, source, counts, alignment, disposition, and authentication results.
- Deduplicate exact report identities and payloads; keep overlapping windows visible for review.
- Classify sources only with explicit local reviewer labels. Do not infer organizational ownership from an IP address.
Fixture evidence
shasum -a 256 app/fixtures/flagship-editorial-20260713/dmarc/*.xmlpass.xml5897bf1ffeb488e0ee35fdd9e06c33f80be58fe180028b82017832966259924b
blocked-doctype.xml7993a02e313748dfabcd2e2034c87bb917a5b08758c24a1b3f2d260f69efe52e
Deterministic fixture observations
| Fixture | Records | Message count | Structural observation | Expected handling |
|---|---|---|---|---|
| pass.xml | 1 | 25 | DKIM and SPF evaluation are both pass; policy is quarantine. | Parse for reviewer triage |
| blocked-doctype.xml | 0 complete records | 0 | Contains a prohibited document type and entity declaration. | Fail closed |
The first row does not prove deliverability or complete mail flow. It only describes the one supplied report. The second row is a parser-safety expectation, not proof against every XML attack.
Limits and privacy
Limits
- Aggregate reports do not contain message content and may not cover every receiver or time window.
- The tool does not edit DNS, send mail, infer ownership, or guarantee inbox placement.
- Counts can be duplicated or overlap across reports; identity and time-window evidence must stay visible.
Privacy boundary
Aggregate reports contain source IPs and authentication identifiers that may be sensitive. Use a trusted device and approved handling policy. The canonical tool processes files in the browser, but that does not authorize use of confidential reports.
Official sources
Corrections
Send a source, parser-boundary, count, or hash correction to [email protected]. Include the URL, exact issue, evidence, and proposed change. FastTool is the accountable publisher; material changes appear in the changelog. Reviewed 2026-07-13.