Original lab ยท Email authentication

Can a DMARC triage pass accept a bounded report and fail closed on risky XML?

The success fixture contains one synthetic aligned record and 25 messages. The failure fixture adds a document type and entity declaration, which the FastTool parser contract rejects before report analysis.

Worked sample, not a live result.These are fixture-level observations, not a current mailbox, DNS, deliverability, or workbench result. No real source IP, organization, or message is represented.

Question and expected behavior

Bounded report

The XML has one report ID, one record, count 25, relaxed alignment, policy quarantine, and passing DKIM/SPF evaluation. The source address is from TEST-NET-1.

Blocked declaration

The second XML contains DOCTYPE and an entity. It is intentionally incomplete as a report and should be rejected without substituting sample data.

Method

  1. Hash compressed and expanded input bytes before aggregation.
  2. Reject unsupported containers, size/depth excess, malformed XML, and document type/entity declarations.
  3. Parse report identity, policy, time window, source, counts, alignment, disposition, and authentication results.
  4. Deduplicate exact report identities and payloads; keep overlapping windows visible for review.
  5. Classify sources only with explicit local reviewer labels. Do not infer organizational ownership from an IP address.

Fixture evidence

shasum -a 256 app/fixtures/flagship-editorial-20260713/dmarc/*.xml

pass.xml5897bf1ffeb488e0ee35fdd9e06c33f80be58fe180028b82017832966259924b

blocked-doctype.xml7993a02e313748dfabcd2e2034c87bb917a5b08758c24a1b3f2d260f69efe52e

Deterministic fixture observations

FixtureRecordsMessage countStructural observationExpected handling
pass.xml125DKIM and SPF evaluation are both pass; policy is quarantine.Parse for reviewer triage
blocked-doctype.xml0 complete records0Contains a prohibited document type and entity declaration.Fail closed

The first row does not prove deliverability or complete mail flow. It only describes the one supplied report. The second row is a parser-safety expectation, not proof against every XML attack.

Limits and privacy

Limits

  • Aggregate reports do not contain message content and may not cover every receiver or time window.
  • The tool does not edit DNS, send mail, infer ownership, or guarantee inbox placement.
  • Counts can be duplicated or overlap across reports; identity and time-window evidence must stay visible.

Privacy boundary

Aggregate reports contain source IPs and authentication identifiers that may be sensitive. Use a trusted device and approved handling policy. The canonical tool processes files in the browser, but that does not authorize use of confidential reports.

Official sources

Corrections

Send a source, parser-boundary, count, or hash correction to [email protected]. Include the URL, exact issue, evidence, and proposed change. FastTool is the accountable publisher; material changes appear in the changelog. Reviewed 2026-07-13.