DAILY EMAIL AUTHENTICATION EVIDENCE
DMARC Aggregate Report Analyzer & Triage
Drop a batch of daily DMARC reports. See what passed, failed, duplicated or overlapped, review policy-scoped source groups, then export one evidence pack.
Reviewed 2026-07-10
SecurityONE CLEAR JOB
Turn a folder of unreadable reports into a sender decision.
HOW THE DECISION WORKS
No fake score and no automatic sender accusation.
A material source starts as Unclassified. You explicitly mark it Expected, Unknown or Ignore. A stronger blocker such as a parse failure still forces Hold. Exact duplicates are excluded; same-policy overlaps require review, while differing-policy overlaps are disclosed as possible policy-change splits.
PUBLIC METHOD · REPRODUCIBLE INPUTS
Sources, fixtures, artifacts and correction
Method: reject unsafe XML constructs, separate exact duplicates and overlapping periods, aggregate SPF/DKIM alignment without guessing IP ownership, require explicit source labels, then hash the resulting evidence packet. Input limits and the no-live-DNS boundary are visible beside the workbench.
Official sources: RFC 9989 DMARC policy, RFC 9990 aggregate reporting, and RFC 6376 DKIM.
Reproducible fixtures: valid aggregate report and blocked DOCTYPE report.
Inspect at least two artifacts: source-ledger CSV and trend SVG; the Markdown triage brief and JSON receipt expose assumptions, limits and exact hashes.
QA and accountability: run flagship-editorial-20260713, reviewed 2026-07-13. Exact report hashes are in the quality manifest. FastTool is the accountable publisher. Report a parser, source, fixture or hash error to [email protected].
COMPLETE THE EVIDENCE LOOP
Run, understand, verify
Review fail-closed XML handling and the operational path from aggregate reports to sender investigation.