Add DMARCbis report support; rename forensic→failure project-wide

Rebased on top of master @ 2cda5bf (9.9.0), which added the ASN source attribution work (#712, #713, #714, #715). Individual Copilot iteration commits squashed into this single commit — the per-commit history on the feature branch was iterative (add tests, fix lint, move field, revert, etc.) and not worth preserving; GitHub squash- merges PRs anyway. ### DMARCbis fields (new) New fields from the DMARCbis XSD, plumbed through types, parsing, CSV output, and the Elasticsearch / OpenSearch mappings: - ``np`` — non-existent subdomain policy (``none`` / ``quarantine`` / ``reject``) - ``testing`` — testing mode flag (``n`` / ``y``), replaces RFC 7489 ``pct`` - ``discovery_method`` — policy discovery method (``psl`` / ``treewalk``) - ``generator`` — report generator software identifier (metadata) - ``human_result`` — optional descriptive text on DKIM / SPF results RFC 7489 reports parse with ``None`` for DMARCbis-only fields. ### Forensic → failure rename Forensic reports have been renamed to failure reports throughout the project to reflect the proper naming since RFC 7489. - Core: ``types.py``, ``__init__.py`` — ``ForensicReport`` → ``FailureReport``, ``parse_forensic_report`` → ``parse_failure_report``, report type ``"failure"``. - Output modules: ``elastic.py``, ``opensearch.py``, ``splunk.py``, ``kafkaclient.py``, ``syslog.py``, ``gelf.py``, ``webhook.py``, ``loganalytics.py``, ``s3.py``. - CLI: ``cli.py`` — args, config keys, index names (``dmarc_failure``). - Docs + dashboards: all markdown, Grafana JSON, Kibana NDJSON, Splunk XML. Backward compatibility preserved: old function / type names remain as aliases (``parse_forensic_report = parse_failure_report``, ``ForensicReport = FailureReport``, etc.), CLI accepts both the old (``save_forensic``, ``forensic_topic``) and new (``save_failure``, ``failure_topic``) config keys, and updated dashboards query both old and new index / sourcetype names so data from before and after the rename appears together. ### Rebase notes Merge conflicts resolved in ``parsedmarc/constants.py`` (took bis's 10.0.0 bump), ``parsedmarc/__init__.py`` (combined bis's "failure" wording with master's IPinfo MMDB mention), ``parsedmarc/elastic.py`` and ``parsedmarc/opensearch.py`` (kept master's ``source_asn`` / ``source_asn_name`` / ``source_asn_domain`` on the failure doc path while renaming ``forensic_report`` → ``failure_report``), and ``CHANGELOG.md`` (10.0.0 entry now sits above the 9.9.0 entry). All 324 tests pass; ``ruff check`` / ``ruff format --check`` clean. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 14:35:27 +00:00 · 2026-04-23 02:26:30 -04:00
parent 2cda5bf59b
commit d7366d088f
37 changed files with 3285 additions and 474 deletions
@@ -214,7 +214,7 @@ Kibana index patterns with versions that match the upgraded indexes:

 1. Login in to Kibana, and click on Management
 2. Under Kibana, click on Saved Objects
-3. Check the checkboxes for the `dmarc_aggregate` and `dmarc_forensic`
+3. Check the checkboxes for the `dmarc_aggregate` and `dmarc_failure`
   index patterns
 4. Click Delete
 5. Click Delete on the conformation message
@@ -2,7 +2,7 @@

 [general]
 save_aggregate = True
-save_forensic = True
+save_failure = True

 [imap]
 host = imap.example.com
@@ -30,7 +30,7 @@ and Valimail.
 ## Features

 - Parses draft and 1.0 standard aggregate/rua DMARC reports
- Parses forensic/failure/ruf DMARC reports
+- Parses failure/ruf DMARC reports
 - Parses reports from SMTP TLS Reporting
 - Can parse reports from an inbox over IMAP, Microsoft Graph, or Gmail API
 - Transparently handles gzip or zip compressed reports
@@ -74,14 +74,14 @@ the DMARC Summary dashboard. To view failures only, use the pie chart.
 Any other filters work the same way. You can also add your own custom temporary
 filters by clicking on Add Filter at the upper right of the page.

-## DMARC Forensic Samples
+## DMARC Failure Samples

-The DMARC Forensic Samples dashboard contains information on DMARC forensic
-reports (also known as failure reports or ruf reports). These reports contain
+The DMARC Failure Samples dashboard contains information on DMARC failure
+reports (also known as ruf reports). These reports contain
 samples of emails that have failed to pass DMARC.

 :::{note}
-Most recipients do not send forensic/failure/ruf reports at all to avoid
+Most recipients do not send failure/ruf reports at all to avoid
 privacy leaks. Some recipients (notably Chinese webmail services) will only
 supply the headers of sample emails. Very few provide the entire email.
 :::
@@ -99,12 +99,12 @@ draft,acme.com,noreply-dmarc-support@acme.com,http://acme.com/dmarc/support,9391

 ```

-## Sample forensic report output
+## Sample failure report output

 Thanks to GitHub user [xennn](https://github.com/xennn) for the anonymized
-[forensic report email sample](<https://github.com/domainaware/parsedmarc/raw/master/samples/forensic/DMARC%20Failure%20Report%20for%20domain.de%20(mail-from%3Dsharepoint%40domain.de%2C%20ip%3D10.10.10.10).eml>).
+[failure report email sample](<https://github.com/domainaware/parsedmarc/raw/master/samples/failure/DMARC%20Failure%20Report%20for%20domain.de%20(mail-from%3Dsharepoint%40domain.de%2C%20ip%3D10.10.10.10).eml>).

-### JSON forensic report
+### JSON failure report

 ```json
 {
@@ -198,7 +198,7 @@ Thanks to GitHub user [xennn](https://github.com/xennn) for the anonymized
   }
 ```

-### CSV forensic report
+### CSV failure report

 ```text
 feedback_type,user_agent,version,original_envelope_id,original_mail_from,original_rcpt_to,arrival_date,arrival_date_utc,subject,message_id,authentication_results,dkim_domain,source_ip_address,source_country,source_reverse_dns,source_base_domain,source_name,source_type,source_asn,source_asn_name,source_asn_domain,delivery_result,auth_failure,reported_domain,authentication_mechanisms,sample_headers_only
@@ -1,10 +1,10 @@
 # Splunk

 Starting in version 4.3.0 `parsedmarc` supports sending aggregate and/or
-forensic DMARC data to a Splunk [HTTP Event collector (HEC)].
+failure DMARC data to a Splunk [HTTP Event collector (HEC)].

 The project repository contains [XML files] for premade Splunk
-dashboards for aggregate and forensic DMARC reports.
+dashboards for aggregate and failure DMARC reports.

 Copy and paste the contents of each file into a separate Splunk
 dashboard XML editor.
@@ -4,9 +4,9 @@

 ```text
 usage: parsedmarc [-h] [-c CONFIG_FILE] [--strip-attachment-payloads] [-o OUTPUT]
-                  [--aggregate-json-filename AGGREGATE_JSON_FILENAME] [--forensic-json-filename FORENSIC_JSON_FILENAME]
+                  [--aggregate-json-filename AGGREGATE_JSON_FILENAME] [--failure-json-filename FAILURE_JSON_FILENAME]
                  [--smtp-tls-json-filename SMTP_TLS_JSON_FILENAME] [--aggregate-csv-filename AGGREGATE_CSV_FILENAME]
-                  [--forensic-csv-filename FORENSIC_CSV_FILENAME] [--smtp-tls-csv-filename SMTP_TLS_CSV_FILENAME]
+                  [--failure-csv-filename FAILURE_CSV_FILENAME] [--smtp-tls-csv-filename SMTP_TLS_CSV_FILENAME]
                  [-n NAMESERVERS [NAMESERVERS ...]] [-t DNS_TIMEOUT] [--offline] [-s] [-w] [--verbose] [--debug]
                  [--log-file LOG_FILE] [--no-prettify-json] [-v]
                  [file_path ...]
@@ -14,26 +14,26 @@ usage: parsedmarc [-h] [-c CONFIG_FILE] [--strip-attachment-payloads] [-o OUTPUT
 Parses DMARC reports

 positional arguments:
-  file_path             one or more paths to aggregate or forensic report files, emails, or mbox files'
+  file_path             one or more paths to aggregate or failure report files, emails, or mbox files'

 options:
  -h, --help            show this help message and exit
  -c CONFIG_FILE, --config-file CONFIG_FILE
                        a path to a configuration file (--silent implied)
  --strip-attachment-payloads
-                        remove attachment payloads from forensic report output
+                        remove attachment payloads from failure report output
  -o OUTPUT, --output OUTPUT
                        write output files to the given directory
  --aggregate-json-filename AGGREGATE_JSON_FILENAME
                        filename for the aggregate JSON output file
-  --forensic-json-filename FORENSIC_JSON_FILENAME
-                        filename for the forensic JSON output file
+  --failure-json-filename FAILURE_JSON_FILENAME
+                        filename for the failure JSON output file
  --smtp-tls-json-filename SMTP_TLS_JSON_FILENAME
                        filename for the SMTP TLS JSON output file
  --aggregate-csv-filename AGGREGATE_CSV_FILENAME
                        filename for the aggregate CSV output file
-  --forensic-csv-filename FORENSIC_CSV_FILENAME
-                        filename for the forensic CSV output file
+  --failure-csv-filename FAILURE_CSV_FILENAME
+                        filename for the failure CSV output file
  --smtp-tls-csv-filename SMTP_TLS_CSV_FILENAME
                        filename for the SMTP TLS CSV output file
  -n NAMESERVERS [NAMESERVERS ...], --nameservers NAMESERVERS [NAMESERVERS ...]
@@ -70,7 +70,7 @@ For example

 [general]
 save_aggregate = True
-save_forensic = True
+save_failure = True

 [imap]
 host = imap.example.com
@@ -109,7 +109,7 @@ mode = tcp

 [webhook]
 aggregate_url = https://aggregate_url.example.com
-forensic_url = https://forensic_url.example.com
+failure_url = https://failure_url.example.com
 smtp_tls_url = https://smtp_tls_url.example.com
 timeout = 60
 ```
@@ -119,7 +119,7 @@ The full set of configuration options are:
 - `general`
  - `save_aggregate` - bool: Save aggregate report data to
      Elasticsearch, Splunk and/or S3
-  - `save_forensic` - bool: Save forensic report data to
+  - `save_failure` - bool: Save failure report data to
      Elasticsearch, Splunk and/or S3
  - `save_smtp_tls` - bool: Save SMTP-STS report data to
      Elasticsearch, Splunk and/or S3
@@ -130,7 +130,7 @@ The full set of configuration options are:
  - `output` - str: Directory to place JSON and CSV files in.  This is required if you set either of the JSON output file options.
  - `aggregate_json_filename` - str: filename for the aggregate
      JSON output file
-  - `forensic_json_filename` - str: filename for the forensic
+  - `failure_json_filename` - str: filename for the failure
      JSON output file
  - `ip_db_path` - str: An optional custom path to a MMDB file
      from IPinfo, MaxMind, or DBIP
@@ -331,7 +331,7 @@ The full set of configuration options are:
  - `skip_certificate_verification` - bool: Skip certificate
    verification (not recommended)
  - `aggregate_topic` - str: The Kafka topic for aggregate reports
-  - `forensic_topic` - str: The Kafka topic for forensic reports
+  - `failure_topic` - str: The Kafka topic for failure reports
 - `smtp`
  - `host` - str: The SMTP hostname
  - `port` - int: The SMTP port (Default: `25`)
@@ -449,7 +449,7 @@ The full set of configuration options are:
  - `dce` - str: The Data Collection Endpoint (DCE). Example: `https://{DCE-NAME}.{REGION}.ingest.monitor.azure.com`.
  - `dcr_immutable_id` - str: The immutable ID of the Data Collection Rule (DCR)
  - `dcr_aggregate_stream` - str: The stream name for aggregate reports in the DCR
-  - `dcr_forensic_stream` - str: The stream name for the forensic reports in the DCR
+  - `dcr_failure_stream` - str: The stream name for the failure reports in the DCR
  - `dcr_smtp_tls_stream` - str: The stream name for the SMTP TLS reports in the DCR

  :::{note}
@@ -466,7 +466,7 @@ The full set of configuration options are:

 - `webhook` - Post the individual reports to a webhook url with the report as the JSON body
  - `aggregate_url` - str: URL of the webhook which should receive the aggregate reports
-  - `forensic_url` - str: URL of the webhook which should receive the forensic reports
+  - `failure_url` - str: URL of the webhook which should receive the failure reports
  - `smtp_tls_url` - str: URL of the webhook which should receive the smtp_tls reports
  - `timeout` - int: Interval in which the webhook call should timeout

@@ -481,26 +481,26 @@ blocks DNS requests to outside resolvers.
 :::

 :::{note}
-`save_aggregate` and `save_forensic` are separate options
-because you may not want to save forensic reports
-(also known as failure reports) to your Elasticsearch instance,
+`save_aggregate` and `save_failure` are separate options
+because you may not want to save failure reports
+(formerly known as forensic reports) to your Elasticsearch instance,
 particularly if you are in a highly-regulated industry that
 handles sensitive data, such as healthcare or finance. If your
 legitimate outgoing email fails DMARC, it is possible
-that email may appear later in a forensic report.
+that email may appear later in a failure report.

-Forensic reports contain the original headers of an email that
+Failure reports contain the original headers of an email that
 failed a DMARC check, and sometimes may also include the
 full message body, depending on the policy of the reporting
 organization.

-Most reporting organizations do not send forensic reports of any
+Most reporting organizations do not send failure reports of any
 kind for privacy reasons. While aggregate DMARC reports are sent
-at least daily, it is normal to receive very few forensic reports.
+at least daily, it is normal to receive very few failure reports.

-An alternative approach is to still collect forensic/failure/ruf
+An alternative approach is to still collect failure/ruf
 reports in your DMARC inbox, but run `parsedmarc` with
-```save_forensic = True``` manually on a separate IMAP folder (using
+```save_failure = True``` manually on a separate IMAP folder (using
 the ```reports_folder``` option), after you have manually moved
 known samples you want to save to that folder
 (e.g. malicious samples and non-sensitive legitimate samples).