SPF alignment

Aggregate DMARC data A summary of aggregate DMARC report data index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=$org_name$ source_reverse_dns=$source_reverse_dns$ header_from=$header_from$ envelope_from=$envelope_from$ disposition=$disposition$ source_ip_address=$source_ip_address$ source_base_domain=$source_base_domain$ source_country=$source_country$ | rename spf_results{}.domain as envelope_domain spf_results{}.result as spf_result spf_results{}.scope as spf_scope dkim_results{}.selector as dkim_selector dkim_results{}.domain as dkim_domain dkim_results{}.result as dkim_result | fillnull value=null source_reverse_dns source_base_domain dkim_selector dkim_domain dkim_result source_type source_name | search dkim_selector=$dkim_selector$ dkim_domain=$dkim_domain$ source_type="$source_type$" source_name="$source_name$" | table * $time_range.earliest$ $time_range.latest$

SPF alignment any true false * DKIM alignment any true false * Passed DMARC any true false * Reporting organization * Message header from * Envelope from * Message disposition any none quarantine reject * Source IP address * Source reverse DNS * Source base domain * Source type * * any source_type source_type index="email" sourcetype="dmarc:aggregate" | stats count by source_type Source name * any * source_name source_name index="email" sourcetype="dmarc:aggregate" source_type="$source_type$" | stats count by source_name Source country ISO code * DKIM selector * DKIM domain * Time range -7d@h now

SPF alignment | stats sum(message_count) as message_count by spf_aligned DKIM alignment | stats sum(message_count) by dkim_aligned Passed DMARC | stats sum(message_count) by passed_dmarc Reporting organizations | stats sum(message_count) as message_count by org_name | sort -message_count

Message sources by reverse DNS | fillnull value="none" | stats sum(message_count) as message_count by source_base_domain | sort -message_count

Message volume by header from | stats sum(message_count) as message_count by header_from | sort -message_count

Message sources by name and type | stats sum(message_count) as message_count by source_name, source_type | sort -message_count

DMARC passage over time | timechart sum(message_count) as message_count by passed_dmarc Message disposition over time | timechart sum(message_count) as message_count by disposition Message volume by source country | iplocation source_ip_address | stats count by Country | geom geo_countries featureIdField="Country" Source countries | stats sum(message_count) as message_count by source_country | sort -message_count

Message sources by IP address | stats sum(message_count) as message_count by source_ip_address,source_reverse_dns,source_base_domain,source_country | sort -message_count

SPF details | stats sum(message_count) as message_count by header_from,envelope_from,spf_result,spf_aligned,source_base_domain | sort -message_count

DKIM details | stats sum(message_count) as message_count by header_from,dkim_selector,dkim_domain,dkim_result,source_base_domain | sort -message_count