mirror of
https://github.com/domainaware/parsedmarc.git
synced 2026-05-07 04:25:25 +00:00
Sean Whalen
ddf962e151
When a domain's homepage redirects to a different host *for the same operator* (acquisition target's site, or a TLD/subdomain variant), PTR reverse-DNS reports observed in the wild may reference either domain. Mapping only the original loses attribution for the redirect target. Adds 91 aliases discovered during the previous bulk PR's classification work — every redirect target where the original was newly mapped, the target wasn't already in the map, and the target was the same operator (not a sister brand and not a placeholder/bot/parking page). Notable examples: apogee.us + boldyn.com both -> Boldyn ISP; sungardas.com + 1111systems.com both -> 11:11 Systems MSP; vodafone.is + syn.is both -> Sýn ISP; sendinblue.com + brevo.com both -> Brevo (Sendinblue) Marketing; tigo.com + millicom.com both -> Tigo ISP; rockwellcollins.com + collinsaerospace.com both -> Collins Aerospace Defense. Codifies the alias-target practice as a new paragraph under AGENTS.md step 6 (the homepage-redirect disambiguation rule). Key guardrails: - Alias only for case 1 (acquisition) and case 3 (TLD variant). Do NOT alias for case 2 (sister brand / shared infra) -- aliasing the redirect target there mis-attributes the redirect target's email. Cited example: do not alias ziggo.nl to UPC after the chello.sk fix. - Skip generic-placeholder, bot-management, and TLD/eTLD redirect targets (example.com, perfdrive.com, umbler.com, co.uk, com.br...). - When in doubt, drop the alias rather than commit it. A missing alias is recoverable; a wrong one mis-attributes mail. Also fixes four canonical-naming inconsistencies surfaced during the brand-mismatch sweep, aligning recent additions to pre-existing entries: - ga.gov: "Georgia Government" -> "State of Georgia" (matches existing georgia.gov) - goco.ca, radiant.net: "Telus" -> "TELUS" (matches existing telus.com) - vee.com.tw: "VeeTime" -> "VeeTIME" (matches existing veetime.com) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
parsedmarc
parsedmarc is a Python module and CLI utility for parsing DMARC
reports. When used with Elasticsearch and Kibana (or Splunk), it works
as a self-hosted open-source alternative to commercial DMARC report
processing services such as Agari Brand Protection, Dmarcian, OnDMARC,
ProofPoint Email Fraud Defense, and Valimail.
Note
Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an email authentication protocol.
Sponsors
This is a project is maintained by one developer. Please consider sponsoring my work if you or your organization benefit from it.
Features
- Parses draft and 1.0 standard aggregate/rua DMARC reports
- Parses forensic/failure/ruf DMARC reports
- Parses reports from SMTP TLS Reporting
- Can parse reports from an inbox over IMAP, Microsoft Graph, or Gmail API
- Transparently handles gzip or zip compressed reports
- Consistent data structures
- Simple JSON and/or CSV output
- Optionally email the results
- Optionally send the results to Elasticsearch, Opensearch, and/or Splunk, for use with premade dashboards
- Optionally send reports to Apache Kafka
Python Compatibility
This project supports the following Python versions, which are either actively maintained or are the default versions for RHEL or Debian.
| Version | Supported | Reason |
|---|---|---|
| < 3.6 | ❌ | End of Life (EOL) |
| 3.6 | ❌ | Used in RHEL 8, but not supported by project dependencies |
| 3.7 | ❌ | End of Life (EOL) |
| 3.8 | ❌ | End of Life (EOL) |
| 3.9 | ❌ | Used in Debian 11 and RHEL 9, but not supported by project dependencies |
| 3.10 | ✅ | Actively maintained |
| 3.11 | ✅ | Actively maintained; supported until June 2028 (Debian 12) |
| 3.12 | ✅ | Actively maintained; supported until May 2035 (RHEL 10) |
| 3.13 | ✅ | Actively maintained; supported until June 2030 (Debian 13) |
| 3.14 | ✅ | Supported (requires imapclient>=3.1.0) |