{"id":28000385,"url":"https://github.com/swedishmike/dmarcparser","last_synced_at":"2025-05-08T23:17:04.477Z","repository":{"id":291762809,"uuid":"72610324","full_name":"swedishmike/dmarcparser","owner":"swedishmike","description":"A quick and dirty implementation to get DMARC reports into Splunk for further analysis","archived":false,"fork":false,"pushed_at":"2019-03-25T16:22:17.000Z","size":142,"stargazers_count":5,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-05-08T23:16:40.387Z","etag":null,"topics":["dmarc","dmarc-reports","email","python","security","spam-prevention","splunk","splunk-sdk"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/swedishmike.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2016-11-02T06:23:58.000Z","updated_at":"2021-04-06T09:15:20.000Z","dependencies_parsed_at":"2025-05-06T12:50:53.121Z","dependency_job_id":"00960e77-36f2-447b-a30f-a9ecf0b727e3","html_url":"https://github.com/swedishmike/dmarcparser","commit_stats":null,"previous_names":["swedishmike/dmarcparser"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/swedishmike%2Fdmarcparser","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/swedishmike%2Fdmarcparser/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/swedishmike%2Fdmarcparser/releases","manifests_url":"https://repos.eco
syste.ms/api/v1/hosts/GitHub/repositories/swedishmike%2Fdmarcparser/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/swedishmike","download_url":"https://codeload.github.com/swedishmike/dmarcparser/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253160748,"owners_count":21863631,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dmarc","dmarc-reports","email","python","security","spam-prevention","splunk","splunk-sdk"],"created_at":"2025-05-08T23:16:51.084Z","updated_at":"2025-05-08T23:17:01.122Z","avatar_url":"https://github.com/swedishmike.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# dmarcparser\nA quick and dirty implementation to get DMARC rua reports into Splunk for further analysis\n\nReads the emails from IMAP, transmogrifies the data and outputs it into Splunk. Simples.\n\n## Requirements\n\n* Python 2.7 (Since the Splunk SDK does not support Python 3 yet)\n* Splunk SDK.\n* A Splunk installation that can accept connections via the SDK.\n* An IMAP server that accepts connections on port 993 for secure connections.\n* You will of course also need a DMARC record defined in your DNS zone. If you don't know how to do that - Google is \nyour friend. 
;-) You can also have a look here: https://dmarc.org \n\n## Installation and configuration\n\n### Installation\n- Clone this repo onto your host\n- Change directory into the program directory and run `pip install -r requirements.txt`\n\nYou can of course run this manually but I find that running it automagically is the best way. One way of accomplishing\nthis on Linux/Unix is as follows:\n - Create a file called `dmarcparser.sh` in the same directory as the `dmarcparser.py` file.\n - Edit that file to contain something like this:\n~~~~\n#!/bin/sh\n# cron starts jobs in the user's home directory, so change to the script's directory first\ncd \"$(dirname \"$0\")\" || exit 1\npython2.7 dmarcparser.py\n~~~~\n - Once the file is created and saved, run `chmod +x dmarcparser.sh` to make sure that it is executable.\n - Then, as a user that has access to the dmarcparser directory and can also create and run crontab entries, execute\n `crontab -e` and add a line looking something like this, of course adjusted to suit your host/directories etc:\n~~~~\n0 * * * * /home/user/Projects/dmarcparser/dmarcparser.sh\n~~~~\n - The line above executes the script on the hour, every hour. As always, mileage may vary so you might have to adjust\n these things to suit your system. At least it should give you an idea of what you can do to get it scheduled.\n \n### Configuration\n\nCopy the `dmarcparser.ini.original` file to `dmarcparser.ini` and edit the following settings to suit your environment.\n\n~~~~\n[Splunk Config]\nSplunkHost =\nSplunkPort =\nSplunkUser =\nSplunkPassword =\nSplunkIndex =\n~~~~\n\n~~~~\n[Imap Config]\nImapServer =\nImapUser =\nImapPassword =\nDeleteEmails = No\n~~~~\n\nThese settings should be pretty self-explanatory. If you change the 'DeleteEmails' setting to Yes the program will\ndelete the emails once they are processed. This is one way of keeping the Exchange mailbox in good shape. 
\n\n### Splunk examples\n\nThis is an example of a Splunk search that gives you a breakdown per domain of the total number of reported emails, the number of failed ones and the failure percentage.\n\n~~~~\nindex=dmarc sourcetype=dmarc_rua header_from=* \n| stats count(header_from) as total by header_from \n| append[search index=dmarc sourcetype=dmarc_rua (dkim_test!=pass AND spf_test!=pass) | stats count(header_from) as failed by header_from] \n| stats first(*) as * by header_from\n| eval failurerate=round(((failed/total)*100),2).\"%\"\n| table header_from total failed failurerate \n| sort - failurerate, total\n| rename header_from as Domain, total as \"Total number of emails\", failed as \"Number of failed emails\", failurerate as \"Failure rate\" \n| fillnull\n~~~~\n\nI have also added a file called [dmarc_rua_report.xml](dmarc_rua_report.xml) which gives you a Dashboard with this search as well as one breaking down failures per IP on a specific domain. \n\nExample:\n\n![alt-text](dmarc_rua_report.png \"Screenshot of an example report\") \n\n## Troubleshooting\n\nBy default the program logs errors and informational entries into the file `dmarcparser.log`. Review this one to try and find out why things are not working as expected.\n \nIf you need even more logging, edit the file `modules/logconfig.py` and in the snippet below, change the level from `INFO` to `DEBUG`.  \n\n~~~~\n        'loggers': {\n            '': {\n                'handlers': ['file'],\n                'level': 'INFO',\n                'propagate': True\n            }\n~~~~\n\n## Known issues\n\n### Incorrect XML\nSome implementations seem to have incorrect XML syntax in them, which is not liked by the XML parser I'm using. There\nmight be a way around this but I really can't be bothered to spend too much time on it. 
Each one of these will be caught\nby an exception and logged like this instead:\n\n~~~~\n2016-11-14 17:06:38,296 [ERROR] (parse_report): Error opening and parsing unpacked/emailgate.se!domain.com!1478646000!1478732400.xml. Most likely malformed XML.\n~~~~\n\n### Missing DKIM or SPF result entry\nSome implementations seem not to include both the `Policy evaluated/dkim` and `Policy evaluated/spf` records. If that\nis the case the value `Missing` is added instead of the program crashing out and/or leaving it empty.\n\n\n\nFor any other problems or bugs - open an issue here on GitHub and I'll try to assist. Pull requests are of course also very welcome.\n###### Disclaimer: This program does not come with any guarantees that it will actually work. Best efforts will be made to make it work as well as possible though.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fswedishmike%2Fdmarcparser","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fswedishmike%2Fdmarcparser","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fswedishmike%2Fdmarcparser/lists"}