[REVIEW] email-security: add DMARC aggregate-report drift gates
Skill Being Reviewed
Skill name: email-security
Skill path: skills/network-security/email-security/
False Positive Analysis
The skill should not flag a domain as broken just because DMARC aggregate reports contain failures. Some failures are expected during forwarding, third-party sends, list expansion, and staged SPF/DKIM onboarding. The review should separate normal aggregate-report noise from unauthorized or misconfigured sending paths.
Benign example:
domain=example.com
policy=p=quarantine; pct=25
source=known-marketing-provider
alignment=dkim relaxed pass
failure_reason=forwarded mail SPF fail only
report_volume=stable low baseline
That is deployment telemetry, not proof of domain spoofing by itself.
Coverage Gaps
An email-security review can miss real exposure if it checks only DNS records and ignores aggregate-report drift over time.
Missed variant 1: a new cloud mail source starts sending without DKIM alignment, but static DNS still looks acceptable.
Missed variant 2: pct remains below 100 after rollout, so spoofing attempts continue to land while reports show persistent failure clusters.
Missed variant 3: subdomains use different sending providers, but aggregate reports are reviewed only for the organizational domain.
Edge Cases
- Forwarders and mailing lists can create SPF failure noise while DKIM alignment still protects the message.
- Vendors may rotate envelope domains or selector names without change-control tickets.
- Report processors can silently stop ingesting XML, making the dashboard appear clean.
Remediation Quality
- Add gates for aggregate-report ingestion health, source inventory matching, DKIM/SPF alignment trend checks,
pct rollout completion, and subdomain coverage.
- Require weekly drift review for new sources, changed selectors, and persistent unauthenticated volume.
- Require exception records for approved forwarders and known third-party senders, with owner and expiry.
Comparison to Other Tools
DNS scanners show declared policy, but aggregate reports show what receivers actually see. The review should use both: DNS state for configuration intent and report trends for real-world drift.
Overall Assessment
The email-security skill should include DMARC aggregate-report drift because static record checks miss unauthorized senders, stalled enforcement, and broken report ingestion. These gates make the review more actionable and reduce false positives from normal forwarding behavior.
Bounty Info
[REVIEW] email-security: add DMARC aggregate-report drift gates
Skill Being Reviewed
Skill name:
email-securitySkill path:
skills/network-security/email-security/False Positive Analysis
The skill should not flag a domain as broken just because DMARC aggregate reports contain failures. Some failures are expected during forwarding, third-party sends, list expansion, and staged SPF/DKIM onboarding. The review should separate normal aggregate-report noise from unauthorized or misconfigured sending paths.
Benign example:
That is deployment telemetry, not proof of domain spoofing by itself.
Coverage Gaps
An email-security review can miss real exposure if it checks only DNS records and ignores aggregate-report drift over time.
Missed variant 1: a new cloud mail source starts sending without DKIM alignment, but static DNS still looks acceptable.
Missed variant 2:
pctremains below 100 after rollout, so spoofing attempts continue to land while reports show persistent failure clusters.Missed variant 3: subdomains use different sending providers, but aggregate reports are reviewed only for the organizational domain.
Edge Cases
Remediation Quality
pctrollout completion, and subdomain coverage.Comparison to Other Tools
DNS scanners show declared policy, but aggregate reports show what receivers actually see. The review should use both: DNS state for configuration intent and report trends for real-world drift.
Overall Assessment
The email-security skill should include DMARC aggregate-report drift because static record checks miss unauthorized senders, stalled enforcement, and broken report ingestion. These gates make the review more actionable and reduce false positives from normal forwarding behavior.
Bounty Info
CONTRIBUTING.mdbounty terms.samik4184@gmail.com$25if accepted