Skip to content

[REVIEW] email-security: add DMARC aggregate-report drift gates #3020

Description

@stmr

[REVIEW] email-security: add DMARC aggregate-report drift gates

Skill Being Reviewed

Skill name: email-security
Skill path: skills/network-security/email-security/

False Positive Analysis

The skill should not flag a domain as broken just because DMARC aggregate reports contain failures. Some failures are expected during forwarding, third-party sends, list expansion, and staged SPF/DKIM onboarding. The review should separate normal aggregate-report noise from unauthorized or misconfigured sending paths.

Benign example:

domain=example.com
policy=p=quarantine; pct=25
source=known-marketing-provider
alignment=dkim relaxed pass
failure_reason=forwarded mail SPF fail only
report_volume=stable low baseline

That is deployment telemetry, not proof of domain spoofing by itself.

Coverage Gaps

An email-security review can miss real exposure if it checks only DNS records and ignores aggregate-report drift over time.

Missed variant 1: a new cloud mail source starts sending without DKIM alignment, but static DNS still looks acceptable.

Missed variant 2: pct remains below 100 after rollout, so spoofing attempts continue to land while reports show persistent failure clusters.

Missed variant 3: subdomains use different sending providers, but aggregate reports are reviewed only for the organizational domain.

Edge Cases

  • Forwarders and mailing lists can create SPF failure noise while DKIM alignment still protects the message.
  • Vendors may rotate envelope domains or selector names without change-control tickets.
  • Report processors can silently stop ingesting XML, making the dashboard appear clean.

Remediation Quality

  • Add gates for aggregate-report ingestion health, source inventory matching, DKIM/SPF alignment trend checks, pct rollout completion, and subdomain coverage.
  • Require weekly drift review for new sources, changed selectors, and persistent unauthenticated volume.
  • Require exception records for approved forwarders and known third-party senders, with owner and expiry.

Comparison to Other Tools

DNS scanners show declared policy, but aggregate reports show what receivers actually see. The review should use both: DNS state for configuration intent and report trends for real-world drift.

Overall Assessment

The email-security skill should include DMARC aggregate-report drift because static record checks miss unauthorized senders, stalled enforcement, and broken report ingestion. These gates make the review more actionable and reduce false positives from normal forwarding behavior.

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms.
  • Preferred payment method: PayPal samik4184@gmail.com
  • Expected reviewer bounty: $25 if accepted

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions