Today I produced the following script. It takes as input an email containing a DMARC XML report as an attachment, extracts the attachment, decompresses it, queries the report for failures coming from any of the IPs I use to send mail (ignoring those I don't use or control), and, for any failures it finds, sends an error message and the decompressed file to a room on my Matrix server.
#!/bin/bash
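# Private working directory: munpack extracts every attachment here and it is
# removed on exit. If mktemp fails TMP would be empty and the script would
# silently keep extracting into whatever the caller's cwd is, so abort instead.
TMP=$(mktemp -d) || { printf '%s\n' "mktemp -d failed" >&2; exit 1; }

# IPs of our own outbound mail host, rendered as a quoted, comma-separated
# XQuery sequence ("1.2.3.4", "2001:db8::1") that is spliced into the
# source_ip=(...) test below. `host` prints "... has address A" and
# "... has IPv6 address B" lines; the last field of each is the address.
SOURCE_IPS=$(host mail.koehn.com | grep address | awk '{print "\""$(NF)"\","}' | tr '\n' ' ' | sed 's/, $//')

# An empty list would turn the query into source_ip=() which matches nothing,
# i.e. a DNS hiccup would make every failure disappear silently. Fail loudly
# and drop the directory ourselves, since the EXIT trap is not installed yet.
[[ -n "$SOURCE_IPS" ]] || {
  printf '%s\n' "could not resolve any address for mail.koehn.com" >&2
  rm -rf -- "$TMP"
  exit 1
}

cd "$TMP" || exit 1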
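#######################################
# Remove the working directory; installed as the EXIT trap.
# Globals:   TMP (read) - directory created by mktemp -d
# Returns:   status of rm
#######################################
cleanup() {
  # ${TMP:?} aborts instead of expanding to "" if TMP is ever unset or empty,
  # so this line can never degrade into removing an unintended path;
  # `--` keeps a name starting with '-' from being parsed as an option.
  rm -rf -- "${TMP:?}"
}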
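trap cleanup EXIT

# munpack reads the message on stdin, writes each MIME part into the cwd
# ($TMP) and reports one "name (type/subtype)" line per part on stdout
# (-f overwrites). Its stderr is deliberately discarded: it is noisy on
# ordinary mail. Names come from the untrusted message, so collect them with
# read -r into an array rather than word-splitting a string: a name containing
# spaces or glob characters is kept intact and never expanded.
FILES=()
while IFS= read -r line; do
  [[ -n "$line" ]] || continue
  FILES+=("${line% (*}")   # drop the trailing " (type/subtype)" annotation
done < <(munpack -f 2>/dev/null)

for file in "${FILES[@]}"; do
  # Anything munpack announced but did not leave on disk cannot be a report.
  [[ -f "$file" ]] || continue
  # Decompress the attachment to stdout (DMARC aggregate reports arrive as
  # zip or gzip) and keep only <row> elements whose source_ip is one of ours
  # and whose DKIM or SPF policy evaluation failed. `--` stops 7z from reading
  # a name that starts with '-' as a switch. xidel's "Processing: stdin"
  # progress line is filtered out of its stderr; the filtered stream is sent
  # explicitly back to stderr so that it cannot end up in the pipe and be
  # counted as a match by `grep .`.
  # NOTE(review): there is no bound on the decompressed size; a very large
  # archive is streamed through xidel in full.
  if 7z e -so -- "$file" \
    | xidel --data - --xquery './/row[source_ip=('"$SOURCE_IPS"') and (policy_evaluated/dkim="fail" or policy_evaluated/spf="fail")]' \
        2> >(grep -v "Processing: stdin" >&2) \
    | grep . ; then
    mc -m "🔴 Received DMARC report containing failures: $file"
    # Sends the attachment as received from munpack (the compressed archive).
    mc -f "$file"
  fi
done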