Suppress --forensic reports via Reported-Domain, matching aggregate#425
Merged
thegushi merged 1 commit intoJun 20, 2026
Conversation
…gate Bare NoReportsList domain entries already suppressed aggregate reports for a sending domain (via --skipdomains), but had no effect on forensic reports about that domain -- the manpage said so explicitly. That's the remaining asymmetry between the two opendmarc-reports delivery paths: NoReportsList suppression was keyed only on the destination address, never on which domain actually failed DMARC. - Add domain_skip_reason(), shared by the aggregate domain loop and --forensic mode, checking --skipdomains/bare NoReportsList entries, StaleMARC, and the suppressions DB. - --forensic mode now reads the Reported-Domain field out of the AFRF message/feedback-report part and checks it with domain_skip_reason() before doing anything else; a suppressed domain exits with the existing EXIT_SUPPRESSED (2) code rather than composing or sending anything. - Update opendmarc.conf.5.in/.sample and opendmarc-reports.8.in: a bare NoReportsList entry now suppresses both report types when ReportCommand is opendmarc-reports --forensic, but still has no effect when ReportCommand pipes directly to sendmail, since only opendmarc-reports performs the Reported-Domain check.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Follow-up to #424. Bare NoReportsList domain entries already suppressed aggregate reports for a sending domain (via --skipdomains), but had no effect on forensic reports about that domain -- the manpage said so explicitly. That was the one remaining asymmetry: NoReportsList suppression was keyed only on the destination address, never on which domain actually failed DMARC.
Test plan