Skip to content

Suppress --forensic reports via Reported-Domain, matching aggregate#425

Merged
thegushi merged 1 commit into
trusteddomainproject:developfrom
thegushi:feat/forensic-reported-domain-suppression
Jun 20, 2026
Merged

Suppress --forensic reports via Reported-Domain, matching aggregate#425
thegushi merged 1 commit into
trusteddomainproject:developfrom
thegushi:feat/forensic-reported-domain-suppression

Conversation

@thegushi

Copy link
Copy Markdown
Collaborator

Summary

Follow-up to #424. Bare NoReportsList domain entries already suppressed aggregate reports for a sending domain (via --skipdomains), but had no effect on forensic reports about that domain -- the manpage said so explicitly. That was the one remaining asymmetry: NoReportsList suppression was keyed only on the destination address, never on which domain actually failed DMARC.

  • Added domain_skip_reason(), shared by the aggregate domain loop and --forensic mode, checking --skipdomains/bare NoReportsList entries, StaleMARC, and the suppressions DB.
  • --forensic mode now reads the Reported-Domain field out of the AFRF message/feedback-report part and checks it before doing anything else; a suppressed domain exits with the existing EXIT_SUPPRESSED (2) code rather than composing or sending anything.
  • Updated opendmarc.conf.5.in/.sample and opendmarc-reports.8.in: a bare NoReportsList entry now suppresses both report types when ReportCommand is opendmarc-reports --forensic, but still has no effect when ReportCommand pipes directly to sendmail, since only opendmarc-reports performs the check.

Test plan

  • perl -c on reports/opendmarc-reports.in (with @Version@/@SQL_BACKEND@ substituted)
  • mandoc -Tlint on opendmarc.conf.5.in and opendmarc-reports.8.in
  • Not exercised against a live milter-generated AFRF message; Reported-Domain parsing reviewed by inspection only

…gate

Bare NoReportsList domain entries already suppressed aggregate reports
for a sending domain (via --skipdomains), but had no effect on forensic
reports about that domain -- the manpage said so explicitly. That's the
remaining asymmetry between the two opendmarc-reports delivery paths:
NoReportsList suppression was keyed only on the destination address,
never on which domain actually failed DMARC.

- Add domain_skip_reason(), shared by the aggregate domain loop and
  --forensic mode, checking --skipdomains/bare NoReportsList entries,
  StaleMARC, and the suppressions DB.
- --forensic mode now reads the Reported-Domain field out of the AFRF
  message/feedback-report part and checks it with domain_skip_reason()
  before doing anything else; a suppressed domain exits with the
  existing EXIT_SUPPRESSED (2) code rather than composing or sending
  anything.
- Update opendmarc.conf.5.in/.sample and opendmarc-reports.8.in: a bare
  NoReportsList entry now suppresses both report types when
  ReportCommand is opendmarc-reports --forensic, but still has no effect
  when ReportCommand pipes directly to sendmail, since only
  opendmarc-reports performs the Reported-Domain check.
@thegushi thegushi merged commit 479cb20 into trusteddomainproject:develop Jun 20, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant