Hi guys,
I just need to know whether mailcow-dockerized has opendmarc preinstalled?
I have been looking into the opendmarc project (http://www.trusteddomain.org/opendmarc/) to implement the opendmarc-reports feature to generate and send aggregate reports to whoever requested them. But I couldn't find anything related in here.
cheers
We validate DMARC via Rspamd instead of via OpenDMARC. We don't currently have a report parser, but that is a long-standing feature request (#1341). Sending reports hasn't been requested so far I think.
@mkuron Thank you very much for the reply. I have found that Rspamd also has an aggregate reporting feature. Please have a look at https://rspamd.com/doc/modules/dmarc.html.
Is there any way we can generate and send aggregate reports from mailcow via Rspamd? Or please let me know of any other possibilities to do it.
Rspamd is storing all DMARC details in the Redis database. Aggregate reporting is a must feature if we are running our own mail server. On a daily basis I have been receiving aggregate reports from other mail servers, but I couldn't send any yet :(
thank you.
cheers
Aggregate reporting is a must feature
DMARC reporting is not mandatory in the standard as far as I can tell. Many mail servers don't appear to use it (I've only seen reports from Google, Yahoo and Microsoft so far).
Is there any way we can generate and send aggregate reports from mailcow via Rspamd
It could be enabled as described in https://rspamd.com/doc/modules/dmarc.html quite easily. I don't think we should enable it by default though; sending automated messages of any kind (even if they are recommended by an RFC standard) always comes with the danger of getting yourself added to a spam blacklist by an overzealous mail server.
@mkuron Hi, thank you very much for the reply and advice. I don't want my mail server to be blacklisted. So if it is not a must feature then I can simply avoid it.
cheers
@mkuron thanks for the info, it is really useful. And it is not hard to implement. I didn't know that Rspamd can generate such reports in such an easy way. It is interesting to play with, and I will do it when I have time. There is an option to override the email for reports to check how it works before enabling it in production.
An MTA administrator can simply get such reports sent to himself to check how many emails he gets and from where, and how many mails he gets with broken DKIM policy. For monitoring reports, the best of the open-source projects I found is https://github.com/domainaware/parsedmarc, and I created a dockerized env for my own use, hosted on a dedicated little VM: https://github.com/dragoangel/parsedmarc-dockerized
Over all this time I have seen reports from:
Google, Yahoo, Mail.ru, Comcast.net, o2.pl, seznam.cz, Fastmail, kaspi.kz
But still, the answer on the percentage of servers: yes, it is really low. Still, if everyone thinks that reporting is not needed in order to avoid "blacklisting", then what is the point of reporting at all? I think differently from you; from my point of view, MTAs mostly get banned not for one mail per day =D, they get banned for mailing many non-valid users, for a big amount of mail when they do not send such mail regularly, and so on. And even sending one report per day to an MTA that requests it can avoid future graylisting for people2people emails. I have seen really annoying greylisting from many MTAs, especially from Yahoo when you do not send them mail once per day or more. They wait more than 3 hours before saying 200 OK. This is of course only my view of the situation.
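What a received aggregate report shows an administrator (volume per source IP, and which sources failed both DKIM and SPF), as an added example that is not part of the thread and is not parsedmarc's code. It assumes the RFC 7489 report layout without an XML namespace; the size cap and the sample report are constructed for illustration.

```python
import gzip
import io
import xml.etree.ElementTree as ET
from collections import Counter

MAX_XML_BYTES = 10 * 1024 * 1024  # cap on decompressed size (assumed limit)

def load_report(blob):
    """Parse one aggregate report received from an untrusted remote reporter."""
    if blob[:2] == b"\x1f\x8b":  # gzip magic; read() is bounded against bombs
        blob = gzip.GzipFile(fileobj=io.BytesIO(blob)).read(MAX_XML_BYTES + 1)
    if len(blob) > MAX_XML_BYTES:
        raise ValueError("report too large")
    if b"<!DOCTYPE" in blob or b"<!ENTITY" in blob:
        raise ValueError("DTD/entity declarations rejected")
    return ET.fromstring(blob)

def summarize(root):
    """Message counts per source IP, and which sources failed DMARC."""
    per_ip, failing = Counter(), Counter()
    for rec in root.iter("record"):  # assumes no XML namespace on elements
        row = rec.find("row")
        pe = row.find("policy_evaluated") if row is not None else None
        if pe is None:
            continue
        ip = row.findtext("source_ip", "?")
        count = int(row.findtext("count", "0"))
        per_ip[ip] += count
        # DMARC fails only when neither aligned DKIM nor aligned SPF passed
        if pe.findtext("dkim") != "pass" and pe.findtext("spf") != "pass":
            failing[ip] += count
    return {"reporter": root.findtext("report_metadata/org_name", "?"),
            "domain": root.findtext("policy_published/domain", "?"),
            "total": sum(per_ip.values()),
            "per_ip": dict(per_ip), "dmarc_fail_by_ip": dict(failing)}

# Constructed sample report (documentation IP ranges, made-up reporter)
SAMPLE = b"""<?xml version="1.0"?><feedback>
<report_metadata><org_name>reporter.example</org_name></report_metadata>
<policy_published><domain>example.org</domain><p>none</p></policy_published>
<record><row><source_ip>192.0.2.10</source_ip><count>42</count><policy_evaluated>
<disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
<record><row><source_ip>198.51.100.7</source_ip><count>3</count><policy_evaluated>
<disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
<record><row><source_ip>203.0.113.5</source_ip><count>5</count><policy_evaluated>
<disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
</feedback>"""

if __name__ == "__main__":
    print(summarize(load_report(SAMPLE)))
```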
It does not work as a workaround for greylisting. Sending to system addresses will always skip any filtering (or most). This is not an argument to implement it, even if it worked for Yahoo. Just wait 2 minutes for your first mail to be delivered to Yahoo. (Just to clarify: that's not a mailcow issue at all). I'm not even sure they do greylisting for all mail. I have never seen Yahoo mail queued for retry. Could be wrong though.
Offtopic
@andryyy you don't understand, I am not saying that graylisting is in any way a mailcow issue o_O. I am not saying that it is a 100% workaround for graylisting, but it potentially can be; for example, I enabled skipping Rspamd only for postmaster@* and that's all, so in case someone sends me a DKIM report it will pass the graylist =D because [email protected] is an alias with normal spam filtering. All other system emails reject spam, and the error message says to write to [email protected] in any case. And I say it as a counter-argument that sending DMARC report will not trigger to get in DNSBL, I hardly believe in this.
Simply not related to issue at all: yahoo graylisting
I even wrote to them multiple times to fix this issue for a list of my domains:IPs, and even after an answer from them, "they changed something" - the issue still reproduces, but more rarely. When a domain has not sent them mail for more than n days, a new one can really stay in the mail queue for more than 3 hours with a 4.2.1 status code.
sending DMARC report will not trigger to get in DNSBL, I hardly believe in this
In theory, it should not — the mailbox receiving DMARC reports should never be spam filtered, graylisted, or used for training a blacklist. But I've seen too many misconfigured mail servers that I wouldn't be surprised if some did precisely that. And I don't think it's worth risking your server's reputation for sending DMARC reports which are of rather limited use.
yahoo graylisting
I even wrote to them multiple times to fix this issue for a list of my domains:IPs, and even after an answer from them
That's an issue completely separate from DMARC. And nothing Mailcow can fix.