SYNOPSIS
dmarc_view_reports [ --option=value ]
Dumps the contents of the DMARC data store to your terminal. The most recent records are shown first.
Search Options
rid - report ID (internal database ID)
author - report author (Yahoo! Inc, google.com, etc.)
from_dom - message sender domain
begin - epoch start time to display messages after
end - epoch end time to display messages before
disposition - DMARC disposition (none,quarantine,reject)
dkim - DKIM alignment result (pass/fail)
spf - SPF alignment result (pass/fail)
limit - limit number of reports returned (defaults to 100)
sort - sort by: rid, author, from_domain, begin, end (append :asc or :desc)
The default sort is rid:desc (newest reports first). You can also use --sort=newest or --sort=oldest.
Prefix a value with ! to negate the match (exclude matching records). This is supported for author, from_dom, disposition, dkim, and spf. For example, --author=!google.com will exclude reports authored by google.com.
Other Options
dmarc_view_reports [ --geoip --dns --help --verbose ]
geoip - do GeoIP lookups (requires the free Maxmind GeoCityLitev6 database).
dns - do reverse DNS lookups and display hostnames
help - print this syntax guide
verbose - print additional debug info
EXAMPLES
To view a specific report by its ID:
dmarc_view_reports --rid=560
To search for all reports from google.com that failed DMARC alignment:
dmarc_view_reports --author=google.com --dkim=fail --spf=fail
Note that we don't use --disposition. That would only tell us the result of applying DMARC policy, not necessarily if the messages failed DMARC alignment.
To exclude reports from google.com:
dmarc_view_reports --author=!google.com
To exclude rows with a specific disposition:
dmarc_view_reports --disposition=!none
To show only the newest 50 reports:
dmarc_view_reports --limit=50
To view oldest reports first:
dmarc_view_reports --sort=oldest
To display GeoIP lookup data for the source IP:
dmarc_view_reports --geoip
By default, city, country_code and continent_code are shown. You can optionally pass a comma-delimited string to --geoip= with any of the following fields:
country_code country_code3 country_name region region_name city postal_code latitude longitude time_zone area_code continent_code metro_code
dmarc_view_reports --geoip=country_name,continent_code
dmarc_view_reports --geoip=continent_code,country_name # keep order
dmarc_view_reports --geoip=city,city,city # repeat
SAMPLE OUTPUT
ID   Author          Report-Start
 | -- Qty  From          IP                       Disposition  DKIM  SPF
570  theartfarm.com  2013-05-20 09:40:50
 | --   1  simerson.net  75.126.200.152           quarantine   fail  fail
568  yeah.net        2013-05-21 09:00:00
 | --   1  tnpi.net      111.176.77.138           reject       fail  fail
565  google.com      2013-05-20 17:00:00
 | --  88  mesick.us     208.75.177.101           none         pass  pass
563  google.com      2013-05-20 17:00:00
 | --   1  lynboyer.com  2a00:1450:4010:c03::235  none         pass  fail  forwarded
 | --  12  lynboyer.com  208.75.177.101           none         pass  pass
 | --   1  lynboyer.com  209.85.217.174           none         pass  fail  forwarded
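Added example (not shipped with dmarc_view_reports): a shell function that totals, per sender domain and source IP, the messages in rows where both DKIM and SPF alignment failed, the same condition as the --dkim=fail --spf=fail search under EXAMPLES. It assumes the row layout shown above without --geoip or --dns columns; dmarc_fail_summary, sample_report and the sample rows are constructed for illustration.

```sh
#!/bin/sh
# Added example (not shipped with dmarc_view_reports). Assumes the row layout
# shown under SAMPLE OUTPUT, without the extra --geoip or --dns columns.

# Reads dmarc_view_reports output on stdin. For every row where both DKIM and
# SPF alignment failed, prints "<messages> <from domain> <source IP>
# <dispositions applied>", largest message count first.
dmarc_fail_summary() {
    awk '
        /^[ \t]*\|/ {
            # Strip the "| --" row marker, leaving the fields
            # qty, from, ip, disposition, dkim, spf [, reason].
            sub(/^[ \t]*\|[ \t]*--[ \t]*/, "")
            if ($1 !~ /^[0-9]+$/) next              # column header row
            if ($5 != "fail" || $6 != "fail") next  # at least one check aligned
            key = $2 " " $3
            total[key] += $1
            # Record each distinct disposition once, in input order.
            if (!((key, $4) in seen)) {
                seen[key, $4] = 1
                if (key in disp) disp[key] = disp[key] "," $4
                else disp[key] = $4
            }
        }
        END { for (k in total) print total[k], k, disp[k] }
    ' | sort -k1,1nr -k2,2 -k3,3
}

# Constructed sample in the SAMPLE OUTPUT layout (documentation addresses).
sample_report() {
    cat <<'EOF'
ID Author Report-Start
| -- Qty From IP Disposition DKIM SPF
901 reporter-a.example 2013-05-20 09:40:50
| -- 2 example.com 192.0.2.10 quarantine fail fail
| -- 12 example.com 198.51.100.7 none pass pass
902 reporter-b.example 2013-05-21 09:00:00
| -- 5 example.com 192.0.2.10 reject fail fail
| -- 1 example.net 2001:db8::235 none pass fail forwarded
| -- 1 example.net 203.0.113.9 reject fail fail
EOF
}

sample_report | dmarc_fail_summary
```

With real data, pipe dmarc_view_reports --dkim=fail --spf=fail into dmarc_fail_summary, and raise --limit if the default of 100 reports would cut off the period you are reviewing.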
AUTHORS
Matt Simerson <msimerson@cpan.org>
Davide Migliavacca <shari@cpan.org>
Marc Bradshaw <marc@marcbradshaw.net>