Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

ES 10.0.11 - DMARC Reporting missing - nothing but Google?

BWCBWC Cybersecurity Overlord ✭✭✭

Hi,

is anyone else experiencing missing DMARC reporting? @David W

DMARC Master Detail Report is just showing Provider google.com for the last 21 days, but I know that Microsoft did send reports in the recent days as well. What happened to them?

dmarc_reports:<hostname> log directory only holds .xml files from Google.

It's not just my deployment, it affects customer deployments too.

--Michael@BWC

Category: Email Security Appliances
Reply

Answers

  • David WDavid W SonicWall Employee

    @BWC I will have to see what I can find out.

    I don;t think we have anything reported on it at the moment.

    However I do know that there are some instances where if there is anything in policy filters doing anything with compressed file types they may get missed due to being altered.

    Check and see if you have anything like that in policy filters and may need to add some exceptions to not do anything with them when the zip, GZIp file attachments are sent in. They come in as an email inbound.

    If you have a case open I can see if Gailand can do a follow up with you.

    David Wilbur

     Technical Support Senior Advisor, Premier Services , SME Email Security

  • BWCBWC Cybersecurity Overlord ✭✭✭

    @David W thanks for checking, I'll open up a ticket and keep you posted because this is something I don't wanna attack with general Support.

    I don't have any Policies in use which are related to archives.

    The whole DMARC implementation seems to be fragile, outbound reporting does not seem to work without having an outbound Flow and 127.0.0.1 as allowed IP address in the contacting Path. This is not documented anywhere, I just saw my own reports in the Inbound Log, which did not made sense to me. After having this fixed, DMARC outbound reports are delivered properly.

    Funny thing, one of the reports send out last night was addressed to a HES Customer of mine, guess what, no DMARC report on HES either. I'll check again tomorrow, not sure how often DMARC reports will be processed.

    --Michael@BWC

  • BWCBWC Cybersecurity Overlord ✭✭✭

    DMARC does not seems to be strong suit of Email Security, while waiting for the answer about the failing incoming DMARC reporting I found another flaw in outbound DMARC reports, which render them probably useless.

    The XML generated by ES is not compliant to RFC7489, it should contain a record like this:

    		<identifiers>
    			<envelope_from>xyz.de</envelope_from>
    			<header_from>xyz.de</header_from>
    		</identifiers>
    

    but instead it uses the element name identities instead identifiers which is not correct.

    Is anyone using DMARC seriously on SonicWall Email Security and not struggling with this?

    --Michael@BWC

  • BWCBWC Cybersecurity Overlord ✭✭✭

    Just in case anybody cares (what I begin to doubt), I've got an update to my ticket after 2 months:

    Issue is under review by devs.
    

    I'll leave it to that and see what happens

    --Michael@BWC

  • BWCBWC Cybersecurity Overlord ✭✭✭

    Another two months past, the world has changed dramatically, but no progress on DMARC. It's good to have some constants in life.

    I know, I know, devs were busy with log4j and the 2022 date dilemma. 🤬

    --Michael@BWC

  • BWCBWC Cybersecurity Overlord ✭✭✭

    7+ months in and still no visible progress, Engineering is involved and the DMARC issues should be fixed with the Release of Firmware 10.0.19 with no ETA at the moment. We'll see.

    --Michael@BWC

  • BWCBWC Cybersecurity Overlord ✭✭✭

    Firmware 10.0.19 got released, but the DMARC issues are not addressed according to the Release Notes, got postponed because of the recent issues I guess.

    --Michael@BWC

  • BWCBWC Cybersecurity Overlord ✭✭✭

    Happy anniversary 🤦‍♂️, DMARC reporting still not working but I've got word that Firmware 10.0.20 will probably fix it, ETA somewhere in the future. Provided that no other big task is consuming all the time of the huge army of developers which are actively working on ES, like a log4j update or similar.

    --Michael@BWC

Sign In or Register to comment.