Parsedmarc is an open-source Linux tool that reads DMARC reports, parses the RFC-compliant results and outputs them as JSON.
It is an excellent tool and also integrates with Splunk very nicely, which is why I thought to write about it here.
The parsedmarc documentation can be found here: https://domainaware.github.io/parsedmarc/
The documentation is fairly robust, but I did have some trouble initially when setting it up.

Requirements

  • Linux machine
    • You can even run this on the Windows Subsystem for Linux on Windows 10 if you wish
  • Splunk
    • It doesn't matter if it is Enterprise or Cloud, and it can also be a free license (<500MB a day)
  • A DMARC record on your domain
    • With rua and ruf tags that send reports to a mailbox you can access/control

Installation

Installing parsedmarc is fairly simple, but one thing to bear in mind is that it only works with Python 3.
The installation instructions should be followed from the parsedmarc documentation linked at the top of the page.

Configuration

Once installed, the parsedmarc.ini file must be configured before the tool can run. This file can be stored anywhere on the machine, but the default location is the /etc/ folder. Below is a sanitised version of my parsedmarc.ini file.

[general]
save_aggregate = True
save_forensic = True
# your DNS resolvers (comma-separated); these are DNS servers, not NTP servers
nameservers =

[imap]
# your mail server
host =
# your user, who has rights to the inbox where your reports are being sent
user =
password = Enter_Password
# I needed this to avoid intermittent certificate errors; note that it disables TLS certificate checks on the IMAP connection
skip_certificate_verification = True
reports_folder = INBOX

# Splunk HEC settings; set url and token for your instance
[splunk_hec]
url = https://http-inputs-INSTANCE.com:443/services/collector
# your HEC token
token =
index = email

A few notes about the above that I learned through trial and error.

  • nameservers
    • The parsedmarc documentation strongly recommends using the default Cloudflare resolvers. However, if you are in an enterprise environment with its own DNS resolvers, you will definitely want to use those instead.
  • skip_certificate_verification
    • I eventually had to use this setting or else I would get intermittent errors about certificates
  • splunk_hec section
    • This only applies if you have a Splunk instance you are sending the output to, but it is fairly self-explanatory.
    • You simply need to create an HTTP Event Collector (HEC) token on your instance, fill in the url, token and index as above, and you should be good to go.

After installing and configuring, you are ready to test.
To run parsedmarc, you just run the parsedmarc command and supply the location of the .ini file with -c.
I like to run it with --debug when running it manually, as it shows you progress and can point out problematic DMARC reports it is hanging on.

parsedmarc -c /etc/parsedmarc.ini --debug

When you have verified that it runs correctly, you can either set it up to run as a service or create a cron job to run the command every couple of hours.
Currently I simply run it as a cron job, as it is nice and easy to set up and troubleshoot if necessary.

Conclusion

Parsedmarc offers capability that not many free tools provide, and the logging through Kibana or Splunk makes it even better.
I highly recommend giving it a shot, and if you run into issues I have found the creator to be very responsive and helpful on the GitHub repo.