DMARC is an important tool in the protection of your brand and your customers. Properly implemented DMARC can prevent fraudulent emails pretending to come from you ever making it to your customers, or prevent your domains being used as part of a spoofing or phishing attack.
Being able to analyse the reports generated by mail servers who process DMARC data is important, as you can see how effective your current configuration is and how much mail (and why) is being dropped by third parties.
parsedmarc is a Python module and CLI utility for parsing DMARC reports. When used with Elasticsearch and Kibana (or Splunk), it works as a self-hosted open-source alternative to commercial DMARC report processing services such as Agari Brand Protection, Dmarcian, OnDMARC, ProofPoint Email Fraud Defense, and Valimail.
This quick guide will take you through the basics of setting up parsedmarc using Docker. We assume that you have already configured DMARC and you have a mailbox that reports are being sent to. If you’ve not got that far yet, here is a good place to start.
The inscructions here assume you are using a modern Debian derivative and that your are logged in as root. You may need to adapt these instructions for your distro/environment.
Set up your Docker environment:
You’ll need at least 1.5GB RAM (2GB is recommended) and at least 25GB disk space. Your environment will also need access to Cloudflare’s DNS service to function correctly.
apt update apt -y upgrade apt -y install vim git reboot
curl -sSL https://get.docker.com/ | CHANNEL=stable sh systemctl enable docker.service systemctl start docker.service curl -L https://github.com/docker/compose/releases/download/1.29.2/docker-compose-Linux-x86_64 > /usr/local/bin/docker-compose chmod +x /usr/local/bin/docker-compose
Clone our repo:
git clone https://github.com/virtualfabric/parsedmarc-dockerized.git /opt/parsedmarc-dockerized/ cd /opt/parsedmarc-dockerized/
Next, we change the parsedmarc config (see documentation – in most cases, you should only need to adjust the [imap] section to match your mail server configuration. It is recommended that you use an application password if your IMAP server supports it.
vim data/conf/parsedmarc/config.ini
Now change the environment file to contain your geoipupdate settings from your MaxMind account, to allow the container to pull the databases. For update cycles of the databases, please see here.
vim geoipupdate.env
Finally, we start up the stack and wait:
docker-compose up -d
The next bit might take a little while…
- First, containers of the stack are created and started. This might take a while, as several containers have dependencies on others being in a healthy state.
- During the startup of the parsedmarc-init container, all required steps and preparations are being taken care of – like generating a self-signed certificate for the included nginx webserver.
- Once the Kibana container – where you can view the dashboards – is ready, the corresponding parsedmarc dashboards are automatically imported into Kibana by the parsedmarc-init container.
- After a little while, when everything is up and running, you can then access Kibana and its dashboards under the shipped reverse proxy at https://HOST_IP:9999.
By default, no authentication is set up so make sure you firewall the reverse proxy in such a way that only you can access it
If you need a DMARC analysis service and you don’t want to deploy it yourself, we’d be happy to set it up and host it for you.
