[Feature Request] Filter to show only Auth Fails

[nikilase]

I am running a Mailcow instance and hence use the watchdog@MAILCOW_HOSTNAME (so in my case watchdog@mail.mydomain.com) as the watchdog from email.

As per their documentation I added the SPF and DMARC Record for mail.mydomain.com which means a DMARC of "v=DMARC1; p=none;" in _dmarc.MAILCOW_HOSTNAME.
This is mainly due to the emails not being DKIM signed as they are sent outside of the normal Mailcow stack.
Additionally I added my rua and ruf emails to the DMARC to monitor what happens there.

Now for my feature request.
With the above information, I get correct DMARC reports to my rua mail for this mail.mydomain.com domain.
But the dmarc report viewer shows issues with the DKIM, even though no DKIM Auth is required.
I do understand that technically the DKIM Policy check returns as a fail, as no DKIM Policy could be checked.
Still, the DKIM Auth check in DMARC did not happen, as was expected, so from my point of view this data set would indicate no real error.

As your dashboard correctly differentiates between DKIM Policy and DKIM Auth Results, i.e. filters out the RUA's where no DKIM Auth was required, wouldn't it be nice to be able to also filter by only Reports with Auth Problems, DKIM Auth Problems and SPF Auth Problems, according to the DMARC Policy that was set?

That way you could get just a bit more granularity on the reporting, and filter out "false positives".

[cry-inc]

Maybe I just have a slow day, but I cannot follow. What exactly should be filtered where by which criteria?

Also, I am bit worried about the part where you admit that you bypass DKIM intentionally and then need some special behaviour to fix your specific case. In general I want to avoid adding features for special corner cases and keep it simple.

[nikilase]

Might also be that I did not do the best job describing it.
Also apologies if I might not understand this all correctly.

I am not talking about bypassing DKIM somehow, but more about domains where DKIM might not be enabled.
Basically I get reports like the one attached where there is no <feedback>.<record>.<auth_results>.<dkim> entry due to no DKIM being used.
watchdog.txt

In your main Dashboard this gets correctly visualized, as the DKIM Policy Result is failed, but the DKIM Auth Result is empty (as expected)

But due to you using the Policy instead of Auth results in the filters and list, the above example still looks like it failed and cannot be filtered out.

I understand that for a domain where both SPF and DKIM is used, this makes sense, but not for domains where no DKIM is being used.
I have 2 examples where this (i.e. no DKIM signing) can be an expected behaviour.

1. Your mails being hosted somewhere where no DKIM signing is supported, but you still would like to enable SPF and get DMARC reports (talking about you Deutsche Telekom Homepagecenter, luckily I moved to Mailcow)
2. The Mailcow Watchdog or possibly also other Mailservers Watchdogs, needing to send mails even when the rspamd container is down (which is responsible for DKIM signing).

So basically I would just like a way to filter only by DKIM Auth Result Failures, which should not exist for the above two scenarios.
Maybe even just a filter that shows all reports with Auth failures (instead of policy failures), which would show reports where an SPF or DKIM auth failure occured, but not ones where DKIM Auth was skipped due to no DKIM DNS record being found.
I hope that this is understandable and might be an easy addition to the UI.
I see that you already check the &record.auth_results.dkim in your report_is_flagged function, but just add the result to the dkim_flagged variable, so maybe just having a dkim_auth_flagged variable to use in the filter would suffice?

Some background info regarding why I would like this.

Mailcow has a Watchdog Service which runs in its own Docker Container and can detect when Mailcow Containers have errors, for example when the postfix or rspamd container has failed.
As the Watchdog Container is running "standalone" i.e. does not really interact with the rest of the Mailcow stack other than checking their statuses, this Watchdog Container has its own really basic mailserver (well actually just an smtp client?) which can send an email alert if an error in the Mailcow Stack was detected.

Due to the above, the Watchdog Container does not use DKIM signing when sending out alerts, as it is a really basic mailserver.
They send out the alerts from watchdog@{FQDN} so most often from watchdog@mail.{mydomain.tld}.
In their documentation they describe that, a dmarc and spf record would still be advisable for mail.{mydomain.tld}, see here: https://docs.mailcow.email/post_installation/firststeps-authorize_watchdog_and_bounces/

This makes sense as it would still report if an unauthorized mailserver tried to send from that mail.{mydomain.tld} domain, due to the SPF Record.
DKIM Policy checks would fail (or just not be evaluated), as no DKIM signature or DNS record can be found.
Due to no DKIM DNS record being found, DKIM Auth checks would be skipped, hence no dkim element will be present in the <feedback>.<record>.<auth_results>.

[Klaws--]

Maybe a filter (and a pie chart, everyone loves pie!) which only show "hard fails"? In other word, where is not none?

<record>
  <row>
    <source_ip>1.2.3.4</source_ip>
    <count>1</count>
    <policy_evaluated>
      <disposition>quarantine</disposition>

My situation differs from that of nikilase, as I have both SPF and DKIM correctly implemented. I'd just love to have a view here I can see whether the shit really hit the fan.

Oh, and I'd also love to have every pie chart clickable, not just the first two ones, to take me directly to a list of emails/reports which contribute to the "piece of cake" (sector of the chart).

In any case, I love that the DMARC Report Viewer runs smoothly and reliably and is so extremly lean! Thank you very much!