I received an email from "mailer daemon@report domain submitter esa1.hc3329-29.iphmx" which appears to have a DMARC report XML file attached. Is it a legit DMARC report? If this is not the correct place to ask this question, please suggest where to find an answer.
1 Answers
0
As far as I know, the iphmx.com domain belongs to Cisco IronPort. You can perform an IP address lookup for esa8.sap.c3s2.iphmx.com at https://network-tools.webwiz.net/ip-information.htm
...and yes, DMARC XML reports coming from a Reporter whose name ends with iphmx.com are legitimate reports; I receive a lot of them.

Zonder
- Thanks, I don't understand why the DMARC report would have "mailer daemon" at the beginning of the email address? – rwww Sep 08 '19 at 03:27
- The [DMARC RFC](https://tools.ietf.org/html/rfc7489#appendix-C) does not explain exactly the purpose of the email address to be specified in the **email** tag. The other [DMARC-related draft document](https://tools.ietf.org/html/draft-crocker-dmarc-bcp-03#section-7.1) says about the *email* tag: "_The email address where a report recipient can alert the report generator to problems related to the DMARC aggregate report. This can be a mailing list address or contain multiple email addresses._" – Zonder Sep 08 '19 at 07:41
- Looking at the DMARC XML reports I receive, I see that many XML feeders use "no-reply" (e.g. Google, Yahoo) or "mailer-daemon" addresses, and replies to those addresses bounce in most cases. So, apparently most DMARC aggregate report feeders send reports from a non-existent email address (obviously, to avoid floods). – Zonder Sep 08 '19 at 07:42
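
Added example, not part of the original thread: one way to inspect such an attachment before trusting it is to read the reporter metadata (including the `email` tag discussed above) and confirm the report is about a domain you own. The element names follow the schema in RFC 7489 Appendix C; the function name `summarize_report` and every value in the sample report are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample following the aggregate-report schema in RFC 7489 Appendix C.
SAMPLE_REPORT = b"""<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>reporter.example</org_name>
    <email>mailer-daemon@reporter.example</email>
    <report_id>constructed-0001</report_id>
  </report_metadata>
  <policy_published><domain>Example.org</domain><p>none</p></policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>3</count>
      <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.org</header_from></identifiers>
  </record>
</feedback>"""

def summarize_report(xml_bytes, my_domains):
    """Pull out the fields worth checking by hand in an unsolicited report."""
    # The attachment is untrusted input: refuse DTDs and entity declarations.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD or entity declaration found; refusing to parse")
    root = ET.fromstring(xml_bytes)
    for el in root.iter():  # some reporters add an XML namespace; drop it
        el.tag = el.tag.rsplit("}", 1)[-1]
    if root.tag != "feedback":
        raise ValueError("root element is not <feedback>")

    def text(node, path):
        return (node.findtext(path) or "").strip()

    domain = text(root, "policy_published/domain").lower()
    rows = [(text(r, "row/source_ip"), int(text(r, "row/count") or 0),
             text(r, "row/policy_evaluated/dkim"),
             text(r, "row/policy_evaluated/spf"))
            for r in root.iter("record")]
    return {
        "org_name": text(root, "report_metadata/org_name"),
        "email": text(root, "report_metadata/email"),  # contact tag discussed above
        "report_id": text(root, "report_metadata/report_id"),
        "policy_domain": domain,
        # A genuine report describes mail that claimed to be from your domain.
        "about_my_domain": domain in {d.lower() for d in my_domains},
        "rows": rows,
    }
```

Real reports usually arrive gzip- or zip-compressed, so decompress the attachment first and pass the resulting bytes to the function.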