This release also includes the changes from 10.0.1 and 10.0.2, which were never published as separate GitHub releases.
10.0.3
Bug fixes
- Fix
Reply-To(andDelivered-To) addresses being dropped from failure-report samples.parse_email()looked up mailparser's underscoredreply_to/delivered_tokeys, butmail_jsonnames those headersreply-to/delivered-to, so the lookup always missed andparsed_sample["reply_to"]was always[]regardless of the message. Failure samples now carry their parsed Reply-To addresses through to JSON/CSV output and the Elasticsearch/OpenSearch nestedsample.reply_tofield.
Dashboard fixes
All failure (RUF) dashboards now render every displayed address (From, To, Reply-To) the same way: Display Name <addr>, or the bare address when there is no display name. The format is assembled at query time from fields (display_name / address) that already exist on previously-indexed reports, so the panels work on historical data, not only on reports stored after upgrading — with one unavoidable exception: a report's Reply-To only appears for reports parsed by 10.0.3 or later. Earlier versions discarded it at parse time (the bug above), so it is absent from older stored reports; recovering it requires re-parsing the original samples.
- Splunk failure dashboard: the email-samples panel showed empty
fromandreply_tocolumns — it renamedparsed_sample.headers.from{}{}/parsed_sample.headers.reply-to{}{}, which are mis-cased (the header keys areFrom/Reply-To) and array-of-array shaped. The panel now buildsfromandreply_towith anevalthat coalescesdisplay_name <address>down to the bareaddresswhen there is no display name. (A multi-addressReply-Tofalls back to addresses-only — a Splunk multi-value-rendering limitation, not a data-loss one.) - OpenSearch failure dashboard: the column labelled
reply_toaggregatedsample.headers.in-reply-to.keyword— theIn-Reply-Tothreading header, not the Reply-To address. It now aggregatessample.headers.reply-to.keyword, and that field was added to thedmarc_f*index pattern. To support it, the Elasticsearch/OpenSearch failure writer now flattens theReply-Toheader into a display string onsample.headers["reply-to"], mirroring the existingFrom/Tohandling. (Re-import the dashboards, or refresh thedmarc_f*index pattern, to pick up the new field.) - Grafana (Elasticsearch) dashboard: the Failure Samples panel already read
sample.headers.reply-to.keyword, but that field previously held the raw[[name, address]]array (split into separate name/address terms). The failure-writer flattening above makes the existingReplyTocolumn render a cleanName <address>string — no dashboard change required. - Grafana (PostgreSQL) dashboard: the Failure Reports panel did not surface the message
Fromheader orReply-Toat all (it showed only the envelopeMail From/Rcpt To). AddedFrom(fromsample_from) andReply To(aggregated fromdmarc_failure_sample_address) columns.
10.0.2
Changes
-
Bump the
mailsuiterequirement to>=2.2.1, which raises the transitivemail-parserfloor to>=4.2.1. This pulls in two upstream fixes:mail-parser4.2.1 stops returning a phantom('', '')entry for absent address headers, so parsedmarc no longer indexes an emptyCc/Bccaddress ({address: ""}) for every DMARC failure-report sample in Elasticsearch/OpenSearch — and no longer emits it in JSON, S3, or Kafka output.mail-parser4.2.1 also adopts the stricter address parsing that hardens against CVE-2023-27043 — a Pythonemail-module flaw where an RFC 2822 header containing a special character has the wrong portion identified as the addr-spec, which can let a crafted address bypass email-domain verification.
(The
Reply-Toparsing for failure samples and the failure dashboards are tracked separately.)
10.0.1
Changes
- Bump
mailsuiterequirement to>=2.2.0to fix an upstreamReply-Toheader parsing bug for failure samples