# Nightly DMARC aggregate-report ingestion. Fetches the day's rua reports from the
# dedicated dmarc@performancewest.net mailbox (Google, Yahoo, Comcast, Cox, Bell,
# Mimecast, Cisco ESA, GMX, mail.com, Microsoft, ...), decompresses + parses the
# XML, and upserts per-source-IP SPF/DKIM/DMARC alignment into dmarc_report /
# dmarc_record. This is the authoritative cross-operator view of who sends mail AS
# us and whether it passes alignment -- the payoff of this session's DKIM/subdomain
# fixes -- and it flags any UNKNOWN IP sending as us (spoofing) under our p=reject.
#
# --alert prints the last-7d per-IP alignment summary and sends a Telegram warning
# if one of our own IPs drops below 95% DMARC pass, or an external IP sends >=20
# failing messages as us. Marks processed messages \Seen so each run only handles
# new reports (idempotent; reports are also keyed (org_name, report_id) in the DB).
#
# The mailbox is IMAP-reachable from the network and the DB lives inside the docker
# network, so we run inside the workers container (which has DMARC_IMAP_* + DATABASE_URL
# from .env). Runs at 06:20 UTC (after 06:10 reputation, before 06:30 scrub).
20 6 * * * deploy cd /opt/performancewest && docker compose exec -T workers python3 -m scripts.dmarc_report_parser --alert >> /var/log/pw-dmarc-parser.log 2>&1
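#
# Added example (not this repository's scripts.dmarc_report_parser): a sketch of the
# per-IP alignment tally and the two --alert thresholds described above, run over a
# constructed RFC 7489 report. OWN_IPS, MAX_XML_BYTES, the function names and the
# sample data are assumptions; only gzip is handled, and DTDs are refused because
# the XML comes from outside reporters.

```python
import gzip
import io
import xml.etree.ElementTree as ET
from collections import defaultdict

MAX_XML_BYTES = 10 * 1024 * 1024   # assumed cap against decompression bombs
OWN_IPS = {"192.0.2.10"}           # hypothetical: our own sending IPs (TEST-NET-1)

# Constructed sample report (RFC 7489 aggregate schema, trimmed); not real data.
SAMPLE = b"""<feedback>
 <record><row><source_ip>192.0.2.10</source_ip><count>90</count>
  <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>192.0.2.10</source_ip><count>10</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.7</source_ip><count>25</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def load_xml(blob):
    """Decompress gzip if needed (bounded) and refuse DTDs from untrusted reporters."""
    if blob[:2] == b"\x1f\x8b":
        with gzip.GzipFile(fileobj=io.BytesIO(blob)) as fh:
            blob = fh.read(MAX_XML_BYTES + 1)
    if len(blob) > MAX_XML_BYTES:
        raise ValueError("report too large")
    if b"<!DOCTYPE" in blob or b"<!ENTITY" in blob:
        raise ValueError("DTD/entity declarations not accepted")
    return ET.fromstring(blob)

def per_ip(root):
    """Sum counts per source IP as [passed, failed]; pass = aligned DKIM or SPF pass."""
    stats = defaultdict(lambda: [0, 0])
    for row in root.iter("row"):
        ip = row.findtext("source_ip")
        n = int(row.findtext("count") or 0)
        pe = row.find("policy_evaluated")
        ok = pe is not None and "pass" in (pe.findtext("dkim"), pe.findtext("spf"))
        stats[ip][0 if ok else 1] += n
    return dict(stats)

def alerts(stats):
    """Apply the two thresholds from the header comment to per-IP totals."""
    out = []
    for ip, (ok, bad) in sorted(stats.items()):
        if ip in OWN_IPS:
            if ok + bad and ok / (ok + bad) < 0.95:
                out.append(("own_ip_below_95", ip))
        elif bad >= 20:
            out.append(("external_failing", ip))
    return out
```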