Getting DMARC Queries

Description:


DMARC is a mechanism to define policies for email validation, disposition and reporting. These policies are published in a DNS TXT record at a subdomain with the label "_dmarc". The query below selects every DNS query whose name has "_dmarc" as its lowest (leftmost) label and that asks for a TXT record (qtype 16). The results are ordered by the total number of queries per qname.



Impala Query:


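-- Count TXT queries (qtype 16) whose leftmost label is "_dmarc".
-- A plain prefix comparison is used because "_" in a LIKE/ILIKE pattern
-- matches any single character, so '_dmarc.%' would also match e.g. 'xdmarc.%'.
select qname, count(1) as tot
from dns.staging
where lower(substr(qname, 1, 7)) = '_dmarc.'
and qtype = 16
group by qname
order by tot desc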




Example Output:


_dmarc.paypal.nl. 5153
_dmarc.virtuoso.nl. 4492
_dmarc.variate.nl. 4408
_dmarc.thermistor.nl. 4375
...
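
The filter described above, run over a handful of constructed names. This is an added example, not part of the original page; the CTE name constructed_qnames and all of its rows are made up for illustration. It puts the ILIKE pattern next to an exact prefix test, because "_" in a LIKE/ILIKE pattern matches any single character rather than a literal underscore.

```sql
-- Constructed sample rows; none of them come from dns.staging.
with constructed_qnames as (
  select '_dmarc.example.nl.' as qname, 16 as qtype        -- ordinary DMARC policy lookup
  union all select '_DMARC.Example.NL.', 16                -- same name in mixed case
  union all select 'xdmarc.example.nl.', 16                -- not a DMARC name: first character is not "_"
  union all select '_dmarc.example.nl.', 1                 -- A query (qtype 1), not TXT
  union all select 'a.example._report._dmarc.example.org.', 16  -- "_dmarc" is not the leftmost label
)
select qname,
       qtype,
       -- "_" here is a single-character wildcard
       qname ilike '_dmarc.%'                 as ilike_match,
       -- literal, case-insensitive comparison of the first 7 characters
       lower(substr(qname, 1, 7)) = '_dmarc.' as prefix_match
from constructed_qnames
where qtype = 16
order by qname;
```

Rows where ilike_match and prefix_match differ are names the wildcard pattern would count as DMARC lookups even though their leftmost label is not "_dmarc".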