diff --git a/hosts/falkenstein/modules/monitoring/default.nix b/hosts/falkenstein/modules/monitoring/default.nix
index 4f18bfe..be1d931 100644
--- a/hosts/falkenstein/modules/monitoring/default.nix
+++ b/hosts/falkenstein/modules/monitoring/default.nix
@@ -3,6 +3,9 @@
 age.secrets."maxmind" = {
 file = ../../../../secrets/shared/maxmind.age;
 };
+ imports = [
+ ./dmarc.nix
+ ];
 users.users."promtail".extraGroups = [ "caddy" "systemd-journal" ];
 services.prometheus = {
 exporters = {
@@ -10,9 +13,6 @@
 enable = true;
 enabledCollectors = [ "systemd" ];
 };
- postfix = {
- enable = true;
- };
 };
 };
 services.geoipupdate = {
@@ -115,6 +115,5 @@
 };
 networking.firewall.allowedTCPPorts = [
 config.services.prometheus.exporters.node.port
- config.services.prometheus.exporters.postfix.port
 ];
 }
diff --git a/hosts/falkenstein/modules/monitoring/dmarc.nix b/hosts/falkenstein/modules/monitoring/dmarc.nix
new file mode 100644
index 0000000..f1d66bb
--- /dev/null
+++ b/hosts/falkenstein/modules/monitoring/dmarc.nix
@@ -0,0 +1,35 @@
+{ config, ... }:
+{
+ age.secrets.dmarc = {
+ file = ../../../../secrets/falkenstein/dmarc.age;
+ };
+ users.users.dmarc = {
+ description = "DMARC Report recipient";
+ isNormalUser = true;
+ };
+ networking.firewall.allowedTCPPorts = [ config.services.elasticsearch.tcp_port ];
+ services.parsedmarc = {
+ enable = true;
+ provision = {
+ grafana = {
+ dashboard = false;
+ datasource = false;
+ };
+ localMail.enable = false;
+ elasticsearch = false;
+ geoIp = false;
+ };
+ settings = {
+ imap = {
+ user = "dmarc@rfive.de";
+ port = 993;
+ host = "mail.rfive.de";
+ password = {
+ _secret = config.age.secrets.dmarc.path;
+ };
+ };
+ opensearch.hosts = "localhost:9200";
+ };
+ };
+ services.opensearch.enable = true;
+}
diff --git a/hosts/nuc/modules/monitoring/default.nix b/hosts/nuc/modules/monitoring/default.nix
index ba3aed7..31619ae 100644
--- a/hosts/nuc/modules/monitoring/default.nix
+++ b/hosts/nuc/modules/monitoring/default.nix
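Review bot: In the new `hosts/falkenstein/modules/monitoring/dmarc.nix`, `networking.firewall.allowedTCPPorts = [ config.services.elasticsearch.tcp_port ];` opens a port on every interface for a service this module never enables: the file turns on `services.opensearch`, and parsedmarc reaches it at `localhost:9200`, so nothing visible here needs inbound access. `services.elasticsearch.tcp_port` is the Elasticsearch transport-port option, not the OpenSearch HTTP port, so the rule does not even match what is running. I would drop the line; if another host has to reach OpenSearch, scope the rule with `networking.firewall.interfaces.<vpn-interface>.allowedTCPPorts` and confirm OpenSearch authentication is enabled first, since the NixOS module appears to ship with the security plugin disabled by default. It would also help to add a comment above `users.users.dmarc` saying why the report mailbox needs `isNormalUser = true` rather than a system account.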
@@ -104,12 +104,6 @@ in
 }];
 scrape_interval = "15s";
 }
- {
- job_name = "postfix";
- static_configs = [{
- targets = [ "falkenstein.vpn.rfive.de:${toString config.services.prometheus.exporters.postfix.port}" ];
- }];
- }
 {
 job_name = "synapse";
 static_configs = [{
diff --git a/overlays/default.nix b/overlays/default.nix
index 7e4ccb5..3e9738a 100644
--- a/overlays/default.nix
+++ b/overlays/default.nix
@@ -112,16 +112,4 @@ in
 pythonPath = python.pkgs.makePythonPath propagatedBuildInputs;
 };
 });
- # (hopefully) fix systemd journal reading
- prometheus-postfix-exporter = prev.prometheus-postfix-exporter.overrideAttrs (_old: {
- patches = [
- ./prometheus-postfix-exporter/0001-cleanup-also-catch-milter-reject.patch
- ];
- src = fetchFromGitHub {
- owner = "adangel";
- repo = "postfix_exporter";
- rev = "414ac12ee63415eede46cb3084d755a6da6fba23";
- hash = "sha256-m1kVaO3N7XC1vtnxXX9kMiEFPmZuoopRUYgA7gQzP8w=";
- };
- });
 }
diff --git a/overlays/prometheus-postfix-exporter/0001-cleanup-also-catch-milter-reject.patch b/overlays/prometheus-postfix-exporter/0001-cleanup-also-catch-milter-reject.patch
deleted file mode 100644
index 2b60316..0000000
--- a/overlays/prometheus-postfix-exporter/0001-cleanup-also-catch-milter-reject.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From f4c5dd5628c873981b2d6d6b8f3bbf036b9fd724 Mon Sep 17 00:00:00 2001
-From: Rouven Seifert
-Date: Thu, 2 May 2024 11:20:27 +0200
-Subject: [PATCH] cleanup: also catch milter-reject
-
----
- postfix_exporter.go | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/postfix_exporter.go b/postfix_exporter.go
-index f20d99c..676d767 100644
---- a/postfix_exporter.go
-+++ b/postfix_exporter.go
-@@ -335,6 +335,8 @@ func (e *PostfixExporter) CollectFromLogLine(line string) {
- e.cleanupProcesses.Inc()
- } else if strings.Contains(remainder, ": reject: ") {
- e.cleanupRejects.Inc()
-+ } else if strings.Contains(remainder, ": milter-reject: ") {
-+ e.cleanupRejects.Inc()
- } else {
- e.addToUnsupportedLine(line, subprocess, level)
- }
---
-2.44.0
-
diff --git a/secrets.nix b/secrets.nix
index 055be04..8c188cb 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -36,6 +36,7 @@ in
 "secrets/falkenstein/wireguard/dorm/preshared.age".publicKeys = [ rouven falkenstein ];
 "secrets/falkenstein/borg/passphrase.age".publicKeys = [ rouven falkenstein ];
 "secrets/falkenstein/borg/key.age".publicKeys = [ rouven falkenstein ];
+ "secrets/falkenstein/dmarc.age".publicKeys = [ rouven falkenstein ];
 #shared
 "secrets/shared/maxmind.age".publicKeys = [ rouven nuc falkenstein ];
diff --git a/secrets/falkenstein/dmarc.age b/secrets/falkenstein/dmarc.age
new file mode 100644
index 0000000..0383f1e
--- /dev/null
+++ b/secrets/falkenstein/dmarc.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 uWbAHQ OVBZwLNH5ryKgNruVU0XRV2F5dDu7W9R3qMWz08Krzs
+vrXngscbxNRGfITXKM1uRNFRjUZRaWNpZ9ijSy+pERw
+-> ssh-ed25519 slrRig AIO7ny4bykCYWzLgCfd75dt00myFSd+waEv2/MEOpUY
+65u83G9Ew+idajuExoTb5URAnM1paEGFYsfQ3HqKvGg
+--- YoSI0kDXGCKQQCebjG8vzsTJMomjJ3RZWY0j+eG5U6U
+n NS]6ep!Y" D&u2NJy`j
\ No newline at end of file