How to Read Your First DMARC Reports

24 July, 2020

What Are DMARC Aggregate Reports?

An aggregate report is an XML feedback report designed to provide visibility into emails that passed or failed SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). It does not contain any information about the emails themselves.

The report provides domain owners with precise insight into:

  • The authentication results
  • The effect of the domain owner’s DMARC policy

The report contains the following:

  • The domain or organization that sent the report
  • The domain that you are receiving the report for and its current DMARC policy
  • Date
  • Sending IP address
  • Email count
  • The disposition of those emails, i.e. the policy that was applied to those emails by the receiver
  • The SPF identifier and result, if any
  • The DKIM identifier and result, if any

All this information helps an organization determine who is sending email on its behalf, whether a sender is allowed to do so, and whether the messages are authenticated correctly. On top of that, an organization is able to see who is sending malicious emails on its behalf. Eventually, an organization will be able to make sure that the malicious emails won’t reach the inbox of the receivers. This can be done by enforcing a DMARC reject policy.


How to Request DMARC Aggregate Reports

To start collecting data on your email streams, publish a simple DMARC record in monitor mode (tag: p=none), with a request for aggregate reports (tag: rua=mailto:[email protected]). Need help creating a DMARC record? This post along with our DMARC Creation Wizard will help you build one.

Once your DMARC record is in place, participating mailbox providers will send daily aggregate reports to the destination you defined in the rua tag.

Below is an overview of what is and what is not included in these DMARC aggregate reports, along with real-world examples so you can become more familiar with the format.


What Is Included in the DMARC Aggregate Reports


1. ISP information


  • Report ID number

  • Reporting Organisation Name

  • Reporting Organisation sending email address and additional contact information

  • Beginning and ending date range in seconds


2. Description of a DMARC record


  • Header domain/from domain

  • Alignment settings for both DKIM and SPF

  • Domain policy (reject)

  • Subdomain policy (reject)

  • Percentage of messages to which the DMARC policy is to be applied


3. Summary of authentication results 


  • IP identified in the email

  • Total of IP addresses identified
  • Disposition of the message, to show if the policy was applied
  • DKIM authentication result, the domain, and result
  • SPF authentication result, the domain, and result
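
As an added example (not part of the original article and not DMARC Analyzer's code), the Python below reads the three parts described above from an aggregate report and totals passing and failing message counts per sending IP. The sample report is constructed, and the code assumes an already decompressed UTF-8 report whose elements carry no XML namespace.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate format; every value is made up.
ROW = ("<record><row><source_ip>{}</source_ip><count>{}</count><policy_evaluated>"
       "<disposition>none</disposition><dkim>{}</dkim><spf>{}</spf>"
       "</policy_evaluated></row></record>")
SAMPLE = ("""<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1595548800</begin><end>1595635199</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
""" + ROW.format("192.0.2.10", 120, "pass", "pass")
    + ROW.format("198.51.100.7", 4, "fail", "fail")
    + ROW.format("192.0.2.10", 3, "fail", "pass") + "</feedback>").encode()

def parse_report(xml_bytes):
    # Reports arrive from third parties: refuse any DTD before parsing
    # (entity expansion, external entities). Byte check assumes UTF-8 input.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD not allowed in an aggregate report")
    root = ET.fromstring(xml_bytes)
    meta = {"org": root.findtext("report_metadata/org_name"),
            "report_id": root.findtext("report_metadata/report_id"),
            "begin": int(root.findtext("report_metadata/date_range/begin")),
            "end": int(root.findtext("report_metadata/date_range/end")),
            "domain": root.findtext("policy_published/domain"),
            "policy": root.findtext("policy_published/p")}
    per_ip = defaultdict(lambda: {"pass": 0, "fail": 0})
    for row in root.iter("row"):
        ev = row.find("policy_evaluated")
        # DMARC passes when the evaluated DKIM or SPF result is "pass".
        ok = "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        per_ip[row.findtext("source_ip")]["pass" if ok else "fail"] += int(row.findtext("count"))
    return meta, dict(per_ip)

if __name__ == "__main__":
    meta, per_ip = parse_report(SAMPLE)
    print(meta["org"], meta["domain"], "p=" + meta["policy"], meta["begin"], meta["end"])
    for ip, c in sorted(per_ip.items(), key=lambda kv: -kv[1]["fail"]):
        print(f"{ip:15} pass={c['pass']:<6} fail={c['fail']}")
```

Sources that only ever fail, such as 198.51.100.7 in the sample, are the ones to investigate before moving the policy beyond p=none.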


DMARC Analyzer collects these reports and will merge them into user-friendly overviews. DMARC Analyzer is easy to use and the overviews within our tool will give an organization information on how to make sure its email channel is fully authenticated and secured against malicious users.


What is Not Included in the DMARC Aggregate Reports


  • Trends across ISPs: Identifying trends on IP addresses reporting across different ISPs is a great way to troubleshoot authentication issues and help ensure your legitimate email is getting delivered. However, aggregate reports do not contain trends. Your organization must have the capacity (or work with an organization that does) to analyze bulk data across many different aggregate reports to glean actionable insights.

  • Sender Score (reputation data): If an authentication failure is due to an IP address not within your infrastructure, you will have to do additional research on the reputation of that IP address to determine whether or not it is a legitimate sender. 
  • Message samples: Aggregate reports do not contain message-level data. Forensic reports do. If you identify a dubious IP address within an aggregate report and need to find message-level data to troubleshoot it, you have to search both the aggregate and forensic reports and make those connections manually.

  • Alerting capabilities: Once you move your domain to reject, you want to ensure your legitimate mail is not negatively affected by the new policy. Since aggregate reports do not contain trend data, there is no way to tell if your legitimate messages are getting blocked in bulk due to the reject policy.

