Analyze DMARC Reports: Understanding the Content of a DMARC Report

This book can become a valuable resource for beginners to DMARC technology or professionals interested in expanding their knowledge on email security measures.

DMARC reports include important information about email traffic on your domain that can help you avoid future phishing attempts. They are usually sent as an email attachment titled “DMARC Report.” Aggregate DMARC reports, or RUAs, are collections of DMARC reports. They are shaped into two:

  • DMARC Aggregate Report (RUA)
  • DMARC for forensics (RUF)

What is the DMARC Report Generation Process?

As part of the DMARC validation procedure, inbound mail servers generate DMARC reports.

DMARC reports are typically sent out once a day via email; however, this may be customized to meet your specific needs. You may audit them using email reports if you include the RUA DMARC record tag on your DMARC records. They are sent to the email addresses you specified when creating your DMARC record.

After adding one or more DKIM signatures to an email, where at least one signature successfully authenticates with the transmitting IP address specified in a defined DNS record (the “envelope”), a report is sent for each message received.

How Does the DMARC Record Work?

A DMARC record check reveals information about the domain’s DMARC policies and standards. It can be used to determine:

  • The name of the domain
  • Checking the alignment strength of DKIM (relaxed/strict)
  • Check the alignment strength of the SPF (relaxed/strict)
  • DMARC (Domain-Based Authentication, Reporting (none, quarantine, or reject)

Free DMARC analyzers allow you to create and validate DMARC records and provide DMARC policies and additional information for reviewing, validating, and testing foreign domains.

Analyzing DMARC Reports

A DMARC report is in XML format, with all information given within fixed tags.

  • ISP/ESP Information: The DMARC report checks begin by displaying the organization’s name.
  • Report ID: It is provided inside <report_id> tag.
  • Dates: <date_range> tag shows starting and end dates.
  • DMARC Record: It is provided inside DMARC report in the <policy_published> tag followed by the <domain>tag, <adkim>and <aspf>tags (containing the DKIM and SPF alignment strength respectively), the DMARC policy in the <p>tag, and the subdomain policy in the <sp> tag.
  • DKIM Authentication: DKIM authentication is provided together with any human result inside the <result> and <human_result> tags inside the <dkim> tag.
  • SPF Authentication: <spf> tag that shows the <result> tag as “pass” or “fail” for SPF authentication.
  • IP Address: The Internet Protocol address is mentioned in <source_ip> tag.
  • From Domain: Provided in the <header_from> tag.
  • Evaluation of DMARC authentication: The <policy_evaluated> tag provides a summary of DMARC record authentication with dkim and spf authentication listed as pass or fail in the <dkim> and <spf> tags.

Final Words

Reading information from a DMARC report and accessing data from numerous records might be a complex task without the right expertise. A DMARC checker or analysis tool can help you analyze and validate that DMARC is adequately working for your domain.

Ready to Start?

DMARC Report is designed for large scale reporting needs, with a combination of domains and message volume.