Decoding Complex DMARC Reports: Learn to Read Them
DMARC reports give insight into your domain’s email activity, helping you analyze how email service providers and mail servers treat the messages you send. There are two types of DMARC reports: aggregate and failure.
To start receiving DMARC aggregate reports, add the ‘rua’ tag to your valid DMARC record, followed by the email address where you want to receive them. For failure reports, the ‘ruf’ tag does the same job, followed by the email address to which recipients’ mail servers will send them.
Purpose of DMARC Reports
A DMARC report lets domain owners or administrators monitor email activity and detect malicious senders, so that damage can be prevented or contained before the situation worsens. It tells you what percentage of messages passed or failed the DMARC check, broken down by sending source.
Aggregate reports are generated and sent to you regularly, usually daily or weekly, to give you an overview of the email traffic sent using your domain. Failure reports, on the other hand, are generated by receivers’ mail servers whenever a message sent from your domain fails DMARC authentication. They give you details such as the email headers, the SPF and DKIM results, and other critical information; in rare cases a failure report also includes the body of the message.
DMARC reports indicate the disposition applied to emails: none, quarantine, or reject. By evaluating the percentage of false positives (legitimate mail that failed) over a period of time, DMARC administrators decide whether the policy type or percentage should be changed, for example moving from p=quarantine to p=reject, or raising the enforcement share from p=reject; pct=30 to p=reject; pct=50.
You can make such a change because the reports give you confidence that most of the emails sent from your domain are landing in primary inboxes rather than in the spam folder or being rejected.
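The record tags discussed above (rua, ruf, p, pct and the alignment modes) are easy to get subtly wrong, and a malformed record means no reports or no enforcement. The following is an added example, not DMARCReport’s code, that parses a DMARC TXT record into its tags and flags the common mistakes, including the percent sign in `pct=30%`, which is not valid DMARC syntax; the domains and addresses in it are constructed.

```python
"""Parse a DMARC TXT record into its tags and sanity-check the settings
discussed above (p, sp, pct, adkim/aspf, rua, ruf). Added example, not
DMARCReport's code; the example.com addresses are constructed."""

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc_record(txt):
    """Split 'v=DMARC1; p=reject; pct=50' into an ordered dict of tag -> value."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, _, value = part.partition("=")
        tags[name.strip().lower()] = value.strip()
    return tags


def check_dmarc_record(txt):
    """Return a list of problems; an empty list means the record looks sane."""
    try:
        tags = parse_dmarc_record(txt)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    # RFC 7489 requires v=DMARC1 as the first tag and p as a valid policy.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        problems.append("record must start with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        problems.append("p must be none, quarantine or reject")
    if "sp" in tags and tags["sp"] not in VALID_POLICIES:
        problems.append("sp must be none, quarantine or reject")
    # pct is a bare integer 0-100; 'pct=30%' is a common mistake that breaks parsing.
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        problems.append(f"pct must be an integer 0-100 without a percent sign (got {pct!r})")
    for tag in ("adkim", "aspf"):
        if tag in tags and tags[tag] not in {"r", "s"}:
            problems.append(f"{tag} must be r (relaxed) or s (strict)")
    # Report destinations are comma-separated mailto: URIs.
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if not uri.startswith("mailto:") or "@" not in uri:
                problems.append(f"{tag} destination must be a mailto: address (got {uri!r})")
    if "rua" not in tags:
        problems.append("no rua tag: you will not receive aggregate reports")
    return problems


if __name__ == "__main__":
    for record in (
        "v=DMARC1; p=reject; pct=50; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com",
        "v=DMARC1; p=quarantine; pct=30%; rua=mailto:dmarc@example.com",
        "v=DMARC1; p=none",
    ):
        print(record, "->", check_dmarc_record(record) or "OK")
```

Run it against the TXT record you actually publish (for example the output of `dig +short TXT _dmarc.yourdomain.com`) before and after each policy change; the third sample record shows the case where mail is monitored but no reports ever arrive because rua is missing.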
Reading a DMARC Report
Deciphering DMARC reports can be challenging for those without a technical background. Below is a raw aggregate report, shown as an illustration:
    <?xml version="1.0" encoding="UTF-8" ?>
    <feedback>
      <report_metadata>
        <org_name>google.com</org_name>
        <email>noreply-dmarc-support@google.com</email>
        <extra_contact_info>http://google.com/dmarc/support</extra_contact_info>
        <report_id>8293631894893125362</report_id>
        <date_range>
          <begin>1234573120</begin>
          <end>1234453590</end>
        </date_range>
      </report_metadata>
      <policy_published>
        <domain>yourdomain.com</domain>
        <adkim>r</adkim>
        <aspf>r</aspf>
        <p>none</p>
        <sp>none</sp>
        <pct>100</pct>
      </policy_published>
      <record>
        <row>
          <source_ip>302.0.214.308</source_ip>
          <count>2</count>
          <policy_evaluated>
            <disposition>none</disposition>
            <dkim>fail</dkim>
            <spf>pass</spf>
          </policy_evaluated>
        </row>
        <identifiers>
          <header_from>yourdomain.com</header_from>
        </identifiers>
        <auth_results>
          <dkim>
            <domain>yourdomain.com</domain>
            <result>fail</result>
            <human_result></human_result>
          </dkim>
          <spf>
            <domain>yourdomain.com</domain>
            <result>pass</result>
          </spf>
        </auth_results>
      </record>
    </feedback>
Breaking Down a DMARC Raw Report
Reporting Organization:
- <org_name>: The organization that generated the report, i.e. the mail receiver, in this case “google.com.”
- <email>: The reporter’s contact address for DMARC-related queries.
Report Identification:
- <report_id>: Unique identifier for the DMARC report.
Date Range:
- <date_range>: Indicates the timeframe the report covers, with “begin” and “end” given as Unix timestamps (seconds since 1970-01-01 UTC).
DMARC Record Specifications:
- <policy_published>: Displays your domain’s DMARC record as the receiver saw it, including the alignment modes (adkim and aspf), the policy for the domain and its subdomains (p and sp), and the enforcement percentage (pct).
Source IP Address:
- <source_ip>: The IP address of the server that sent messages using your domain in the From header; this is where you spot unknown or unauthorized senders.
Authentication Results Overview:
- <policy_evaluated>: The receiver’s verdict for this source: the disposition applied, and whether DKIM and SPF passed in alignment with the From domain. DMARC passes when at least one of the two is aligned and passing.
Email Header Information:
- <header_from>: Specifies the “From” domain in the email header, the domain that DKIM and SPF results must align with.
DKIM and SPF Authentication-Results:
- <auth_results>: Details the raw DKIM and SPF results, each with the domain that was checked and pass or fail. A raw pass for a domain that does not align with header_from still counts as a DMARC failure.
Understanding these components in the raw DMARC report allows you to gain insights into your email authentication landscape, helping you identify and address potential issues.
How to Analyze DMARC Reports?
DMARC reports arrive in XML, which is daunting to read by hand, but you can use our DMARC analyzer to convert them into an easy-to-comprehend form. Here’s how the process flows:
Receive DMARC Reports
The first step in understanding and evaluating DMARC reports is to obtain them, either from the recipients’ email service providers or from a DMARC reporting service. Some email service providers automatically generate and send DMARC reports to domain owners; others require manual configuration before they will do so.
Evaluate the Aggregate Reports
Check how many emails failed SPF and/or DKIM checks and whether any malicious entity is sending messages posing as you or someone from your company. Look for patterns, such as a particular sending source that consistently fails DMARC authentication checks.
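The raw report broken down above and this evaluation step are what a report parser automates: unpack the attachment, flatten each <record> into one row per source IP, and surface the sources whose mail failed DMARC. The following is an added example, not DMARCReport’s analyzer; the embedded report is constructed in the RFC 7489 schema with RFC 5737 documentation addresses, and its second record shows the case practitioners most often misread, a third party whose DKIM and SPF pass for its own domain but fail DMARC because neither aligns with the From domain.

```python
"""Summarise a DMARC aggregate (rua) report: which sources sent mail as the
domain, how much, and whether it passed DMARC. Added example, not
DMARCReport's code; the report below is constructed, with RFC 5737 addresses."""
import gzip
import io
import zipfile
# For reports from arbitrary senders, defusedxml.ElementTree is the safer parser.
import xml.etree.ElementTree as ET

# Constructed sample: one aligned sender, one third party that is unaligned.
SAMPLE_REPORT = b"""<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>google.com</org_name><email>noreply-dmarc-support@google.com</email>
    <report_id>example-report-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourdomain.com</domain>
    <adkim>r</adkim><aspf>r</aspf><p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourdomain.com</domain><result>pass</result></dkim>
      <spf><domain>yourdomain.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>12</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>other-sender.example</domain><result>pass</result></dkim>
      <spf><domain>other-sender.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""
# Reports normally arrive as .xml.gz attachments; this is the same report compressed.
SAMPLE_REPORT_GZ = gzip.compress(SAMPLE_REPORT)


def unpack_report(data):
    """Return XML bytes from a raw .xml, .xml.gz or .zip attachment."""
    if data[:2] == b"\x1f\x8b":
        return gzip.decompress(data)
    if data[:2] == b"PK":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            xml_name = next(n for n in zf.namelist() if n.lower().endswith(".xml"))
            return zf.read(xml_name)
    return data


def parse_aggregate_report(data):
    """Flatten the report into metadata plus one dict per sending source."""
    root = ET.fromstring(unpack_report(data))
    meta, policy = root.find("report_metadata"), root.find("policy_published")
    summary = {
        "reporter": meta.findtext("org_name"),
        "report_id": meta.findtext("report_id"),
        "domain": policy.findtext("domain"),
        "policy": policy.findtext("p"),
        "sources": [],
    }
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        # policy_evaluated holds the *aligned* results; DMARC passes if either aligns.
        dkim_ok = evaluated.findtext("dkim") == "pass"
        spf_ok = evaluated.findtext("spf") == "pass"
        summary["sources"].append({
            "ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": evaluated.findtext("disposition"),
            "dkim_aligned": dkim_ok,
            "spf_aligned": spf_ok,
            "dmarc_pass": dkim_ok or spf_ok,
            # Raw results show which domain actually signed / was SPF-checked.
            "dkim_domain": rec.findtext("auth_results/dkim/domain"),
            "spf_domain": rec.findtext("auth_results/spf/domain"),
        })
    return summary


def pass_rate(summary):
    """Fraction of reported messages that passed DMARC (0.0 for an empty report)."""
    total = sum(s["count"] for s in summary["sources"])
    passed = sum(s["count"] for s in summary["sources"] if s["dmarc_pass"])
    return passed / total if total else 0.0


def failing_sources(summary):
    """Sources that failed DMARC, highest volume first: the ones to investigate."""
    return sorted((s for s in summary["sources"] if not s["dmarc_pass"]),
                  key=lambda s: s["count"], reverse=True)


if __name__ == "__main__":
    report = parse_aggregate_report(SAMPLE_REPORT_GZ)
    print(f"{pass_rate(report):.0%} passed; failing sources:",
          [(s["ip"], s["count"], s["dkim_domain"]) for s in failing_sources(report)])
```

Feed it the attachments from your rua mailbox and review the failing_sources list first: a source that fails while its raw DKIM or SPF domain is one you do not recognise is either a spoofer or a vendor that was never set up to sign as your domain, and the disposition column tells you what the receiver actually did with that mail under your current policy.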
Evaluate the Failure Reports
Failure reports aren’t sent for every email; mail servers create them as soon as a message fails DMARC authentication. Responding promptly to these failures can prevent reputation damage from phishing and spoofing attempts that impersonate an official of your company.
Make Alterations, If Required
After reviewing the DMARC reports, adjust your configuration as required. This might mean changing your DKIM or SPF records, tightening or loosening your DMARC policy, or making other changes that improve your DMARC results.
Continue Monitoring
DMARC reports arrive regularly, so keep reviewing them and adjust your DMARC policy when necessary. Doing this keeps your domain protected and your email messages secure.
Trust DMARCReport
At DMARCReport, we not only send regular reports but also take down malicious IPs and help you achieve compliance on demand. We use AI to identify abusive sending sources from their behavior and historical data, contributing to a safer cyberspace.