How to manually decipher DMARC reports, and why is it difficult?
DMARC reports are the backbone of email authentication. Reading them shows you how your outgoing email is authenticated and how recipients’ mail servers handle it, and it tells you whether an unauthorized party is sending email that claims to come from your domain.
However, there is a catch: DMARC aggregate and forensic reports come in XML, a machine-readable format that humans cannot process at a glance. That’s why many online tools decode and translate them into plain language. Some people still prefer the manual route, so let’s see how you can decipher these critical reports by hand.
How can you manually decode DMARC reports?
You need a clear process to decipher and manage these complex reports. Here is how to proceed:
1. Open the XML file
You will most likely receive the report as an attachment to an email from the recipient’s server. Open that file in a text editor such as Notepad, or in a browser, to see the XML structure.
2. Understand the XML structure
The report will have a hierarchical structure with key sections such as:
- <report_metadata>: Provides metadata about the report itself (e.g., report ID, date range, organization generating the report).
- <policy_published>: Displays your domain’s published DMARC policy (e.g., none, quarantine, reject).
- <record>: Contains the actual DMARC evaluation results of individual IP addresses that sent emails on your behalf.
3. Look at the ‘record’ section
The ‘record’ section describes how each group of messages was processed. The primary elements you will come across are:
- <row>: General information about messages sent from a specific IP. It is further divided into:
- source_ip: The IP address of the sending server.
- count: The number of emails received from this IP.
- disposition: The action taken by the recipient server (e.g., none, quarantine, reject).
- <identifiers>: Details about the domain and email address used in the ‘From’ field.
- <auth_results>: The SPF and DKIM authentication results, indicating whether an email passed or failed each check.
4. Examine auth_results
- SPF: Checks whether the sender’s IP address is included in the SPF record corresponding to your domain.
- DKIM: Verifies whether the email’s signature matches the domain’s DKIM settings. A ‘pass’ result means the email has not been tampered with in transit.
5. Interpret the results
Check whether each email passed or failed SPF and DKIM alignment. Ideally it passes both, which gives you full DMARC compliance.
Then check the ‘disposition’ field, which tells you what action the recipient’s server took based on your DMARC policy. Messages that fail SPF and DKIM should either be marked as spam (p=quarantine) or rejected (p=reject). Also check whether any unauthorized senders appear. If they do, note their source IPs so you can investigate and block them.
6. Identify the issues
If legitimate sources are failing SPF or DKIM, adjust your DNS settings to authorize them. If unauthorized IPs are sending email, this may indicate spoofing attempts, which need to be blocked.
7. Document and act
Update your SPF and DKIM records if required. You may also need to adjust your DMARC policies based on the reports and authentication results contained in them.
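As an added example (not code from the original post), here is a Python script that carries steps 1 to 7 out on a constructed sample report: it parses the XML, flattens each <record>, applies the DMARC rule that a message passes when either the aligned SPF or the aligned DKIM result is ‘pass’, and flags unknown source IPs, known senders whose alignment is incomplete, and dispositions that differ from the published policy. The report text, the domain example.com and the KNOWN_SENDER_IPS set are all assumptions; a real report usually arrives as a .zip or .gz attachment that you decompress before reading.

```python
"""Parse and interpret a DMARC aggregate (RUA) report, steps 1-7.

Added example. SAMPLE_REPORT is a constructed report in the RFC 7489
aggregate schema, not real data; example.com and KNOWN_SENDER_IPS are
placeholders for your own domain and sender inventory.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample: three sending IPs reporting to example.com (p=quarantine).
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example.net</org_name><report_id>0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>quarantine</p><pct>100</pct>
  </policy_published>
  <record><!-- own mail server: SPF and DKIM both aligned -->
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record><!-- third-party mailer: SPF passes for its own bounce domain (not aligned), DKIM aligned -->
    <row><source_ip>198.51.100.7</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>bounce.mailer.example.org</domain><result>pass</result></spf></auth_results>
  </record>
  <record><!-- unknown host using the domain in From: everything fails -->
    <row><source_ip>203.0.113.99</source_ip><count>15</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""

# Placeholder inventory of the IPs you know send mail for the domain (step 6).
KNOWN_SENDER_IPS = {"192.0.2.10", "198.51.100.7"}


@dataclass
class Record:
    source_ip: str
    count: int
    header_from: str
    disposition: str
    spf_aligned: bool   # <policy_evaluated><spf>: SPF passed AND aligned
    dkim_aligned: bool  # <policy_evaluated><dkim>: DKIM passed AND aligned

    @property
    def dmarc_pass(self) -> bool:
        # DMARC (RFC 7489) passes when either aligned identifier passes.
        return self.spf_aligned or self.dkim_aligned


def _text(el, path, default=""):
    node = el.find(path)
    return node.text.strip() if node is not None and node.text else default


def parse_report(xml_text):
    """Steps 1-3: read the XML and flatten each <record> into a Record."""
    root = ET.fromstring(xml_text)
    policy = _text(root, "policy_published/p", "none")
    domain = _text(root, "policy_published/domain")
    records = [
        Record(
            source_ip=_text(rec, "row/source_ip"),
            count=int(_text(rec, "row/count", "0")),
            header_from=_text(rec, "identifiers/header_from"),
            disposition=_text(rec, "row/policy_evaluated/disposition", "none"),
            spf_aligned=_text(rec, "row/policy_evaluated/spf") == "pass",
            dkim_aligned=_text(rec, "row/policy_evaluated/dkim") == "pass",
        )
        for rec in root.findall("record")
    ]
    return domain, policy, records


def find_issues(policy, records, known_ips):
    """Steps 5-6: return (source_ip, issue) pairs that need action."""
    issues = []
    for r in records:
        if r.source_ip not in known_ips:
            issues.append((r.source_ip, "unknown_sender"))
        elif not r.dmarc_pass:
            issues.append((r.source_ip, "known_sender_dmarc_fail"))
        elif not (r.spf_aligned and r.dkim_aligned):
            # Still passes, but only one mechanism is aligned: fix it now.
            issues.append((r.source_ip, "known_sender_partial_alignment"))
        # For failures the disposition normally mirrors the published policy
        # (pct<100 or a receiver's local policy can legitimately differ).
        if not r.dmarc_pass and r.disposition != policy:
            issues.append((r.source_ip, "disposition_differs_from_policy"))
    return issues


if __name__ == "__main__":
    domain, policy, records = parse_report(SAMPLE_REPORT)
    print(f"{domain} p={policy}: {sum(r.count for r in records)} messages")
    for ip, issue in find_issues(policy, records, KNOWN_SENDER_IPS):
        print(f"  {ip}: {issue}")
```

The second record is the instructive one: SPF passed, but for the mailer’s bounce domain rather than example.com, so it is not aligned and only the DKIM signature carries the DMARC pass. That is exactly the kind of legitimate source step 6 tells you to fix before it starts failing outright.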
Why is it difficult to manually decipher DMARC reports?
Apart from being in a format that is not human-friendly, DMARC reports also present the following problems.
Volume of data
Every receiving mail provider generates its own DMARC reports. If you send a high volume of email in a day, you can expect hundreds of these reports daily. Each report further includes data for hundreds of messages, resulting in a massive amount of data for you to review.
Let’s say you own an e-commerce company that sends 10,000 emails a day. Each recipient’s email server generates a DMARC report for the emails it received from your domain. Is it practically even possible to process hundreds of XML files containing data for thousands of emails by hand?
IP address identification and allowlisting
Legitimate emails often fail DMARC, DKIM, or SPF checks because of incorrect IP addresses or misconfigured email infrastructure. Manually matching IP addresses to known senders or third-party services (such as marketing platforms or CRMs) is a painstaking task.
For example, a report might show that emails sent from an IP belonging to a third-party marketing service failed SPF checks. To fix this, you would need to manually investigate whether this IP is authorized to send emails on behalf of your domain, and if so, ensure that the IP is included in the domain’s SPF record.
Cross-referencing DKIM/SPF failures with policies
When DKIM or SPF fails, you must cross-reference the failures with your domain’s DMARC policy (reject, quarantine, or none) to see how these failures impacted email delivery.
So, if a report says that 50% of emails are failing SPF and DKIM authentication checks and your DMARC record is set to the ‘p=reject’ policy, then half of your emails will be rejected (meaning they bounce back to you). Figuring out whether this is happening because of misconfiguration or malicious activity requires in-depth investigation.
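As an added example (not from the original post) covering both the IP-attribution and the policy cross-referencing problems above, this Python snippet takes rows already flattened out of an aggregate report, attributes each source IP to a named sender using the standard ipaddress module, and totals the failures together with what the published policy does to them. The ROWS list, the KNOWN_SENDERS netblocks and the sender names are constructed placeholders, not real infrastructure.

```python
"""Attribute report rows to known senders by netblock and size up what the
published DMARC policy does to the failures.

Added example; ROWS and KNOWN_SENDERS are constructed placeholders.
"""
import ipaddress
from collections import Counter

# Constructed rows as they come out of a flattened aggregate report:
# (source_ip, message count, DMARC pass?).
ROWS = [
    ("192.0.2.10", 120, True),
    ("192.0.2.11", 30, False),      # second corporate MTA, recently failing
    ("198.51.100.7", 40, True),
    ("198.51.100.200", 25, False),  # outside the block we recorded for the vendor
    ("203.0.113.99", 15, False),    # nobody we know
]

# Netblocks of the services authorized to send as the domain (placeholder values).
KNOWN_SENDERS = {
    "corporate MTA": ["192.0.2.0/28"],
    "marketing platform": ["198.51.100.0/25"],
}

# What each policy value makes receivers do with a failing message.
POLICY_EFFECT = {
    "none": "delivered, only reported",
    "quarantine": "sent to spam",
    "reject": "bounced",
}


def attribute(ip):
    """Name the sender whose netblock contains ip, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, blocks in KNOWN_SENDERS.items():
        if any(addr in ipaddress.ip_network(block) for block in blocks):
            return name
    return "unknown"


def summarize(rows, policy):
    """Per-sender pass/fail message counts plus the policy's overall impact."""
    per_sender = {}
    for ip, count, ok in rows:
        per_sender.setdefault(attribute(ip), Counter())["pass" if ok else "fail"] += count
    total = sum(count for _, count, _ in rows)
    failed = sum(count for _, count, ok in rows if not ok)
    return {
        "per_sender": per_sender,
        "failed_messages": failed,
        "fail_pct": round(100 * failed / total, 1) if total else 0.0,
        "effect": POLICY_EFFECT[policy],
    }


if __name__ == "__main__":
    summary = summarize(ROWS, "reject")
    for sender, counts in summary["per_sender"].items():
        print(f"{sender}: pass={counts['pass']} fail={counts['fail']}")
    print(f"{summary['fail_pct']}% of messages fail; under p=reject they are "
          f"{summary['effect']}")
```

The two ‘unknown’ rows illustrate the investigation the text describes: one may be a vendor IP that simply is not in your records yet and needs to be confirmed with the vendor and added to the SPF include, while the other may be a spoofer; the report alone cannot tell you which.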
Tools for simplification
As discussed above, the manual process may help you gain more insights, but it’s difficult and requires time. On the other hand, online DMARC reporting tools or parsers do the job in no time. You instantly get human-readable reports, which you can use to adjust your TXT records and policies.
We at DMARCReport provide a service that simplifies the analysis of these complicated XML reports, helping you ditch the cumbersome manual route. We offer large-scale reporting so that you can monitor domains, detect misconfigurations, and ultimately prevent being a victim of spoofing and phishing.
Get in touch with us to learn more about how we can help you leverage the benefits of DMARC reports.