Learn How to Go Through a DMARC Report

Malicious actors routinely use email spoofing to trick organizations into opening malicious attachments or clicking on links. To prevent email spoofing, you need to set up email authentication using DMARC, a protocol that allows email senders to specify how the receiving server should handle emails bearing their domain name.

A DMARC report is a document that is generated by a DMARC-compliant email receiver and lists all of the rejected, quarantined, or delivered emails. Reading and interpreting the report helps you improve the email authentication process. Below is valuable information on reading and understanding a DMARC report to improve your email security posture.

What is a DMARC Report?

DMARC reports are essential for understanding whether the email authentication system for your domain works correctly and as intended by the DMARC policy. A DMARC report is a comprehensive summary of email authentication activity for a given domain. The report includes information on all messages, with details of the emails that passed and failed evaluation against the DMARC policy. The report can also help organizations identify and correct any incorrect DNS information causing email authentication failures.

Types of DMARC Reports

Understanding the different types of DMARC reports will help you make the most of this valuable resource. The two main types of DMARC reports are:

  • Aggregate report (RUA)
  • Forensic report (RUF)

Aggregate Report (RUA)

Aggregate reports provide details of all emails authorized with SPF and DKIM. This report helps you understand how many messages are sent with a valid DMARC record. It can also help identify which domains are sending the most messages.

The report lists all messages sent to the recipient and includes the following information for each email:

  • The date the message was sent
  • The email address of the sender
  • The email address of the recipient
  • The DKIM signature of the message
  • The DKIM key that signed the message
  • The result of the DMARC evaluation for the message

Forensic Report (RUF)

Forensic or Failure reports provide details about email messages that failed DMARC authentication. This report can help you determine if your policy is too restrictive or not restrictive enough. Additionally, this report can help you identify which email addresses are sending messages not compliant with the DMARC policy. It will also indicate when a message has failed the authentication check due to a DMARC policy.

Contents of a DMARC Report

DMARC reports are designed to help organizations understand how their emails are being authenticated and can be used to prevent email spoofing. The report will mainly show the following information:

  • How many emails were sent
  • How many were authenticated
  • How many emails failed authentication
  • The domains used in the email and how they were authenticated

One of the most critical fields in the report is “policy_domain.” This field shows the domain that DMARC is protecting. If this domain is not included in the report, emails were not authenticated by DMARC. Another important field is “failed_message_count.” This field shows how many of the emails failed authentication. If you see many failed messages, you know that there are problems with the email.

How To Read A DMARC Report?

Though a DMARC report is beneficial, it is not easy to read at first glance because it is written in XML rather than plain English. This XML report is also called the ‘raw report.’ It mainly contains XML metadata and record details. There are two ways to read DMARC reports.

  1. Reading manually directly from the XML format
    Reading the raw report manually is a tedious task. However, if you look carefully, you will see that the report consists of different sections, and you can pick the necessary information out of the XML jumble in the raw report. For instance, the number enclosed by the ‘report id’ tag is the report id. Similarly, the information within the tags <spf>, <dkim>, <dmarc>, etc. is the SPF, DKIM, and DMARC authentication information respectively.

  2. Using a converter to convert the XML information to an easily readable format
    The above method of manual reading is not practical. Hence, you may use a converter that transforms the entire XML format report into a report in plain English that anyone can read easily. Different options are available to convert it into a tabular form or several other convenient formats. A simple example of a tabular report for two records will look like below.
(Source: Google Support)
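
A small converter of the kind described above, as an added example that is not from the original article: it reads one aggregate report and returns a row per record plus the sent, authenticated and failed totals listed under Contents of a DMARC Report. The element names follow the RFC 7489 aggregate report schema; the sample report and the names parse_report and summarize are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample report in the RFC 7489 aggregate layout; every value is made up.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>1234567890</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>quarantine</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>12</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.7</source_ip><count>3</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""

def parse_report(xml_text):
    # Reports come from outside parties: refuse DTDs so entity tricks never reach the parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration found in report")
    root = ET.fromstring(xml_text)
    meta = {"reporter": root.findtext("report_metadata/org_name", ""),
            "report_id": root.findtext("report_metadata/report_id", ""),
            "domain": root.findtext("policy_published/domain", ""),
            "policy": root.findtext("policy_published/p", "")}
    rows = []
    for rec in root.findall("record"):
        ev = "row/policy_evaluated/"
        dkim, spf = rec.findtext(ev + "dkim", "fail"), rec.findtext(ev + "spf", "fail")
        rows.append({"source_ip": rec.findtext("row/source_ip", ""),
                     "count": int(rec.findtext("row/count", "0")),
                     "header_from": rec.findtext("identifiers/header_from", ""),
                     "dkim": dkim, "spf": spf,
                     "disposition": rec.findtext(ev + "disposition", ""),
                     # DMARC passes when either aligned check passes.
                     "dmarc": "pass" if "pass" in (dkim, spf) else "fail"})
    return meta, rows

def summarize(rows):
    total = sum(r["count"] for r in rows)  # each row stands for `count` messages
    passed = sum(r["count"] for r in rows if r["dmarc"] == "pass")
    return {"total": total, "passed": passed, "failed": total - passed}

if __name__ == "__main__":
    meta, rows = parse_report(SAMPLE_REPORT)
    print(meta, summarize(rows), *rows, sep="\n")
```

Rows whose dmarc value is fail and whose source_ip you do not recognize are the ones to investigate first: they are either a legitimate sender missing from your SPF/DKIM setup or someone spoofing the domain.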

Final Words

A DMARC report is a crucial tool in the fight against email spoofing. By reading and understanding a DMARC report using a convenient and appropriate means, you can get proper feedback on DMARC email authentication and improve the authentication process to prevent your organization from becoming a victim of a spoofing attack.

By taking advantage of the DMARC reporting mechanism, email administrators can enhance the deliverability of their organization’s legitimate emails and reduce the amount of spam and phishing emails that reach their users’ inboxes.
