Understanding the difference between Aggregate and Forensic Reports

DMARC Aggregate Reports: DMARC aggregate reports give receiving mail servers' view of the sources and authentication status of email sent on behalf of a domain. They reveal the following:

  • Whether the emails authenticate against DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework).
  • The domain that was evaluated for DKIM/SPF.
  • The originating IP address of the messages.
  • How many messages were sent from each source on a given day.
  • The DMARC result and the policy action applied.

DMARC aggregate reports are sent on a regular schedule in XML format and contain no content from the emails themselves. By analyzing aggregate reports you can identify every legitimate source that sends mail for your domain and confirm that each of them is authenticating correctly.

DMARC Forensic Reports: Forensic reports are sent each time an email claiming to be from your domain fails both SPF and DKIM authentication. Because a forensic report contains message-level data, it can be used for a detailed investigation of emails spoofing your domain, including:

  • Email addresses of the sender and recipient
  • Subject lines for emails
  • The message ID and message time
  • Information about IP (Internet Protocol), ISP (Internet Service Provider), and domain
  • Results from SPF, DKIM, and DMARC

The data collected in forensic reports reveals problems associated with a particular source, mail stream, or sending IP.

In summary, aggregate reports help you identify and authorize legitimate email sources, whereas forensic reports help you analyze spoofed emails and recognize the characteristics of an attack.