DMARC gives you information and control over your email channel. It protects your brand from being abused in phishing attacks and other email spoofing attacks. DMARC reports are a powerful tool for detecting issues with your DKIM and SPF configuration. URIports is a service that helps you put the often messy and confusing raw data from DMARC reports into action.
To give you an idea of what to expect, I'll walk you through the most common DMARC report types and go into the details of some of our own to help you better understand yours.
What you see below are sample DMARC reports as they appear in the URIports app. We blur some information to protect the privacy of our users and email contacts.
basics
Need to refresh your memory of any of the columns or values in the screenshot above? Please take a look at one of my previous blogs here:https://www.uriports.com/blog/the-beginners-guide-to-dmarc-with-uriports/
Our domain currently has a DMARC policy of "p=quarantine", so if DKIM and SPF fail, the receiving server must quarantine the message instead of delivering it to the recipient's inbox. As you can see in the screenshot, two rows (1) have this condition. But if we look at disposition (2), we see that only one line resulted in isolated messages.
I'll walk you through each line, expand the monitoring window, and explain what these reports are telling us. The message count sorts the rows in descending order (column count). So let's go from top to bottom.
Updated 05/07/2021
We added a DMARC column that allows you to easily filter and group the three different values (happen,failedeignored🇧🇷 If DKIM and SPF fail, the result isNOT CORRECTunless the receiving server ignores the policy. In this case, the DMARC value is set toignored🇧🇷 Most likely these are forwarded messages. If DKIM or SPF passed validation, the DMARC value would behappen.
Deployment None, DKIM Approved, SPF Approved
This is the line with the highest number of messages. The disposition is none (1), meaning the messages were delivered to the recipient's inbox. The "From" header (2) shows the email domain and below that we see the DKIM and SPF pass (3). The individual reports (latest above) provide more detail on the DMARC results. While the DKIM and SPF columns (3) can only have a Pass or Fail value, the DKIM and SPF authentication results (4) columns provide more detail. More on that later. This is what you want to see, all messages properly signed by DKIM and coming from a source with SPF permission.
Disposition none, DKIM approval, SPF failure
Now things are starting to get complicated. As you can see in the screenshot above, a total of 132 messages passed (1) DKIM but failed SPF (2). Upon reviewing each report, we find that the messages were received from IP addresses (3) that are not ours.
The first SPF authentication result (4) is an error because the SPF policy for the domain uriports.com does not allow listing the source IP (3). The following two SPF authentication results pass, but for a different (fuzzy) domain. SPF validation is based on a message's return-path, and while checking the SPF authentication result may succeed for that particular domain (e.g. the source IP is whitelisted in the return-path domain's SPF) , this is not the case for the domain with the "header of" align, causing the SPF to fail. Authentication results that do not match appear in purple color and are preceded by a ≠ (not equal) symbol.
This is mainly caused by servers relaying your message. Because the message was originally DKIM signed and was not modified in transit, DMARC passed and the message was delivered (no delivery).
Adding the source IP addresses to your SPF policy will not fix this SPF issue as the return path of messages always causes alignment issues. However, if these messages are being forwarded from a server that you control, you can investigate whether the return path can be modified to match the "Header from" domain.
Disposition none, DKIM error, SPF error
These seven messages failed DKIM and SPF (1) but were still delivered because the receiving server (google.com) had a good reason (2). If we look at the DKIM results (4), we see that the message had two DKIM signatures. Our original failed because the message was altered and a signature was approved by Microsoft. whyonmicrosoft.comdoes not matchuriports.comThere is no alignment (≠) and DKIM fails. SPF also fails because the return path domain (5) (fuzzy) is also misaligned (≠). However, Google has good reason to believe that the messages were relayed by Microsoft and has decided to ignore our DMARC policy and deliver the messages anyway.
Disposition quarantine, DKIM error, SPF error
Here are five messages that were correctly quarantined: (1) DKIM failed (2) because the messages had no DKIM signature (DKIM Auth Result "none") and SPF failed (3) because the source IP (4) not whitelisted by Microsoft is the SPF policy of the domain gmail.com. These messages are not from us and have been quarantined by the receiving server. If we had set our DMARC policy top=reject, the messages would have been rejected and not quarantined.
Disposition none, DKIM error, SPF approved
The above report is a great example of why you shouldn't trust every report you receive. This report was sent from a personal server (1) which was probably not configured correctly, causing the DKIM check to fail. Messages were sent directly from our server (2) and signed by DKIM, but validation somehow failed. The messages were delivered because the SPF passed. If you have a high number of messages and multiple sources are sharing these results, there is likely something wrong with your DKIM signing process. But in this case, with just three messages from a single source, we can safely ignore the DKIM error.
Disposition none, DKIM approval, SPF failure
This last report for just a single message in small (blurred) writing (1) can also safely be ignored. The source IP is one of our mail servers, but the SPF failed due to a transient error (2), most likely a DNS problem. DKIM passed well, so DMARC should pass too. Although the DMARC passed thanks to DKIM, the receiving server added an (unnecessary) override reason (3) to ensure the message was delivered. When in doubt, rely on high-volume reporting sources.
problems that need to be solved
Now that we've walked you through our reports, you might be wondering what to look out for and what issues can be resolved. Since our setup works flawlessly and all legitimate emails reach their destination, there is nothing for us to change.
In a perfect world, all your legitimate emails have a valid DKIM signature, come from a server using your domain's return path, and whose origin IP is allowed in the SPF policy.
Let me walk you through some common problems that can be solved:
DKIM failed, SPF passed, DKIM authentication result None
If you get many reports from different sources where the DKIM authentication result is "none" or "fail" and the SPF is successful, you have not configured DKIM or the signing process is not working properly. Use the source IP to locate the faulty server and troubleshoot the issues.
DKIM pass, SPF error, SPF authentication result error
This could indicate that an IP or service is not included in your SPF policy. First check the return path domain to see if there is an alignment problem. If the domain names are aligned, you can add the IP or include the service's SPF record in your SPF policy to resolve this issue.
SPF error, SPF authentication result error
If multiple sources are reporting an SPF "permerror," there's a good chance your SPF policy has a syntax error. In our experience, this is mostly caused by multiple SPF TXT records. Merge the records into a single TXT record to fix this issue.
SPF fails, SPF authentication result none
If SPF fails with an auth result value of "none", the (sub)domain in question does not have an SPF policy. If this (sub)domain is targeted and you want these messages to go through SPF, you need to create an SPF policy that excludes IP sources (e.g.v=spf1 and -alle🇧🇷 If you want these messages to fail, you must publish themv=spf1 -alle.
DKIM error, human result "algorithm not supported"
If multiple sources report this issue and the DKIM domain and the sender's domain match, messages will be signed with an unsupported algorithm. You must update your DKIM algorithms to RSA-sha256 to fix this issue.
URI carries
As you can see, DMARC reports contain a lot of valuable information. URIports is a great tool for collecting and enriching reporting data so you can be confident in your email setup. If we detect problems with your DKIM or SPF configuration, we will even send you (push) notifications. Not a URIports user yet? Start your 30-day trial now!
FAQs
What is a DMARC aggregate report? ›
Aggregate Report is one of two types of reports that the DMARC protocol provides. It offers valuable insight into your email authentication. An aggregate report is an XML feedback report designed to provide visibility into emails that passed or failed SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail).
How do you analyze a DMARC report? ›- Publish a DMARC Record with your preferred DMARC policy.
- Send DMARC Aggregate reports to GlockApps.
- Review Sending IP Addresses.
- Review SPF & DKIM Signature.
- Review your DMARC reports.
- Review your published DMARC policy & record.
In summary, aggregate reports help you identify and authorize your legitimate emails while forensic reports aid in analyzing spoofed emails and identifying attack attributes to take down. Through these reports, the DMARC framework plays a significant role in eliminating various email impersonation fraud!
Why am I getting so many DMARC reports? ›It is in fact a ruleset made for reporting back to you on the quality of the email messages received from your domain. You are receiving those XML reports because it's what you asked with the rua=mailto:email@example.com; part of your dmarc TXT record.
What are aggregated reports? ›Aggregate Reports refers to those reports that focus not so much on individual cases, but rather on overview, assessment of the safety profile and benefit-risk-evaluation. They comprise e.g. or safety related parts of Clinical Study Reports.
How do you explain DMARC in plain English? ›DMARC explained in plain English
What is DMARC? If we expand the acronym, the term DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It's an email security policy that allows email senders to specify policies for how their email should be handled if it's received by a receiving server.
The important information in the reports is whether messages from your domain pass DMARC. Each record summarizes: The number of messages sent from a single IP address for the report time period. The SPF, DKIM, and DMARC authentication results for the messages.
What should a DMARC record look like? ›That DMARC policy would actually look like: v=DMARC1; p=quarantine; adkim=s; aspf=s; What does this mean? v=DMARC1 indicates that this TXT record contains a DMARC policy and should be interpreted as such by email servers.
Which tag provide the aggregate report in DMARC record? ›A DMARC record invites DMARC reporting organizations to send DMARC aggregate reports back to the sender of an email. The record contains a RUA tag (tag: rua=mailto:example@somedomain.com). This email address will be the endpoint for the DMARC reporting organization to send the DMARC aggregate report to.
Why is aggregate reporting important? ›Aggregate reports are intended to provide an evaluation of the benefit-risk analysis balance for submission by pharmaceutical companies to the regulatory authorities at a defined point of time during the post-authorization phase.
Can you have 2 DMARC records? ›
The answer is no. You can only have one DMARC record for one domain or subdomain. If you have multiple records, the DMARC processing will stop and your emails will fail to authenticate.
What are the 4 types of forensic analysis? ›Traditional forensic analysis methods include the following: Chromatography, spectroscopy, hair and fiber analysis, and serology (such as DNA examination)
What to do with DMARC aggregate reports? ›What to do with DMARC reports, you might ask? You can use DMARC reports to review the nooks and crannies of your email infrastructure. They're a window into your sender sources and their configuration status. Your DMARC policy also tells users what to do with emails that fail SPF and DKIM authentication checks.
How do I disable DMARC aggregate report? ›If you don't have access to the domain's DNS or want to temporarily disable DMARC monitoring for a domain, you can add the domain to the exclusion list. In the Aggregate Reports pane, click on the menu to the right of the domain name and select “Exclude Domain”.
Is DMARC a vulnerability? ›DMARC is a vulnerability in your attack surface
It's because of this that not implementing a strong DMARC policy is one of the biggest mistakes a company can make, as it leaves your domain open to attackers to hijack and send phishing emails targeting your employees, customers, and entire supply chain.
- Crushed rock - These products are obtained by extracting rocks and crushing them to the desired size and texture. ...
- Sand - Sand is found in nature. ...
- Gravel - Gravel deposits are produced by a natural process of moisture and erosion.
Commonly used aggregates include sand, crushed or broken stone, gravel (pebbles), broken blast-furnace slag, boiler ashes (clinkers), burned shale, and burned clay.
What is an example of aggregated data? ›Examples of aggregate data include the following: Voter turnout by state or county. Individual voter records are not presented, just the vote totals by candidate for the specific region. Average age of customer by product.
What are the levels of DMARC? ›There are three DMARC policy options: “p=none”, “p=quarantine”, and “p=reject". The “none” policy, sometimes referred to as the “monitor” policy, tells the recipient's email provider to not take any action if an email fails DMARC.
What is the purpose of DMARC record? ›Domain-based Message Authentication, Reporting, and Conformance, or DMARC, is a technical standard that helps protect email senders and recipients from spam, spoofing, and phishing.
Is DMARC inbound or outbound? ›
Office 365 mailboxes by default use DMARC analysis and filtering of inbound emails whereas DMARC on outbound emails must be enabled manually. Today approximately 80 percent of all consumer mailboxes have DMARC implemented on the receiving side.
What is the best DMARC setting? ›Start with a DMARC record with enforcement set to none, and an email address configured to get daily DMARC reports. This lets you start getting reports without risking messages from your domain being rejected or marked as spam by receiving servers. We recommend using this record for at least one week.
How do I know if my DMARC is failing? ›Alternatively, you can check for DMARC failure by using the DMARC report analysis from your email service. A report will be sent when an email fails DMARC authentication and will contain information such as the sender, recipient, and reason for failure.
Are DMARC records important? ›Therefore, DMARC is a must for every domain owner. Securing your email with DMARC gives email receivers certainty whether an email is legit and has originated from you. This results in a positive impact on email delivery and also prevents others from sending email using your domain.
What are the contents of a DMARC record? ›A DMARC record is the core of a DMARC implementation in which the DMARC record rulesets are defined. This DMARC record informs email receivers if a domain is set up for DMARC. If so, the DMARC record contains the policy which the domain owner wants to use. In essence, a DMARC record a DNS (Domain Name Service) entry.
What are the components of DMARC record? ›A DMARC record is essentially made up of a specified Host/Name (i.e. the record name - for example _dmarc.mxtoolbox.com is the Host/Name for MxToolbox) and tag-value pairs. Tag-value pairs are pretty much what they sound like, you have a tag (ex.
What is the difference between DMARC policy and DMARC record? ›A DMARC policy essentially enables a domain owner to specify what to do in case an email fails both SPF and DKIM checks (i.e. whether to quarantine or reject it). The DMARC DNS record also specifies how the recipient can report back to the domain owner, in case an email fails authentication.
What is aggregate email? ›Last Updated February 5, 2022. Email aggregation combines all email messages that are sent to an email address, over a specified aggregation time interval, into a single email message. There are two criteria for aggregation: time interval and maximum email message size.
What is P and SP in DMARC? ›The DMARC record for “domain.com” would then include “v=DMARC1; p=reject; sp=quarantine.” This is an effective strategy if the organization needs to maintain separate DMARC policy for the top-level domain and all subdomains.
What is the difference between fo 0 and fo 1 in DMARC? ›fo=0: Generate a DMARC failure report if all underlying authentication mechanisms (SPF and DKIM) fail to produce an aligned “pass” result. (Default) fo=1: Generate a DMARC failure report if any underlying authentication mechanism (SPF or DKIM) produced something other than an aligned “pass” result. (Recommended)
How do I merge DMARC records? ›
Merge multiple DMARC records into a single record
This is done by separating them with commas in the rua tag portion of the DMARC record. Remember to include the mailto: prefix before each reporting address in your DMARC record.
The DMARC protocol depends on both SPF and DKIM to authenticate email. DMARC enables domain owners to specify how receiving servers should handle unauthorized or unauthenticated messages. DMARC defines another DNS record, the DMARC record, in which the public key for the sending domain is stored.
Is DMARC the same as DKIM and SPF combined? ›The two primary authentication protocols that help validate that an email message comes from who it claims to come from are SPF and DKIM. Layered on top of SPF and DKIM is DMARC. DMARC uses SPF and DKIM and provides a set of instructions to receiving email servers with what to do if they receive unauthenticated mail.
What are 2 major types of forensic evidence? ›Once you have mastered the process of the scientific method you become very aware of the need for data or as it is called in the forensic world "evidence". There are two general types of evidence used in both science and law - Physical and Testimonial evidence.
What are three items a forensic report should include? ›- Understanding the Referral Question.
- Documenting the Notification Process.
- Providing the Factual Basis for an Expert Opinion.
- Clinical Conclusions and Expert Opinions.
- References:
The five basic steps in the crime analysis process include the collection, categorization, analysis, dissemination, and evaluation of information. The reports and forms for use in each step of information-gathering and analysis are explained and illustrated.
Does DMARC affect incoming email? ›Setting up DMARC for inbound emails means that the email service provider (ESP) will be able to identify incoming messages and filter them, so that only those messages containing a From address that matches the IP address of your current domain or subdomain are delivered to the inbox.
Is DMARC for incoming or outgoing emails? ›DMARC is about email security. Traditionally this was about inbound protection, where DMARC can be used. Though, DMARC is more about outbound email protection.
What happens if an email fails DMARC? ›This error means that the message failed authentication tests and is not DMARC Compliant. A DMARC Compliance failure means that both SPF & DKIM verification tests failed. These failures can negatively impact email delivery as inboxes cannot verify the legitimacy of your email.
What is this is a DMARC aggregate report from Microsoft? ›The DMARC aggregate reports contain information about the source that sent the message, the domain that was used to sent these messages, the sending IP, the amount of messages sent on a specific date, the DKIM/SPF sending domain, the DKIM/SPF authentication result and the DMARC result.
Do I really need a DMARC record? ›
Therefore, DMARC is a must for every domain owner. Securing your email with DMARC gives email receivers certainty whether an email is legit and has originated from you. This results in a positive impact on email delivery and also prevents others from sending email using your domain.
What is DMARC and do I need it? ›DMARC is a critical component of email cybersecurity that reduces an attacker's ability to get email threat to an end user's inbox. With DMARC, organizations can create a record of who is authorized to send emails from their domain. This helps to prevent misuse of a company brand in phishing campaigns.
What is the purpose of DMARC? ›DMARC is an open email authentication protocol that provides domain-level protection of the email channel. DMARC authentication detects and prevents email spoofing techniques used in phishing, business email compromise (BEC) and other email-based attacks.