Understanding DMARC Reports
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a policy that protects organizations from Business Email Compromise (BEC) attacks and allows users to receive DMARC reports from mail service providers.
DMARC is an email authentication protocol designed to give email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing. It allows domain owners to prove the authenticity of their emails while reassuring email recipients that emails from their domain are legitimate.
Your DMARC policy also tells receiving mail servers what action to take on unapproved (possibly infected or fraudulent) emails. You can dive deeper into DMARC in RFC 7489.
Read on to find out why you need DMARC reports with specific examples and explanations.
Why Do You Need a DMARC Policy?
DMARC policy appeared in 2012 as a tool against phishing. It was supported by mail providers AOL, Comcast, Gmail, Hotmail, Netease, Yahoo! Mail and mail senders American Greetings, Bank of America, Facebook, Fidelity, JPMorgan Chase & Co., LinkedIn, and PayPal.
The DMARC policy protects domain owners from the negative consequences of fraud. In today’s fast-paced, highly-digitized world, cybercriminals and scammers are quick to find and exploit an organization’s cyber security weaknesses. So, you need a DMARC policy to protect your business from money, data, reputation, and customer loss.
How Does DMARC Work?
DMARC works on top of two email authentication protocols: DKIM and SPF. Domain owners authorize the sources they use with the help of DKIM and SPF to only send authenticated emails.
With DMARC, domain owners can publish a policy that dictates how receivers process emails from that domain. For example, you can publish a policy to reject all non-authenticated emails from your domain. Once the “reject” policy is published, receivers that enforce DMARC refuse fraudulent emails that use your domain in the “From:” address.
One of the key values of DMARC is “Domain Alignment.” It checks whether the domain of the email address in the “From:” line matches the identifiers of the SPF verification and DKIM signature. If the match is complete, the email is delivered to the recipient’s mailbox. If not, the email is processed according to the selected DMARC policy:
- None: No action is taken against the unqualified email. It goes to the recipient’s mailbox. The domain owner receives a report with information about sending the message. By analyzing it, the owner will see who sends email on their behalf and whether they’re authorized to do so.
- Quarantine: The recipient’s email server delivers the unqualified email to the “Spam” folder. Domain owners can also continue analyzing the data received in reports.
- Reject: Emails that don’t pass the DMARC check are rejected and do not fall into any folder of the recipient’s mailbox.
When setting up the DMARC “Reject” policy, make sure all third parties who are permitted to send emails on your behalf are properly authenticated. Otherwise, their emails will also be rejected. This applies to CRM systems and email newsletter services, too.
Why Do You Need DMARC Reports?
SPF and DKIM mechanisms don’t guarantee 100% protection against scams. Even if everything is spelled out correctly, it’s possible for original, authentic emails to be redirected. Sometimes, the sender’s identification isn’t authenticated, either. Delivery failure reports not arriving to the sender is another common issue. Overall, the technology isn’t perfect.
DMARC was implemented to enhance the defense mechanisms of SPF and DKIM. It sets the standard for checking incoming mail by ensuring that it passed “face control” by SPF or DKIM.
DMARC details the current status of your email authentication program by sending DMARC reports to the specified mailboxes.
It allows you to detect and prevent fraudulent emails that claim to be from your domain when they aren’t. DMARC reports are valuable sources of information that you can now easily collect using EasyDMARC.
When you publish a DMARC record, a lot of ISPs (e.g. Google, Comcast, Yahoo, etc.) will send you DMARC reports. These reports contain compressed flat XML text with a lot of valuable data. EasyDMARC parses those reports, rendering the data readable as easy-to-understand charts.
When you publish a DMARC record in the DNS, you specify the policy instructing email servers on how to dispose of unauthenticated emails. You can also request mailbox providers to send you DMARC reports directly.
These reports contain information about your outgoing email infrastructure. You should constantly monitor such information to properly authenticate all your legitimate email sources.
DMARC Report Examples and Explanations
Aggregate reports contain info about groups of email messages, including:
- Sending source IP
- Sent date
- The domain or organization that sent the report
- SPF domain
- SPF domain alignment check: pass or fail
- SPF authentication result: none, neutral, pass, fail, softfail, temperror, or permerror
- DKIM domain
- DKIM domain alignment check: pass or fail
- DKIM authentication result: none, neutral, pass, fail, policy, temperror, permerror
- The disposition of those emails (the policy applied by the receiver): None, Quarantine or Reject
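As an added example (not EasyDMARC's code), the Python below reads an aggregate report in the RFC 7489 Appendix C layout, extracts the fields listed above, and totals messages per source IP that failed both aligned checks. The sample XML, the size cap and the function names are assumptions made for this illustration.

```python
import gzip
import io
import xml.etree.ElementTree as ET
from collections import Counter

MAX_XML_BYTES = 5 * 1024 * 1024  # assumed cap on decompressed size

# Constructed sample in the RFC 7489 Appendix C layout (documentation IPs).
SAMPLE_XML = b"""<feedback>
 <report_metadata><org_name>receiver.example</org_name></report_metadata>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>40</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
   <spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>203.0.113.77</source_ip><count>3</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><spf><domain>bulk.example.net</domain><result>pass</result></spf></auth_results></record>
</feedback>"""

def load_report(blob):
    """Accept a gzip attachment or raw XML, bounded in size, without DTDs."""
    if blob[:2] == b"\x1f\x8b":  # gzip magic bytes
        blob = gzip.GzipFile(fileobj=io.BytesIO(blob)).read(MAX_XML_BYTES + 1)
    if len(blob) > MAX_XML_BYTES:
        raise ValueError("report exceeds size cap")
    if b"<!DOCTYPE" in blob or b"<!ENTITY" in blob:
        raise ValueError("DTD or entity declaration in report")
    return ET.fromstring(blob)

def summarize(root):
    """Return (rows, Counter of message counts per source IP failing DMARC)."""
    rows, failing = [], Counter()
    for rec in root.iter("record"):
        row = {
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count", "0")),
            "disposition": rec.findtext("row/policy_evaluated/disposition"),
            "dkim_aligned": rec.findtext("row/policy_evaluated/dkim"),
            "spf_aligned": rec.findtext("row/policy_evaluated/spf"),
            "dkim_domain": rec.findtext("auth_results/dkim/domain"),
            "spf_domain": rec.findtext("auth_results/spf/domain"),
        }
        rows.append(row)
        # DMARC fails only when neither aligned check passed.
        if "pass" not in (row["dkim_aligned"], row["spf_aligned"]):
            failing[row["source_ip"]] += row["count"]
    return rows, failing
```

The second sample record shows SPF passing for a different domain (bulk.example.net) while the aligned SPF result is fail, which is the typical signature of a third-party sender that has not been authorized for the From: domain. Reports arrive from outside parties, so a hardened XML parser such as defusedxml is a common alternative to the DTD check used here.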
Failure (forensic) reports contain all the information about individual email messages, including:
- Sending source IP
- From: email address
- To: or recipient email address
- Email subject line
- Authentication results: SPF and DKIM
- Received time
- Email headers, including sending host, email message ID, DKIM signature, and other custom header information
Failure reports contain Personally Identifiable Information (PII). Due to privacy concerns, many mailbox providers including Gmail have dropped support for DMARC failure reports. Only a few mailbox providers still send failure reports, including LinkedIn.
Request to Send Aggregate Reports
If you want DMARC aggregate reports delivered to your email address, specify your email address in the “rua” tag of your DMARC record.
For example, if you want aggregate reports sent to your EasyDMARC dashboard, you should publish a DMARC record like this:
Request to Send Failure Reports
To receive DMARC failure reports, you can request their delivery to an email address accessible to you.
For example, if you want to request failure reports delivered to your EasyDMARC dashboard, you can publish a DMARC record including the “ruf” tag, like this:
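An added example, not the record from the original page: a constructed record for the hypothetical domain example.com with placeholder “rua” and “ruf” addresses, parsed to list the report destinations from both tags and the DNS names a receiver checks under RFC 7489 section 7.1 before sending reports to another domain. Function names are assumptions made for this illustration.

```python
# Constructed record for the hypothetical domain example.com; addresses are placeholders.
SAMPLE_RECORD = ("v=DMARC1; p=none; rua=mailto:dmarc-rua@reports.example.net; "
                 "ruf=mailto:dmarc-ruf@example.com; fo=1")

def parse_dmarc_record(txt):
    """Split a DMARC TXT value into a tag dict; v=DMARC1 must be the first tag."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        raise ValueError("record must start with v=DMARC1")
    tags = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[key.strip()] = value.strip()
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p must be none, quarantine or reject")
    return tags

def report_hosts(tags, tag):
    """Return the mail hosts named by the mailto: URIs in the rua or ruf tag."""
    hosts = []
    for uri in (u.strip() for u in tags.get(tag, "").split(",")):
        if not uri:
            continue
        addr = uri[len("mailto:"):].split("!")[0]  # drop optional "!10m" size limit
        if not uri.lower().startswith("mailto:") or "@" not in addr:
            raise ValueError(f"{tag} expects mailto: URIs, got {uri!r}")
        hosts.append(addr.rsplit("@", 1)[1].lower())
    return hosts

def external_authorization_names(policy_domain, tags):
    """DNS names a receiver checks (RFC 7489 section 7.1) before reporting off-domain."""
    names = set()
    for tag in ("rua", "ruf"):
        for host in report_hosts(tags, tag):
            # Simplification: the RFC compares Organizational Domains; this uses a suffix match.
            if host != policy_domain and not host.endswith("." + policy_domain):
                names.add(f"{policy_domain}._report._dmarc.{host}")
    return sorted(names)
```

For each name returned, the party receiving the reports publishes a TXT record containing v=DMARC1; without it, receivers that perform this check will not send reports to that address.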
DMARC is a great tool to monitor your outgoing email infrastructure and understand how providers receive and process your emails. Based on this, you can improve delivery and regain 5% or more of your email database—those who may not receive letters for technical reasons.
DMARC Reporting With EasyDMARC
EasyDMARC’s platform offers two types of DMARC reporting services:
- Aggregate Reports (RUA)
- Failure Reports (RUF)
If you’re a user of our Free tier, you might already be receiving regular free DMARC reporting. In the Plus tier and above, our platform can be configured to send you the more detailed Failure reports.
Contact our support team if you have any questions regarding how our DMARC reporting tool works.