Understanding DMARC Reports

    DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that helps protect an organization’s domain from spoofing and phishing attacks—one of the most dangerous of which is Business Email Compromise (BEC). 

    A DMARC policy safeguards your business from these email threats and provides visibility into your email infrastructure, so you can keep track of what’s happening behind the scenes. 

    What to do with DMARC reports, you might ask? You can use DMARC reports to review the nooks and crannies of your email infrastructure. They’re a window into your sender sources and their configuration status. Your DMARC policy also tells users what to do with emails that fail SPF and DKIM authentication checks. 

    Understanding DMARC reports is crucial to help protect your organization’s domains from cyberattacks. It enables you to manage deliverability issues and detect malicious activity early on. This article discusses the types and benefits of DMARC reports with examples and explanations. 

    What are DMARC Reports?

    DMARC reports contain essential information about the authenticity status of emails sent on behalf of a domain. When you create a DMARC record and publish it in your Domain Name System (DNS), you’ll receive data on all sending sources using your domain. 

    A DMARC report contains other information about the domain, the policy implemented (none, quarantine, or reject), and the enforcement level (strict or relaxed). Learning how to read DMARC reports is crucial for DMARC compliance and effective email security.

    There are two different types of DMARC reports:

    • Forensic reports
    • Aggregate reports

    Each report type serves a different purpose, but more about that later in the article.

    Why Do You Need DMARC Reports?

    Before we discuss how to enable DMARC reports, let’s look at their benefits. Because phishing attacks are getting more sophisticated, most organizations have implemented email security measures like SPF and DKIM to help mitigate these risks. 

    However, SPF and DKIM alone don’t provide 100% protection against email-borne attacks and delivery issues. 

    Even with proper configuration, it’s possible for original and authenticated emails to get lost or end up in the spam folder. Moreover, bad actors can still spoof a company’s domain, despite SPF and DKIM implementation.

    Another major issue is that failure reports don’t always reach the sender, so vital information is lost. That’s where DMARC comes in. 

    DMARC was invented to correct these shortcomings and improve the defense mechanisms of both DKIM and SPF. The email security standard ensures that messages pass SPF and DKIM security checks and DMARC authentication, before reaching the receivers’ inboxes. 

    With your DMARC record configured in your DNS, you’ll get reports that provide the status of your email authentication, so you can improve it if needed. This helps you detect malicious emails that claim to be from your domain. 

    DMARC reports contain technical data, which can be overwhelming—especially when you send bulk emails regularly. Fortunately, you can easily collect and analyze this information with EasyDMARC’s DMARC report analyzer.

    When you publish a DMARC record in your DNS, every email service provider (ESP) supporting DMARC (like Yahoo!, Comcast, and Google) will send you reports containing critical information in the form of a compressed flat XML text. 

    EasyDMARC’s platform parses those reports, making them more readable and easy to understand. Use our free DMARC XML Report Analyzer to find issues and take action to resolve them quickly. 

    During DMARC implementation, you must indicate a policy to instruct email providers on how to handle unauthenticated emails. You can use three main DMARC policies: none, quarantine, and reject. 

    DMARC reports contain information about your outgoing email infrastructure, including messages that both pass and fail DMARC authentication.  You should constantly monitor such information to verify your legitimate email sources properly.

    How to Enable DMARC Reports?

    To receive DMARC reports, you need to enable them. You can do this by creating and adding a DMARC record to your DNS. The process is simple and the same, regardless of the domain provider you’re using. Follow the steps below to enable DMARC reports:

    • First, you need to create a DMARC record for your domain. Use EasyDMARC’s Free DMARC Record Generator tool to do it quickly and easily.
    • During this process, enter your chosen email address in the ‘Report Email’ section to receive DMARC aggregate reports.
    • Next, enter your preferred email address in the ‘Failure Reporting’ section to receive forensic DMARC reports
    • Once you’re done inputting the necessary details, hit the ‘generate’ button, and the AI will generate the TXT record you need to publish in your DNS. 

    Types of DMARC Reports

    There are two main types of DMARC reports: Aggregate and Failure reports. The email receiver sends these reports, and they serve different purposes. 

    Aggregate Reports

    DMARC aggregate reports are the most crucial, providing information about the authentication status of DMARC, DKIM, and SPF. This data is sent to the RUA address and doesn’t contain any sensitive information about the message itself. 

    Instead, it encompasses aggregate information, including:

    • Reporting ESP information
    • Header-from domain 
    • DMARC policy and alignment settings
    • Sender’s IP address
    • Message authentication status and data 
    • Number of messages sent

    The frequency by which you receive aggregate reports can be specified on the DMARC report under the “ri” tag. The default is once a day, but you can change it to whatever interval is convenient for you.

    EasyDMARC’s user-friendly DMARC Aggregate XML Reports Analyzer makes it super practical to work with your data and sending sources. It also gives you a bird’s eye view of your email infrastructure.

    If you want Aggregate reports sent to your EasyDMARC dashboard, publish the “rua” tag with EasyDMARC’s available URI (unified resource identifier, which looks like an email address) you’ll find on the platform. Here’s an example of the tag usage in your DMARC record:

    v=DMARC1; p=none; rua=mailto:[email protected];

    Failure Reports

    Failure reports are sent to the RUF address and are created to provide edited copies of emails that fail authentication checks. Failure reports provide information domain owners can leverage to identify the true origin of legitimate email sources that require rectification. 

    Often, email receivers don’t provide forensic reports because of privacy concerns. If you’re just starting with DMARC, we recommend concentrating on monitoring and acting on aggregate reports. 

    To receive DMARC failure reports, you can request delivery to an email address accessible to you.

    For example, if you want to request failure reports delivered to your EasyDMARC dashboard, you can publish a DMARC record, including the “ruf” tag, like this:

    v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]

    DMARC Reports: Best Practices

    DMARC reports are central to DMARC enforcement. Thus, we’ve separated a few best practices to ease you into the process and keep you from making simple mistakes.

    • Always Enable Reporting When Implementing DMARC: There’s no point to start DMARC implementation if you ignore actually activating the reports.
    • Send the reports to a special address or email group: While RUA and RUF tags require an email address, we don’t recommend using a personal address, where the reports could get lost or mixed up with usual emails.
    • Analyze your reports and follow the hints to improve your DMARC enforcement: What’s worse than not enabling RUA and RUF reports is enabling and failing to use the recommendations they provide.
    • Use a dedicated service to interpret DMARC Reports:  Receiving XML files in RUA reports and email sender headers in RUF can get overwhelming really fast. Using a third party service like EasyDMARC for report analysis can be the light at the end of the tunnel for your organization.

    Receiving DMARC Reports with EasyDMARC

    DMARC reports are vital to monitor your domain’s email activity, view authentication results, maintain verified senders, and identify fraudsters. Still, reading Aggregate reports can be tough, as they’re in XML format. 

    At EasyDMARC, we make DMARC reports user-friendly and readable, so you can quickly go through them and take action.

    EasyDMARC offers access to both types of DMARC reporting. If you’re a free-tier user, you might already be receiving regular free DMARC reporting

    In the Plus tier and above, our platform can be configured to send you more detailed Failure or Aggregate reports.

    Contact our support team if you have questions about our DMARC reporting tools.

    Learn about SPF, DKIM, DMARC, Subscribe to our newsletter.

    Subscribe

      We're glad you joined EasyDMARC newsletter! Get ready for valuable email security knowledge every week.