What is a DMARC Failure Report? | EasyDMARC

What is a DMARC Failure Report?


DMARC is the most efficient tool you can get to protect your domain. All your communications are more secure once you implement DMARC records for your domain. The enforcement of DMARC policies prevents spoofing attacks. You also get the full scope of your communications and see how your emails perform. To better understand this procedure, you rely on DMARC reports.

A properly configured DMARC policy sends two specific report types: aggregate reports, which offer aggregate summaries of all email activity, and DMARC failure reports, which provide a quick notification when an authentication failure occurs. DMARC failure reports include details about the type of failure: it can be due to infrastructure problems, lack of verification from the ESP, and other assorted reasons.

DMARC Failure Report: What is It?

DMARC failure reports were previously known as forensic reports. Failure reports offer specific information about each email sent from your domain, detailing everything that goes wrong with the message and why it was rejected. Unlike aggregate reports, DMARC failure reports are generated instantly and sent to the URI configured in your domain’s DMARC policy by the “ruf” tag.

The average DMARC failure report contains the following fields: 

  • Email address of the recipient (the address the original message was sent to)
  • SPF and DKIM authentication results 
  • Time of reception 
  • DKIM signature 
  • Host 
  • Subject of email 
  • Message ID of the email 
  • Other headers

Here is a sample of a failure report:

[Image: DMARC failure report example]
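A text rendition of such a report together with a parser, as an added example that is not from the original article. It assumes the report follows the AFRF layout of RFC 6591 (a multipart/report message carrying a message/feedback-report part); the sample report and the names `summarize`, `_fields` and `KEEP` are constructed for illustration.

```python
import email

# Constructed sample (made-up addresses, IPs, IDs; human-readable part omitted).
SAMPLE = """\
Content-Type: multipart/report; report-type=feedback-report; boundary="b1"

--b1
Content-Type: message/feedback-report

Feedback-Type: auth-failure
Auth-Failure: dmarc
Source-IP: 192.0.2.55
Reported-Domain: example.com
Original-Rcpt-To: alice@receiver.example
Authentication-Results: receiver.example; spf=fail smtp.mailfrom=example.com

--b1
Content-Type: text/rfc822-headers

From: Billing <billing@example.com>
To: alice@receiver.example
Subject: Invoice 4471
Message-ID: <constructed-1@mail.invalid>

--b1--
"""

KEEP = ("Auth-Failure", "Source-IP", "Reported-Domain", "Authentication-Results")

def _fields(part):
    # message/* parts arrive pre-parsed (a list); text/rfc822-headers as a string
    p = part.get_payload()
    return p[0] if isinstance(p, list) else email.message_from_string(p)

def summarize(raw):
    """Extract triage fields; recipient and subject are left out (PII)."""
    msg = email.message_from_string(raw)
    if msg.get_param("report-type") != "feedback-report":
        raise ValueError("not a feedback report")
    out = {}
    for part in msg.get_payload():
        ctype = part.get_content_type()
        if ctype == "message/feedback-report":
            out.update({k: _fields(part).get(k) for k in KEEP})
        elif ctype in ("message/rfc822", "text/rfc822-headers"):
            orig = _fields(part)
            out["Message-ID"] = orig.get("Message-ID")
            out["From-Domain"] = orig.get("From", "").rpartition("@")[2].strip("> ")
    return out
```

Storing only the summary, rather than the raw report, keeps the source IP and authentication results needed for triage while discarding the recipient address and subject line.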

When Do You Receive a Failure Report?

DMARC failure reports are essentially a copy of the email failing verification, sent immediately after failing the process. DMARC failure reports do not contain personally identifiable information, but they have every scrap of data to help you understand why the email bounced. You receive failure reports by configuring the option in your DMARC record by including the “ruf” and “fo” tags and specifying the email address where all reports land.

Failure Report Tags: How to Activate DMARC Failure Reporting?

As you explore DMARC failure reporting options, you’ll find that to start receiving failure reports, you need to configure the “ruf” and “fo” tags in the DMARC record. Here’s what each one of them does with your rejected messages:

  1. ruf: this optional tag designates the email address where message-specific failure reports are sent. The address is written as a plain-text URI. The usual ruf tag looks like this: “ruf=mailto:[email protected]”.
  2. fo: the options tag that defines which authentication failures trigger a report for the domain, and therefore the type of report you get:
      • fo=0 is used to report when both SPF and DKIM fail to produce an aligned result for a message.
      • fo=1 is used to report when either SPF or DKIM has an alignment issue on any email.
      • fo=d is used to report when the DKIM signature fails, regardless of alignment.
      • fo=s is used to report when the SPF record fails to align with the domain.
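How a receiver reads these two tags, as an added example (not EasyDMARC's code). It parses a constructed record and applies the fo options as RFC 7489 defines them, where the d and s options look at the raw DKIM and SPF result regardless of alignment; the record, the example.com addresses and all function names are assumptions.

```python
# Added example: the record below is constructed; function names are illustrative.
RECORD = "v=DMARC1; p=reject; rua=mailto:agg@example.com; ruf=mailto:forensic@example.com; fo=1:d"

def parse_dmarc_record(txt):
    """Split a DMARC TXT record into a {tag: value} dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def failure_reporting(tags):
    """Return (ruf URIs, fo options); fo has no effect when ruf is absent."""
    ruf = [u.strip() for u in tags.get("ruf", "").split(",") if u.strip()]
    if not ruf:
        return [], set()
    fo = {o.strip().lower() for o in tags.get("fo", "0").split(":")}  # default is 0
    unknown = fo - {"0", "1", "d", "s"}
    if unknown:
        raise ValueError(f"unknown fo option(s): {sorted(unknown)}")
    # Strictness choice of this example: accept only mailto:, which catches typos.
    bad = [u for u in ruf if not u.lower().startswith("mailto:")]
    if bad:
        raise ValueError(f"ruf entries must be mailto: URIs: {bad}")
    return ruf, fo

def should_report(fo, spf_pass, spf_aligned, dkim_pass, dkim_aligned):
    """Decide whether one message triggers a failure report under `fo`.
    dkim_pass=False means a DKIM signature was present and failed to verify."""
    spf_ok = spf_pass and spf_aligned        # aligned SPF pass
    dkim_ok = dkim_pass and dkim_aligned     # aligned DKIM pass
    return bool(
        ("0" in fo and not spf_ok and not dkim_ok)    # every mechanism failed
        or ("1" in fo and not (spf_ok and dkim_ok))   # any mechanism failed
        or ("d" in fo and not dkim_pass)              # DKIM failed, alignment ignored
        or ("s" in fo and not spf_pass)               # SPF failed, alignment ignored
    )
```

A record that sets fo but no ruf yields an empty result here, which is a quick way to spot a policy that looks like it requests failure reports but never will receive any.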

Failure Reports: Pros and Cons

DMARC failure reports have faced their fair share of criticism. Critics often mention these reports offer too much raw data that is difficult to understand if you’re a newcomer to DMARC. Some people think only some elements of DMARC are as valuable as they may seem. Aggregate reports provide a condensed portion of data to help you understand your sources and configure DMARC for your domain. Failure reports, on the other hand, offer data in real-time so you can fix any issues on the go. 

Here’s a detailed list of the pros and cons to consider for DMARC failure reports:

Pros

If you’re dealing with DMARC failure, these reports have the right amount of data to help you get things straight quickly. Here are the benefits of working with them:

Contains More Data Than the Aggregate Reports

A single DMARC failure report contains much more information about any rejected email. All the data is recorded in URI format (Uniform Resource Identifier). You get a sequence of characters identifying all reasons why your message failed. URIs are very detailed since they distinguish one source from the other.

You Receive Them Immediately

Aggregate reports are sent on a fixed schedule. DMARC failure reports, on the other hand, are sent immediately based on your configuration of the “fo” tag. If you’re working with the IT department and learning how to fix DMARC fails as you go, this feature is pretty valuable, especially if you can understand the data provided on the reports.

Cons

As expected, working with DMARC failure reports has some downsides as well. These outweigh the benefits, but if you understand how DMARC works, it’s useful to get failure reports as well.

Most ISPs Don’t Support Failure Reports (And the Format Isn’t Consistent)

What no one tells you about the URI format of DMARC failure reports is that it’s not consistent across email service providers. That’s why most ISPs won’t support these reports and offer aggregate reports instead.

Volumes Might Be Overwhelming

Unlike aggregate reports, which are sent on a timely schedule, DMARC failure reports always blast your inbox in real time. Going through all that data simultaneously can be daunting and challenging for IT departments.

Might Expose Sensitive Data

This is one of the main reasons why ISPs are phasing out DMARC failure reports. Anyone with enough knowledge about handling the data contained in these reports can get a ton of Personally Identifiable Information from them.  

It’s Hard to See the Full Picture of Your Domain Ecosystem

Aggregate reports offer a cohesive view of your domain’s email ecosystem. You can understand what’s working and what’s failing with them. However, if you limit yourself only to DMARC failure reports, you won’t know where to look. You are more likely to overlook something vital because you’re paying attention to one failed email at a time.

Best Practices for DMARC Failure Reporting

If you choose multiple URIs to get your DMARC failure reports, your DMARC record will happily comply. Depending on how many emails fail DMARC in your ecosystem, the result could be an onslaught of reports in minutes. Going through all of them is almost impossible by human standards, but you can put some controls in place to limit the reporting process. These are some of the best strategies for handling failure reports:

Limit Sending the Report Only to the First Recipient

Limiting one report to the first recipient means you won’t get duplicate reports in all your URIs. This can help you focus better on the issues affecting your DMARC protocol.

Group Reports and Bulk-Deliver

You can store failure reports for specific periods before sending them. This makes detecting delivery issues easier because similar incidents can be collected and reported together.

Limit the Number of Failure Reports Sent Per Minute

You can apply a rate limit to the number of reports sent per minute. That way, you won’t get overwhelmed and can take time to see relevant data on each report, as the system will discard anything else.

DMARC Aggregate Reports Vs. DMARC Failure Reports

This blog post mentioned aggregate reports as the leaner cousin of DMARC failure reports. Both have features that make them worth paying attention to. They also have specific purposes, but the closer you look at them, the more you realize how different they are from each other. Here’s a comparison:

| Aggregate reports | Failure reports |
| --- | --- |
| To receive reports, the rua tag must be set up | To receive reports, the ruf tag must be set up |
| Provides aggregate data on a group of emails | Provides details of a single email |
| Not real-time; by default, they are sent every day | Sent immediately after failures |
| XML format | Plain text |
| Don’t contain PII (personally identifiable information) | Contain PII |
| Supported in all DMARC-compliant mailbox providers | Supported only in some of the mailbox providers |

Closing Thoughts 

DMARC failure reports were the first attempt at understanding the data provided by DMARC protocols. They had their day in the sun, but they’re going out of fashion these days. Currently, NetEase is the sole ESP willing to offer them. Not long ago, Hotmail also generated failure reports, but most of its platforms migrated to the standard set by Microsoft 365, making aggregate reports their default choice.

Despite their dwindling use, EasyDMARC has the technology to manage and understand the data provided by failure reports. We can help you improve your DMARC strategy and increase your deliverability rates. Contact us through our website to update your DMARC strategy.
