
What is a DMARC Failure Report?

The DMARC protocol enables you to receive two types of reports: aggregate reports and failure reports. DMARC failure reports were formerly known as DMARC forensic reports, and they are much more detailed than aggregate reports because they provide a sample of an email message that failed DMARC, DKIM, and SPF tests.

When SPF or DKIM does not align with DMARC, the ISP sends a failure report immediately, provided the ISP supports failure reports. Currently, major ISPs like Google, Verizon, and Comcast do not support them.

As a result, failing messages do not generate reports at these providers even after you configure your DMARC record to accept failure reports. This is why a noticeable difference can be seen between aggregate and failure reports.

How to read a DMARC Failure Report?

In a typical DMARC failure report, one would find the following fields: 

  • Email address of the recipient: the address to which the original message was sent
  • SPF and DKIM authentication results 
  • Time of reception 
  • DKIM signature 
  • Host 
  • Subject of email 
  • Message ID of the email 
  • Other headers, such as custom headers, etc.

Here is an example of a DMARC failure report:

[Image: DMARC failure report example]

DMARC Failure Reporting Options (fo)

The “fo” tag selects which of four failure conditions generate a DMARC failure report:

fo=0: A failure report is generated if both SPF and DKIM fail to align.

fo=1: A failure report is generated if either SPF or DKIM produces something other than an aligned pass.

fo=d: A DKIM failure report is generated if the signature fails, regardless of alignment.

fo=s: An SPF failure report is generated if SPF fails, regardless of alignment.
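The four fo options can be written as a small decision function that shows which of them call for a failure report on a given message. This is an added example, not code from the original page; the function names, the example.com record, and treating only a literal "fail" result as a failed check are assumptions of the example.

```python
# Added example: which fo options ask for a failure report for one message.
def parse_dmarc(record):
    """Split a DMARC TXT record into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def failure_report_reasons(record, spf, spf_aligned, dkim, dkim_aligned):
    """Return the fo options that call for a failure report.

    spf / dkim are result strings such as "pass", "fail" or "none";
    *_aligned says whether the authenticated domain aligns with From.
    Assumption: only a literal "fail" counts as a failed check for d and s.
    """
    tags = parse_dmarc(record)
    if "ruf" not in tags:            # fo has no effect without a ruf address
        return []
    # fo is a colon-separated list; it defaults to "0" when absent.
    options = [o.strip().lower() for o in tags.get("fo", "0").split(":")]
    spf_ok = spf == "pass" and spf_aligned       # aligned SPF pass
    dkim_ok = dkim == "pass" and dkim_aligned    # aligned DKIM pass
    reasons = []
    for opt in options:
        if opt == "0" and not spf_ok and not dkim_ok:
            reasons.append("0")      # both mechanisms lack an aligned pass
        elif opt == "1" and not (spf_ok and dkim_ok):
            reasons.append("1")      # at least one lacks an aligned pass
        elif opt == "d" and dkim == "fail":
            reasons.append("d")      # DKIM failed, alignment not considered
        elif opt == "s" and spf == "fail":
            reasons.append("s")      # SPF failed, alignment not considered
    return reasons

# Constructed sample record (example.com is a placeholder domain).
RECORD = ("v=DMARC1; p=none; rua=mailto:agg@example.com; "
          "ruf=mailto:fail@example.com; fo=0:1:d:s")

if __name__ == "__main__":
    # SPF passes for an unaligned domain, DKIM passes and aligns:
    # DMARC passes overall, yet fo=1 still asks for a report.
    print(failure_report_reasons(RECORD, "pass", False, "pass", True))
    # SPF and DKIM both fail: every option fires.
    print(failure_report_reasons(RECORD, "fail", False, "fail", False))
```

The first case shows why fo=1 produces far more reports than fo=0: a message that passes DMARC through DKIM alone still triggers it.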

The Pros:

  1. They contain more data than aggregate reports, such as the subject of the email, IP information, the date the message was received, the message ID, URLs, and the delivery result.
  2. They are received immediately. 

The Cons:

  1. They have a high false-positive rate.
  2. Most ISPs have dropped support for failure reports.
  3. They potentially expose sensitive data.

 

DMARC Aggregate Reports VS DMARC Failure Reports

As mentioned above, DMARC supports two types of reports: Aggregate and Failure reports. 

These two have many differences and serve distinct purposes.

When comparing the two, here are some of the visible differences: 

| Aggregate reports | Failure reports |
| --- | --- |
| To receive reports, the rua tag must be set up | To receive reports, the ruf tag must be set up |
| Provide aggregate data on a group of emails | Provide details of a single email |
| Not real-time; by default they are sent every day | Sent immediately after failures |
| XML format | Plain text |
| Don’t contain PII (personally identifiable information) | Contain PII |
| Supported by all DMARC-compliant mailbox providers | Supported by only some mailbox providers |

 

Conclusion

Unlike DMARC aggregate reports, DMARC failure reports were an unsuccessful part of the DMARC standard. DMARC aggregate reports provide all the information necessary to enforce DMARC without the risks that DMARC failure reports present.

 
