What is a DMARC Failure Report?
The DMARC protocol lets a domain owner receive two types of reports: aggregate reports and failure reports. DMARC failure reports, formerly known as forensic reports, are far more detailed than aggregate reports because each one describes a single message that failed DMARC (or, depending on the fo tag, failed SPF or DKIM evaluation) and normally includes that message's headers or the whole message.
When a message fails DMARC, that is, when neither SPF nor DKIM produces a pass that aligns with the From domain, a receiving mailbox provider that supports failure reports sends one to the ruf address right away. Support is limited: currently, major providers such as Google, Verizon and Comcast do not send them.
As a result, many failing messages generate no failure report even after you have configured your DMARC record to request them, which is why the volume of failure reports you receive is far lower than the volume of aggregate reports.
How to read a DMARC Failure Report?
In a typical DMARC failure report, one would find the following fields:
- Recipient address: the mailbox the original message was addressed to
- SPF and DKIM authentication results, usually as an Authentication-Results header
- Arrival time: when the receiver accepted the message
- Source IP of the server that delivered the message
- DKIM signature of the original message, if it carried one
- Subject of the original message
- Message-ID of the original message
- Other headers of the original message, including any custom headers
Here is an example of a DMARC failure report.
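As an added example that is not part of the original article, the block below builds a constructed failure report in ARF form (the multipart/report format with a message/feedback-report part that DMARC failure reports use, per RFC 5965, RFC 6591 and RFC 7489) and parses it with Python's standard email library to pull out the fields listed above. Every domain, address, IP, boundary and signature value in the sample is invented; the helper names are this example's own.

```python
import email
from email import policy

# Constructed sample of a DMARC failure report in ARF form (RFC 5965 structure
# with the auth-failure fields of RFC 6591 and RFC 7489). Every domain, address,
# IP and signature value below is invented for this example.
SAMPLE_FAILURE_REPORT = """\
From: dmarc-noreply@mail.example.net
To: dmarc-ruf@example.com
MIME-Version: 1.0
Content-Type: multipart/report; report-type=feedback-report; boundary="arf-part"

--arf-part
Content-Type: text/plain; charset=us-ascii

This is an authentication failure report for a message received from
IP 203.0.113.7 on Tue, 05 Mar 2024 10:15:01 +0000.

--arf-part
Content-Type: message/feedback-report

Feedback-Type: auth-failure
Original-Mail-From: <billing@example.com>
Original-Rcpt-To: <victim@example.net>
Arrival-Date: Tue, 05 Mar 2024 10:15:01 +0000
Source-IP: 203.0.113.7
Reported-Domain: example.com
Authentication-Results: mail.example.net; dmarc=fail header.from=example.com;
 spf=fail smtp.mailfrom=example.com; dkim=fail header.d=example.com
Auth-Failure: dmarc
Identity-Alignment: none
Delivery-Result: reject

--arf-part
Content-Type: message/rfc822

From: "Example Billing" <billing@example.com>
To: victim@example.net
Subject: Your account statement
Date: Tue, 05 Mar 2024 10:14:58 +0000
Message-ID: <20240305101458.1234@bulk.example.org>
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1; h=from:to:subject;
 bh=dGVzdA==; b=aW52YWxpZA==

Please see the attached statement.

--arf-part--
"""

def _nested_message(part):
    """Return the message nested inside a message/* MIME part."""
    payload = part.get_payload()
    if isinstance(payload, list):          # the parser already built it
        return payload[0]
    return email.message_from_string(payload, policy=policy.default)

def dkim_signature_tags(signature):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for item in signature.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            tags[name.strip()] = "".join(value.split())   # drop folding whitespace
    return tags

def parse_failure_report(raw):
    """Pull the triage-relevant fields out of an ARF failure report."""
    msg = email.message_from_string(raw, policy=policy.default)
    if (msg.get_content_type() != "multipart/report"
            or msg.get_param("report-type") != "feedback-report"):
        raise ValueError("not an ARF feedback report")
    report = {"feedback": {}, "original": {}, "dkim": {}}
    for part in msg.iter_parts():
        ctype = part.get_content_type()
        if ctype == "message/feedback-report":
            # The report fields are laid out like headers; keys are case-insensitive.
            fields = _nested_message(part)
            report["feedback"] = {k.lower(): str(v).strip() for k, v in fields.items()}
        elif ctype == "message/rfc822":
            original = _nested_message(part)
            wanted = ("From", "To", "Subject", "Date", "Message-ID", "DKIM-Signature")
            report["original"] = {h.lower(): str(original[h]).strip()
                                  for h in wanted if original[h] is not None}
    if "dkim-signature" in report["original"]:
        report["dkim"] = dkim_signature_tags(report["original"]["dkim-signature"])
    return report

def triage_line(report):
    """One-line summary: what failed, for which domain, from where, and the outcome."""
    fb, orig, dkim = report["feedback"], report["original"], report["dkim"]
    return (f"{fb.get('auth-failure', '?')} failure for {fb.get('reported-domain', '?')} "
            f"from {fb.get('source-ip', '?')}, result={fb.get('delivery-result', 'n/a')}, "
            f"alignment={fb.get('identity-alignment', 'n/a')}, "
            f"dkim d={dkim.get('d', '-')} s={dkim.get('s', '-')}, "
            f"subject={orig.get('subject', '')!r}")
```

Running `triage_line(parse_failure_report(SAMPLE_FAILURE_REPORT))` gives a single line a responder can scan: the Source-IP tells you whether the sender is one of your own systems, the d= and s= of the signature tell you which key was used, and the Subject and recipient show why these reports count as sensitive data. The code reads the nested parts through `get_payload()` rather than `get_content()` because the standard library has no content handler for message/feedback-report.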
DMARC Failure Reporting Options (fo)
The fo tag in the DMARC record tells receivers when to generate failure reports. It takes one or more of four values; several can be combined with colons, for example fo=1:d:s, and the default is fo=0. The tag only has an effect when the record also contains a ruf address.
fo=0: generate a DMARC failure report if the message fails DMARC, that is, if neither SPF nor DKIM produces an aligned pass. This is the default.
fo=1: generate a DMARC failure report if either SPF or DKIM produced anything other than an aligned pass, even when the other mechanism passed and the message as a whole passed DMARC.
fo=d: generate a DKIM failure report if a DKIM signature on the message failed verification, regardless of alignment.
fo=s: generate an SPF failure report if SPF evaluation failed, regardless of alignment.
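The following is an added example, not code from the original article: it models the fo semantics above as a receiver that honours the tag would apply them, and shows which reports three common situations produce. The DMARC records, the `AuthResult` type and the three authentication outcomes are constructed for illustration.

```python
from typing import NamedTuple

# Added example: which failure reports a receiver that honours the fo tag would
# generate for one message, following the fo semantics of RFC 7489. Records and
# authentication outcomes below are constructed for illustration.

class AuthResult(NamedTuple):
    spf_pass: bool        # SPF check itself passed
    spf_aligned: bool     # the SPF-checked domain aligns with the From domain
    dkim_signed: bool     # the message carried at least one DKIM signature
    dkim_pass: bool       # a signature verified
    dkim_aligned: bool    # a verifying signature's d= aligns with the From domain

def parse_dmarc_record(txt):
    """Parse a DMARC TXT record into a {tag: value} dict."""
    tags = {}
    for item in txt.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def failure_reports(record, r):
    """Return the sorted report types ('dmarc', 'dkim', 'spf') generated for one message."""
    tags = parse_dmarc_record(record)
    if "ruf" not in tags:                 # fo is ignored when there is no ruf destination
        return []
    options = set(tags.get("fo", "0").split(":"))   # e.g. "1:d:s" -> {"1", "d", "s"}

    spf_aligned_pass = r.spf_pass and r.spf_aligned
    dkim_aligned_pass = r.dkim_pass and r.dkim_aligned
    dmarc_pass = spf_aligned_pass or dkim_aligned_pass

    reports = set()
    if "0" in options and not dmarc_pass:
        reports.add("dmarc")              # neither mechanism produced an aligned pass
    if "1" in options and not (spf_aligned_pass and dkim_aligned_pass):
        reports.add("dmarc")              # any mechanism short of an aligned pass
    if "d" in options and r.dkim_signed and not r.dkim_pass:
        reports.add("dkim")               # signature broke; alignment is irrelevant
    if "s" in options and not r.spf_pass:
        reports.add("spf")                # SPF failed; alignment is irrelevant
    return sorted(reports)

def identity_alignment(r):
    """Which identifiers aligned, as reported in the Identity-Alignment field."""
    aligned = [name for name, ok in (("dkim", r.dkim_pass and r.dkim_aligned),
                                     ("spf", r.spf_pass and r.spf_aligned)) if ok]
    return ", ".join(aligned) if aligned else "none"

# Constructed records: default fo (0), every option enabled, and one with no ruf at all.
RECORD_DEFAULT = "v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.com; ruf=mailto:dmarc-ruf@example.com"
RECORD_ALL = RECORD_DEFAULT + "; fo=1:d:s"
RECORD_NO_RUF = "v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.com; fo=1:d:s"

# Constructed outcomes for three common situations.
FORWARDED = AuthResult(spf_pass=False, spf_aligned=False, dkim_signed=True, dkim_pass=True, dkim_aligned=True)
SPOOFED = AuthResult(spf_pass=False, spf_aligned=False, dkim_signed=False, dkim_pass=False, dkim_aligned=False)
MAILING_LIST = AuthResult(spf_pass=True, spf_aligned=False, dkim_signed=True, dkim_pass=False, dkim_aligned=False)
```

With the default fo=0, `FORWARDED` (SPF broken by forwarding, DKIM intact and aligned) passes DMARC and produces nothing, while `SPOOFED` produces a single DMARC report. With fo=1:d:s the same forwarded message, although it passes DMARC, still triggers a DMARC report and an SPF report; that is the mechanism behind the high false-positive rate of failure reports, and the reason fo=1 is only worth requesting when you have the capacity to sift legitimate traffic out of the results.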
Failure reports have the following characteristics:
- They contain more data than aggregate reports: the subject of the message, IP information, the date the message was received, its Message-ID, any URLs in the message and the delivery result.
- They are sent immediately, one per failing message, rather than on a daily schedule.
- They have a high false-positive rate: much of what they report is legitimate mail that lost SPF or DKIM alignment in transit, for example through forwarding or mailing lists.
- Most mailbox providers have dropped support for them.
- They can expose sensitive data, since they carry the recipient address, the subject and often the message body.
DMARC Aggregate Reports VS DMARC Failure Reports
As mentioned above, DMARC supports two types of reports: Aggregate and Failure reports.
The two serve distinct purposes, and the main differences are:
| Aggregate reports | Failure reports |
| --- | --- |
| To receive them, the rua tag must be set | To receive them, the ruf tag must be set |
| Summarize a group of messages | Describe a single message |
| Not real-time; by default sent once a day | Sent immediately after a failure |
| XML format | ARF format (a MIME message with text parts) |
| Do not contain PII (personally identifiable information) | Contain PII |
| Supported by all mailbox providers that implement DMARC reporting | Supported by only some mailbox providers |
Unlike aggregate reports, failure reports never gained broad adoption and are, in practice, the unsuccessful half of the DMARC reporting design. Aggregate reports describe DMARC failures in a more comprehensive way: they carry the information needed to move a domain to enforcement without the privacy risks that failure reports bring.