DMARC Failure (Forensic) Reports

DMARC Failure Reports are essentially the copy of your email sent when SPF and DKIM alignment fails. They provide details into the reasons behind DMARC failures, which help discover the root cause, track email fraud and phishing attempts, and improve your email security posture.

DMARC Failure Reporting includes details about the type of failure:

1. Infrastructure problems
2. Lack of verification from the ESP
3. Various other reasons

DMARC Failure (Forensic) Reports are much more detailed than DMARC Aggregate reports, as they show a sample of an email message that failed SPF, DKIM, or DMARC tests.

Failure Reports offer specific information about each email you sent from your domain, detailing everything that goes wrong with the message and why it was rejected.

DMARC Failure (Forensic) Reports contain all the information about individual email messages, including:

• Sending source IP
• "From" and "To" email addresses
• Email subject line
• SPF and DKIM authentication results
• Received time
• Email Header

Find out more about Failure Reports.

To receive DMARC Failure (Forensic) Reports, configure the “ruf” and “fo” tags in your DMARC record by specifying the email address where all reports should land.

Implementing Failure (Forensic) Reports will improve your email delivery by providing valuable insight into potential DMARC issues.

If you want to request failure reports delivered to your EasyDMARC dashboard, you can publish a DMARC record, including the “ruf” tag, like this:

Whether the failure is due to an infrastructure problem or the message is inauthentic, Failure Reports provide more information about the failed message than is available in an Aggregate Report.

So, after configuring your DMARC Failure (Forensic) Reports:

1. Go to your EasyDMARC account
2. Click on the Failure Reports section on the left side menu
3. Start using EasyDMARC’s Failure Reporting tool

We provide a detailed analysis of the failed emails, including the IP address, email header, and more. Some of the key benefits of our DMARC Failure Reports include:

• In-depth analysis of the emails that failed DMARC
• Information on the root cause of the failure
• Insights into the IP addresses and email headers used by the unauthorized sender
• Recommendations on how to prevent similar emails from reaching your inbox in the future

To analyze DMARC Failure Reports, you will need to look at the data provided in the report to identify the following:

• Emails that failed DMARC authentication
• The source IP address
• The domain
• The DKIM signature used
• Other information

From there, you can use this data to identify the source of the failed messages and determine why the messages are failing. Some common issues that can lead to DMARC failures include using the wrong DKIM signature, misconfigured SPF records, or misusing a domain name associated with the sending IP address.

Additionally, you can use the data from the Failure Report to look for any malicious activity or spam emails from your domain.

With DMARC Failure Reports, domain owners can identify potential sources of domain spoofing or email phishing and take appropriate actions to mitigate these threats.

Failure Reports can also help identify misconfigurations in the sender's email authentication settings, such as incorrect SPF or DKIM records, and help ensure proper authentication for all future emails.

DMARC Forensic Reports contain detailed information about emails that have failed DMARC authentication, including:

• Email subject line
• Email Header information (i.e., To and From)
• The IP address of the sending server
• SPF, DKIM, and DMARC authentication result

Additionally, the DMARC Failure Report may include the body of the message and other data that may help troubleshoot why the message failed authentication.