Reading your first DMARC reports

I remember when I got hold of my first DMARC reports, almost a year ago. Finally, something new and shiny for me to play with! If you’re about to encounter the same experience, then here’s what you can expect:

Aggregate Reports (RUA)

  • The participating Mailbox Providers will send daily reports via email, HTTP, or HTTPS based on what you defined in the “rua” tag.
  • The reports sent by email will be MIME formatted messages. It will include an XML file contained in a zip file.
  • The reports include data about messages that passed and/or failed DMARC.

The report will include 3 sections:

  1. ISP information
    • Mailbox Provider name
    • Mailbox Provider’s sending email address and additional contact information
    • Report ID number
    • Beginning and ending date range in seconds
  2. DMARC Record – a line by line description of your DMARC record
  3. Summary of authentication results – This is what you’ve been waiting for. Look for the areas that show neutral, none, or failed results.
    • IP identified in the legitimate and/or fraudulent email
    • Count of IP address identified
    • From: domain
    • DKIM authentication results – lists the domain and result (i.e. none, pass, or fail)
    • SPF authentication results – lists the domain and result (i.e. neutral, pass, or fail)

Forensic Reports

After seeing rows and rows of endless XML tags, my excitement quickly faded. Put it this way, I considered printing the aggregate report until I saw that it was 500 pages. The bottom line is that you need some intelligent way to summarize these reports for you. Obviously, you can ask one of your IT folks to parse the data, but is there really a need to recreate the wheel? Here are some information that you might find useful:

Have you come across any other scripts that you’ve found useful to parse these reports? Is so, please do share.