How to Read Your First DMARC Reports (Part 2)

Posted by Amy Gorrell on

If you publish a DMARC record, you receive two types of reports—aggregate and forensic—that contain valuable authentication data. But making sense of that data can be tough.

Last month, we reviewed how to read your first DMARC aggregate reports. Today, we’ll dive into how to read your first DMARC forensic reports.

What are DMARC forensic reports?

In addition to providing information about which emails are authenticating against SPF, DKIM, and DMARC (as aggregate reports do) forensic reports include additional information such as the subject line and header information as well as, most importantly any URLs (URIs) included in the message.

Forensic reports are delivered on a smaller scale than aggregate reports—they’re generated by email providers almost immediately after detecting a DMARC authentication failure.  Intended to give you sample detail and evidence of an issue, forensic reports may contain message-level data, “To” and “From” email addresses, and the IP addresses of the sender.

How to request DMARC forensic reports

To start collecting forensic data on your email, publish a simple DMARC record in monitor mode (tag: p=none) with a request for forensic reports (tag: ruf=mailto:domain@example.com).

Need help creating DMARC record? This blog post along with our DMARC Creation Wizard will help you build one.

Once your DMARC record is in place, participating mailbox providers will send forensic reports in real time to the destination you defined in the RUF tag.

What is included in forensic DMARC reports

Below is an overview of what is and what is included in these DMARC forensic reports:

  • IP Information–the IP address that reportedly sent the message.
  • Time the message was originally received by the ISP (by the second).
  • Authentication results:
    • SPF
    • DKIM
    • DMARC Mechanism Check Result (Alignment Results)
  • ISP Information–The ISP that is sending the report.
  • From Domain information:
    • From address
    • Mail From address
    • DKIM from address (if DKIM is signed)
  • Subject Line
  • URLs (if any are contained)
  • Message ID
  • Delivery Result–Whether the message rejected/quarantine/no policy applied based on the policy outlined in the DMARC record.

Here’s an example of what they look like:

pasted image 0 (8)

What is not included in DMARC forensic reports

Here is what is not included in the DMARC forensic report:

  1. Trends across ISPs: As with aggregate reports, your organization must have the capacity to analyze the data received across ISPs to identify trends such as subject line similarities and URLs across all the reporting ISPs.

  2. Sender Score (reputation data): Again as with aggregate reports, while the sending IP is reported, the reputation of that IP is something you will have to investigate further as it is not outlined in the forensic report. Return Path’s Sender Score tool can help you do it.

  3. Automatic URL Transfer: Chances are, if you have having phishing issues within your organization you are working with a takedown provider who can work to shut down malicious sites purporting to be from your brand. While the forensic reports will include those URLs, they will not ship directly to your takedown provider.

  4. Alerting capabilities: Because forensic reports are sent in real time they can help to identify a phishing attack faster than aggregate reports.  If you receive a forensic report for a domain that is not being used to send legitimate traffic, you’ll want to know about it right away so that you can protect that domain ASAP.  Similarly, if you are having authentication issues that are causing legitimate mail from your domain to not be delivered, you’ll want to be made aware of that before it affects your mail on a wider scale.

As we discussed in part one of this series, the reports themselves do not give you everything you need to protect your customers and employees from phishing.

But working with a partner like Return Path can equip you with actionable insights into your sending domain policies and performance, allowing you to make informed authentication decisions.

Contact us now if you want help making sense of your DMARC reports.


Popular this Month

 Featured Image

3 Trends Impacting Email: Persistent Fraud, Part 2

In part one of this three-part series, I examined the evolving landscape of...

Read More

 Featured Image

The Top 16 Topics of 2016

2017 is finally here! But before we focus on the year ahead, we wanted to...

Read More

 Featured Image

Think Fighting Email Fraud is Someone Else’s Job? Here’s the Real Cost of Doing Nothing.

Cyberattacks against your brand can be very damaging and costly to both your...

Read More

Author Image

About Amy Gorrell

Amy Gorrell is a Strategic Project Manager for Return Path's Email Fraud Protection team. Amy works with some of our top-tier clients to help eliminate the impact of email fraud. When she's not fighting cyber crime you can find her enjoying the many outdoor activities Colorado has to offer. You can connect with Amy on LinkedIn @Amy Gorrell or follow her on Twitter @amy_gorrell.

Author Archive

CTA Image

Stay up to date

Enter your name and email address below to subscribe to our mailing list.

Your browser is out of date.
For a better Return Path experience, click a link below to get the latest version.