How DMARC Analytics Helps in Detecting Domain Spoofing + Case Study
The DMARC authentication protocol has become a part of every domain’s configuration, regardless of whether the domain sends email. Email marketers understand the importance of DMARC for the successful delivery of emails to users’ inboxes.
Benefits of DMARC Implementation
However, a better chance of inbox placement is not the only benefit of DMARC implementation. Thanks to the different tags available in a DMARC record, domain owners can:
- instruct email receivers on how to treat messages that fail DMARC, to prevent possible spam and phishing attacks;
- set a strict or relaxed mode for SPF and DKIM alignment to strengthen domain protection;
- apply a DMARC policy to a specific percentage of emails to move safely towards a full “reject”;
- receive aggregate and forensic reports with crucial data about the email traffic originating from the domain and the email authentication outcomes.
The importance of DMARC reports is often underestimated. Many email senders leave the RUA and RUF tags out of their DMARC records so that they don’t receive the reports. This is probably because the reports are sent as XML files that are hard to parse.
Tools like GlockApps DMARC Analyzer make processing DMARC reports easy. We at GlockApps encourage domain owners to use automated tools to extract data from DMARC reports so that they can spot email authentication breaches and domain spoofing attacks.
Case Study: Using DMARC Analytics to Detect Domain Spoofing
Below we share a real case in which our DMARC Analytics helped a client identify the root cause of decreased deliverability.
Problem: Sudden Increase of User-Reported Spam Rate
The client came to our live chat with a question about the user-reported spam rate they saw in the Postmaster tool. The user-reported spam rate for their domain used to be 0,0%. On March 26th, 2025 the Postmaster data showed an incredible spike to 7,5%.
The client asked whether that could have been an error in the metric calculation, as they had not sent any special campaign or dramatically increased their email traffic that day. The logs of their email servers didn’t show any suspicious activity.
Investigation: Analysis of DMARC Analytics Data
As the Postmaster tool in GlockApps shows the email reputation metrics collected by Google Postmaster, the data is accurate, including any changes in the metrics.
To find the cause of the spike in the user-reported spam rate, the client was advised to analyze their domain’s email traffic in DMARC Analytics. The analysis revealed a high volume of emails sent on March 23rd – 27th by unknown sources, that is, sources the client didn’t recognize.
As a rule, this scenario indicates domain spoofing, in which bad actors pretend to be the domain owner and send their harmful emails out under the domain’s name.
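The check described in this investigation can be reproduced directly on a raw aggregate report. The following is an added example, not GlockApps code: it totals message counts per source IP for senders that fail DMARC and are not on the owner's list of known sources. The report is constructed sample data, and `example.com`, the documentation-range IPs and the `KNOWN_SENDERS` list are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample data: example.com and the documentation-range IPs are
# placeholders, not values from the case study.
_ROW = ("<record><row><source_ip>{ip}</source_ip><count>{n}</count>"
        "<policy_evaluated><disposition>none</disposition><dkim>{dkim}</dkim>"
        "<spf>{spf}</spf></policy_evaluated></row>"
        "<identifiers><header_from>example.com</header_from></identifiers>"
        "</record>")
SAMPLE_REPORT = (
    "<feedback><policy_published><domain>example.com</domain><p>none</p>"
    "</policy_published>"
    + _ROW.format(ip="192.0.2.10", n=1200, dkim="pass", spf="pass")
    + _ROW.format(ip="198.51.100.7", n=4300, dkim="fail", spf="fail")
    + _ROW.format(ip="198.51.100.7", n=900, dkim="fail", spf="fail")
    + _ROW.format(ip="203.0.113.25", n=2100, dkim="fail", spf="fail")
    + "</feedback>")

KNOWN_SENDERS = {"192.0.2.10"}  # assumption: the owner's legitimate sources


def unknown_failing_sources(report_xml, known_senders):
    """Return {source_ip: message_count} for unrecognized IPs failing DMARC."""
    # Reports arrive from third parties; aggregate reports need no DTD, so
    # refuse one outright rather than let the parser expand entities.
    if "<!DOCTYPE" in report_xml or "<!ENTITY" in report_xml:
        raise ValueError("DTD/entity declarations are not accepted")
    totals = Counter()
    for row in ET.fromstring(report_xml).iter("row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count", "0"))
        # policy_evaluated holds the aligned results; DMARC passes if
        # either aligned DKIM or aligned SPF passes.
        results = (row.findtext("policy_evaluated/dkim"),
                   row.findtext("policy_evaluated/spf"))
        if "pass" not in results and ip not in known_senders:
            totals[ip] += count
    return dict(totals)


if __name__ == "__main__":
    for ip, n in sorted(unknown_failing_sources(SAMPLE_REPORT,
                                                KNOWN_SENDERS).items()):
        print(f"{ip}: {n} messages failing DMARC from an unknown source")
```

A sudden rise in these totals from IPs the owner does not operate is the pattern the case study attributes to spoofing.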
Solution: DMARC Policy Enforcement
As the messages sent by the client’s legitimate sources successfully pass DMARC authentication, the client was encouraged to change the DMARC policy to ‘quarantine’ in order to prevent such destructive activity in the future. If ongoing monitoring of the email authentication outcomes reveals no issues for legitimate senders, the client will be able to set the policy to ‘reject’ after some time.
Conclusion
DMARC aggregate reports are a great source of data that provides visibility into how the domain is used. Thanks to automated tools like GlockApps DMARC Analytics, email senders can have the data processed and analyzed regularly.
This gives them the ability to spot any malicious activity on the domain, identify email authentication breaches, control email sources and message traffic, and take measures to protect the domain and email recipients from harmful email campaigns of any kind.