Unlike aggregate reports, a forensic report is sent every time an email sent from a domain fails DMARC. Forensic reports are typically sent by the receiving ISP immediately after the DMARC failure occurs, giving you near real-time insight into your DMARC failures.
As this type of report can include personal data, many popular providers don’t send forensic reports for privacy reasons. However, DMARC Analytics adds the ruf= tag with the reporting email address to the DMARC record, which makes it capable of receiving and processing forensic reports.
What you actually see in a report depends on the reporting ISP. It is up to the reporter what to include, but typically the details are:
Sending IP – the IP address that sent the email;
Reported Domain – the Header From domain;
Date – the date when the message was received by the ISP;
Email From – the From email address;
Email To – the email address the message was sent to;
Auth Failure – email authentication that failed;
Auth Results – authentication results for SPF, DKIM, and DMARC.
If you find a source that is actually legitimate, you’ll want to set up SPF and DKIM for it to ensure the emails sent from that source pass DMARC.
For illegitimate sources, it depends on the volume of email they send. If the volume is small compared to what you send from legitimate sources, you may ignore it. If you notice a high volume from an illegitimate source, you’ll want to apply the p=quarantine or p=reject DMARC policy to protect your domain.
But before you do so, verify the DNS settings for your legitimate sources and make sure SPF and DKIM are set up correctly to pass DMARC. Otherwise, you risk losing legitimate messages: they may be sent to Spam or blocked before they even reach the recipient’s mailbox.
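The following Python example, added here for illustration and not part of DMARC Analytics or the original text, shows both halves of the page in working code: it pulls the fields listed above (Sending IP, Reported Domain, Date, Email From, Email To, Auth Failure, Auth Results) out of a forensic report in the ARF layout (RFC 5965 multipart/report with a message/feedback-report part, as extended for DMARC by RFC 6591/7489), checks that the DMARC record carries a ruf= tag, and then applies the triage rules from the last three paragraphs. The report text, the IP addresses, the domains and the ARF_TEMPLATE, FIELD_MAP, parse_forensic_report, parse_dmarc_record, triage_sources and safe_to_tighten names are all constructed for the example; the legitimate_volume figure is assumed to come from your own sending logs.

```python
"""Parse DMARC forensic (RUF) reports in ARF format and triage sending sources.
Example code added for illustration; the report below is a constructed sample."""
import email
from collections import Counter
from email.message import Message

# Constructed ARF report template. {ip} and {mail_from} are filled in so that
# several reports can be generated for the triage demonstration.
ARF_TEMPLATE = """\
From: dmarc-noreply@receiver.example
To: ruf@dmarc-collector.example
Subject: FW: Important notice
MIME-Version: 1.0
Content-Type: multipart/report; report-type=feedback-report; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

This is an authentication failure report for a message received from {ip}.
--b1
Content-Type: message/feedback-report

Feedback-Type: auth-failure
Version: 1
Auth-Failure: dmarc
Authentication-Results: mx.receiver.example; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com
Source-IP: {ip}
Reported-Domain: example.com
Original-Mail-From: {mail_from}
Original-Rcpt-To: victim@receiver.example
Arrival-Date: Tue, 05 Mar 2024 09:14:02 +0000

--b1
Content-Type: message/rfc822

From: {mail_from}
To: victim@receiver.example
Subject: Important notice

Please update your details.
--b1--
"""

# Field name used on the page -> ARF feedback-report header that carries it.
FIELD_MAP = {
    "sending_ip": "Source-IP",
    "reported_domain": "Reported-Domain",
    "date": "Arrival-Date",
    "email_from": "Original-Mail-From",
    "email_to": "Original-Rcpt-To",
    "auth_failure": "Auth-Failure",
    "auth_results": "Authentication-Results",
}


def _feedback_part(msg: Message) -> Message:
    """Return the message/feedback-report part as a header-bearing Message."""
    for part in msg.walk():
        if part.get_content_type() == "message/feedback-report":
            payload = part.get_payload()
            # The stdlib parser stores message/* bodies as a nested Message.
            if isinstance(payload, list):
                return payload[0]
            return email.message_from_string(payload)
    raise ValueError("no message/feedback-report part in report")


def parse_forensic_report(raw: str) -> dict:
    """Extract the forensic-report fields from one ARF message."""
    msg = email.message_from_string(raw)
    if msg.get_content_type() != "multipart/report":
        raise ValueError("not a multipart/report message")
    fb = _feedback_part(msg)
    if fb.get("Feedback-Type", "").strip().lower() != "auth-failure":
        raise ValueError("not an authentication-failure report")
    return {key: (fb.get(hdr) or "").strip() for key, hdr in FIELD_MAP.items()}


def parse_dmarc_record(txt: str) -> dict:
    """Split a DMARC TXT record into tag=value pairs (p, rua, ruf, ...)."""
    tags = {}
    for item in txt.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def triage_sources(reports, legitimate_ips, legitimate_volume, ignore_ratio=0.05):
    """Page rules: fix legitimate sources; ignore low-volume spoofing; tighten
    policy for high-volume spoofing. legitimate_volume is the number of messages
    you know you sent yourself (assumed to come from your own logs)."""
    counts = Counter(r["sending_ip"] for r in reports)
    advice = {}
    for ip, n in counts.items():
        if ip in legitimate_ips:
            advice[ip] = "legitimate: set up SPF and DKIM so it passes DMARC"
        elif n / legitimate_volume < ignore_ratio:
            advice[ip] = "illegitimate, low volume: may be ignored"
        else:
            advice[ip] = "illegitimate, high volume: move to p=quarantine or p=reject"
    return advice


def safe_to_tighten(reports, legitimate_ips) -> bool:
    """Only move to quarantine/reject when no legitimate source still fails;
    otherwise real mail would land in Spam or be blocked."""
    return not any(r["sending_ip"] in legitimate_ips for r in reports)


if __name__ == "__main__":
    legit = {"198.51.100.5"}
    reports = [parse_forensic_report(ARF_TEMPLATE.format(ip="198.51.100.5", mail_from="news@example.com"))]
    reports += [parse_forensic_report(ARF_TEMPLATE.format(ip="203.0.113.10", mail_from="billing@example.com")) for _ in range(19)]
    print(parse_dmarc_record("v=DMARC1; p=none; rua=mailto:agg@example.com; ruf=mailto:ruf@example.com"))
    print(triage_sources(reports, legit, legitimate_volume=100))
    print("safe to tighten policy:", safe_to_tighten(reports, legit))
```

Because forensic reports only describe failures, the legitimate send volume used for the ratio cannot be read from the reports themselves and must come from your own mail logs; the safe_to_tighten check encodes the last paragraph's warning that a legitimate source still appearing in failure reports means SPF or DKIM is not yet right for it.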