How Do You Analyze a DMARC Report? Step-by-Step Guide
What DMARC Does
DMARC (Domain-based Message Authentication Reporting and Conformance) is an email validation system that helps protect your email domain from being used for sending phishing emails, scams, and other spam.
DMARC is built upon two existing email authentication technologies that are used to associate a piece of email with a domain: SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). DMARC builds on the authentication that SPF and DKIM provide and is the strongest way to protect an email domain.
DMARC also provides reporting. After you publish a DMARC record in your domain's DNS, you receive information about every source that sends email on behalf of your domain.
This information arrives as feedback reports generated by the organizations that receive your email. By analyzing these reports, you can identify all your email streams, spot unauthorized sources, and make sure that all legitimate sources pass email authentication checks.
How to Use GlockApps DMARC Inspector
Step 1. Add Domain.
Login to your account with GlockApps.
Navigate to DMARC Inspector -> Add Domain at the left side.
Activate your DMARC Inspector trial if you haven’t done so yet.
After you activate the DMARC Inspector, you will see a field to add your domain.
Enter the domain and click “Next.”
Step 2. Select a DMARC Policy.
The DMARC policy tells the email receiver what to do when an email message fails DMARC authentication. The following policies are available:
Monitor (none) – no action is applied to an email that fails DMARC authentication. This is a monitoring-only mode that senders use to collect information about their email sources.
Quarantine – an email is sent to the Spam folder if it fails the DMARC authentication.
Reject – an email is rejected and is never delivered if it fails the DMARC authentication.
We recommend starting with the “none” policy to receive DMARC reports and analyze the sources sending email from your domain.
If you want to use a different policy for subdomains, choose “Yes” and select a policy different from the one you set for your domain.
Step 3. Publish a DMARC Record to DNS.
A DMARC record is a TXT record published in the DNS for your domain under _dmarc.yourdomain.com, where “yourdomain.com” is replaced with your actual domain (or subdomain). It tells the email receiver how to handle emails that fail DMARC authentication and where to send DMARC reports.
To publish a DMARC record to DNS:
Log in to your DNS management console.
Navigate to the domain where you’ll be publishing a DMARC record.
Most DNS management consoles will ask for:
Hostname: this should be _dmarc. NOTE: the leading underscore character is required!
Resource type: this is TXT, as DMARC records are published in the DNS as TXT resource records.
Value: this is the DMARC record itself.
Example: v=DMARC1; p=none; rua=mailto:email@example.com; ruf=mailto:firstname.lastname@example.org; fo=1;
Save and you’re done.
If you have multiple sending domains and want to get DMARC reports for all of them, repeat the process for each domain.
Once you’ve published a DMARC record, DMARC data will typically begin to generate within a day or two in the form of reports that give you insight into which sources are sending emails from your domain.
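Before pasting a record into the DNS console, it is worth checking that it is well-formed, because a record with a typo silently produces no reports. The following Python script is an added example (not GlockApps code) that covers Steps 2 and 3 together: it assembles a record from the chosen policy, optional subdomain policy and report addresses, derives the _dmarc owner name, and validates the tags a record must carry. The addresses are the page's own example values; the tag names and accepted values are those defined by the DMARC specification (RFC 7489).

```python
"""Build, parse and sanity-check a DMARC TXT record before publishing it.

Added example (not GlockApps code). Tag names and accepted values follow the
DMARC specification (RFC 7489); the addresses are the page's own example values.
"""

POLICY_VALUES = {"none", "quarantine", "reject"}   # p= and sp=
ALIGNMENT_VALUES = {"r", "s"}                       # adkim= and aspf=
FO_VALUES = {"0", "1", "d", "s"}                    # fo= (colon-separated)


def dmarc_dns_name(domain: str) -> str:
    """DNS owner name of the record: the leading underscore is mandatory."""
    return f"_dmarc.{domain.strip().rstrip('.').lower()}"


def build_dmarc_record(policy: str, rua: str, ruf: str = "",
                       subdomain_policy: str = "", fo: str = "1") -> str:
    """Assemble a record in the same shape as the example on this page."""
    parts = ["v=DMARC1", f"p={policy}"]
    if subdomain_policy:            # sp= only when subdomains get a different policy
        parts.append(f"sp={subdomain_policy}")
    parts.append(f"rua=mailto:{rua}")
    if ruf:
        parts.append(f"ruf=mailto:{ruf}")
    parts.append(f"fo={fo}")
    return "; ".join(parts) + ";"


def parse_dmarc_record(record: str) -> dict:
    """Split 'tag=value; tag=value; ...' into an insertion-ordered dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag (no '='): {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def validate_dmarc_record(record: str) -> list:
    """Return a list of problems; an empty list means the record is safe to publish."""
    try:
        tags = parse_dmarc_record(record)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    # v=DMARC1 must be the first tag, otherwise receivers ignore the record
    if not tags or next(iter(tags)) != "v" or tags["v"].upper() != "DMARC1":
        problems.append("record must start with v=DMARC1")
    if "p" not in tags:
        problems.append("missing required p= tag (none, quarantine or reject)")
    elif tags["p"].lower() not in POLICY_VALUES:
        problems.append(f"unknown policy p={tags['p']}")
    if "sp" in tags and tags["sp"].lower() not in POLICY_VALUES:
        problems.append(f"unknown subdomain policy sp={tags['sp']}")
    for tag in ("rua", "ruf"):          # report destinations must be mailto: URIs
        for uri in tags.get(tag, "").split(","):
            if uri.strip() and not uri.strip().lower().startswith("mailto:"):
                problems.append(f"{tag}= destination is not a mailto: URI: {uri.strip()}")
    if "fo" in tags and not set(tags["fo"].split(":")) <= FO_VALUES:
        problems.append(f"invalid fo= value {tags['fo']}")
    for tag in ("adkim", "aspf"):
        if tag in tags and tags[tag].lower() not in ALIGNMENT_VALUES:
            problems.append(f"{tag}= must be r (relaxed) or s (strict)")
    if "pct" in tags and not (tags["pct"].isdigit() and int(tags["pct"]) <= 100):
        problems.append("pct= must be an integer between 0 and 100")
    return problems


if __name__ == "__main__":
    record = build_dmarc_record("none", "email@example.com",
                                ruf="firstname.lastname@example.org")
    print(dmarc_dns_name("example.com"), "TXT", record)
    print("problems:", validate_dmarc_record(record) or "none")
```

Run as a script it prints the owner name and the exact record from the example above; call validate_dmarc_record() on a record you are about to publish and fix anything it lists first. A reporting-only rollout keeps p=none, and the sp= parameter is what Step 2's "different policy for subdomains" choice turns into.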
Step 4. Analyze DMARC Reports.
What do DMARC reports actually tell you?
DMARC data gives you visibility into your internal email program and allows you to:
1. Inspect your sending sources.
DMARC reports show you all the domains and IP addresses you’re using to send email. Because sender reputation matters more and more, full visibility into all your outbound email sources is essential.
2. Monitor email authentication.
You can see whether any of your mail senders are failing SPF, DKIM or DMARC authentication.
3. Detect unauthorized use of your domains.
You can determine if there are any unauthorized third parties sending emails using your domains.
Two types of DMARC reports can be requested: aggregate reports and forensic reports.
The DMARC record indicates which reports the domain owner wants to receive: rua= requests aggregate reports and ruf= requests forensic reports.
The GlockApps DMARC Inspector generates a DMARC record to receive both types of reports.
Example: rua=mailto:email@example.com; ruf=mailto:firstname.lastname@example.org;
In the GlockApps DMARC Inspector, the reports are presented under the Aggregate Reports and Forensic Reports tabs.
Aggregate reports provide valuable visibility into the health of your email sending infrastructure and help you detect authentication issues and/or malicious activity.
These reports are sent in XML format and can be difficult to read and understand. The GlockApps DMARC Inspector processes aggregate reports and presents them as a table listing every mail source sending on behalf of the domain and the percentages of messages that pass or fail SPF, DKIM and DMARC.
The processed aggregate report in the GlockApps DMARC Inspector (shown as a screenshot in the original article) has the following columns:
DOMAIN – the domains where you published a DMARC record to collect DMARC data.
POLICY – the policy applied to non-compliant messages used in your DMARC record for the domain.
COMPLIANCE – the percentage of DMARC compliant messages sent from the domain for the chosen period.
SOURCES – the number of sources (IP addresses) sending emails from the domain.
DMARC PASS – the number of DMARC compliant messages sent from the domain for the chosen period.
DMARC FAIL – the number of DMARC non-compliant messages sent from the domain for the chosen period.
SPF FAIL – the number of the messages with failed SPF sent from the domain for the chosen period.
DKIM FAIL – the number of the messages with failed DKIM sent from the domain for the chosen period.
FORWARD – the number of the email messages sent from the domain and then forwarded for the chosen period.
UNKNOWN – the number of source IP addresses that sent email for your domain but have no SPF record or DKIM signature for your domain.
TOTAL – the total number of the email messages sent from the domain for the chosen period.
Click on the domain name to see all the IP addresses sending on behalf of the domain.
The report shows the sending IP address and host name, the DMARC, SPF and DKIM check results (aligned/pass/fail), the applied DMARC policy, and the total number of emails sent by the host.
You can group the data by the sending IP, organization, host, or reporter.
If you see an unusually high number of sending sources, investigate the report to identify malicious senders.
Your authorized IP addresses are shown in green; unauthorized IPs are shown in grey. GlockApps performs a DNS-based check to determine which sending IPs are authorized for the domain.
The main purpose of analyzing aggregate reports is to identify legitimate email sources, that is, sources that are part of your sending infrastructure, which failed the SPF or DKIM check.
Once you have identified legitimate senders that fail authentication checks, update your SPF/DKIM settings so that email from them passes authentication next time.
You’ll also want to remove authorization for any hosts that are not supposed to send email from your domain but are passing authentication, if you see any.
If you already have a DMARC report, you can upload it to GlockApps and our tool will parse it for you. You can upload a report in the .zip, .gz, and .gzip formats.
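To make the column definitions and the triage advice above concrete, here is an added Python example (not GlockApps code) that reads an aggregate report the way the Inspector does, reduces it to the DOMAIN / POLICY / COMPLIANCE / SOURCES / DMARC PASS / DMARC FAIL / SPF FAIL / DKIM FAIL / FORWARD / UNKNOWN / TOTAL columns, and splits the DMARC-failing IPs into "probably ours, fix SPF/DKIM" and "unknown, investigate". The embedded SAMPLE_REPORT is constructed test data in the RFC 7489 aggregate schema with placeholder IPs, host names and counts. The FORWARD and UNKNOWN rules are this example's own heuristics, since the page does not say how GlockApps computes them; load_report also unpacks the .gz and .zip packaging in which reports are delivered.

```python
"""Summarize a DMARC aggregate (RUA) report into the table columns described above.

Added example (not GlockApps code). SAMPLE_REPORT is constructed test data in the
RFC 7489 Appendix C schema; IPs, hosts and counts are placeholders. The FORWARD and
UNKNOWN rules are this example's own heuristics, not GlockApps's.
"""
import gzip
import io
import xml.etree.ElementTree as ET
import zipfile

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
 <report_metadata><org_name>reporter.example</org_name><report_id>constructed-0001</report_id>
  <date_range><begin>1700000000</begin><end>1700086400</end></date_range></report_metadata>
 <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
  <p>none</p><sp>none</sp><pct>100</pct></policy_published>
 <!-- own mail server: SPF and DKIM both pass and align with the From domain -->
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><result>pass</result><selector>s1</selector></dkim>
   <spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
 <!-- bulk ESP sending for us: DKIM aligned, SPF passes only for the ESP's own bounce domain -->
 <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><result>pass</result><selector>esp</selector></dkim>
   <spf><domain>bulk.example.net</domain><result>pass</result></spf></auth_results></record>
 <!-- forwarded mail: our DKIM signature survived, SPF for our own domain fails at the forwarder's IP -->
 <record><row><source_ip>192.0.2.200</source_ip><count>25</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><result>pass</result><selector>s1</selector></dkim>
   <spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
 <!-- own ticketing host with a stale DKIM key and no SPF for our domain: fix, not spoofing -->
 <record><row><source_ip>192.0.2.30</source_ip><count>10</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><result>fail</result><selector>old</selector></dkim>
   <spf><domain>hosting.example.net</domain><result>pass</result></spf></auth_results></record>
 <!-- unknown source: no DKIM signature and no SPF result for our domain at all -->
 <record><row><source_ip>203.0.113.99</source_ip><count>15</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>mail.example.org</domain><result>none</result></spf></auth_results></record>
</feedback>
"""


def load_report(data: bytes) -> str:
    """Unpack a report as it arrives: gzip (.gz/.gzip), zip, or bare XML."""
    if data[:2] == b"\x1f\x8b":
        return gzip.decompress(data).decode()
    if data[:2] == b"PK":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.read(zf.namelist()[0]).decode()
    return data.decode()


def summarize(xml_text: str) -> dict:
    """Reduce one report to the DOMAIN/POLICY/COMPLIANCE/... columns plus per-IP rows."""
    root = ET.fromstring(xml_text)
    s = {"domain": root.findtext("policy_published/domain"),
         "policy": root.findtext("policy_published/p"),
         "dmarc_pass": 0, "dmarc_fail": 0, "spf_fail": 0, "dkim_fail": 0,
         "forward": 0, "total": 0, "rows": []}
    ips, unknown_ips = set(), set()
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        hdr_from = rec.findtext("identifiers/header_from")
        # policy_evaluated holds the *aligned* results the receiver used for its DMARC verdict
        dkim_ok = rec.findtext("row/policy_evaluated/dkim") == "pass"
        spf_ok = rec.findtext("row/policy_evaluated/spf") == "pass"
        dmarc_ok = dkim_ok or spf_ok
        # auth_results holds the raw results, keyed by the domain each check was made against
        raw_dkim = {d.findtext("domain"): d.findtext("result") for d in rec.findall("auth_results/dkim")}
        raw_spf = {p.findtext("domain"): p.findtext("result") for p in rec.findall("auth_results/spf")}
        # heuristic (assumption): our DKIM signature survived but SPF for our own domain
        # failed at this IP, which is what plain forwarding looks like
        forwarded = dkim_ok and raw_spf.get(hdr_from) in ("fail", "softfail")
        # nothing ties this IP to our domain: no SPF check and no DKIM signature for it
        unknown = hdr_from not in raw_dkim and hdr_from not in raw_spf
        ips.add(ip)
        s["total"] += count
        s["dmarc_pass" if dmarc_ok else "dmarc_fail"] += count
        s["spf_fail"] += 0 if spf_ok else count
        s["dkim_fail"] += 0 if dkim_ok else count
        s["forward"] += count if forwarded else 0
        if unknown:
            unknown_ips.add(ip)
        s["rows"].append({"ip": ip, "count": count, "dmarc": dmarc_ok, "spf": spf_ok,
                          "dkim": dkim_ok, "forward": forwarded, "unknown": unknown})
    s["sources"], s["unknown"] = len(ips), len(unknown_ips)
    s["compliance"] = round(100 * s["dmarc_pass"] / s["total"], 1) if s["total"] else 0.0
    return s


def triage(summary: dict) -> tuple:
    """Split DMARC-failing IPs into (probably ours: fix SPF/DKIM) and (not ours: investigate)."""
    fix = [r["ip"] for r in summary["rows"] if not r["dmarc"] and not r["unknown"]]
    investigate = [r["ip"] for r in summary["rows"] if not r["dmarc"] and r["unknown"]]
    return fix, investigate


if __name__ == "__main__":
    s = summarize(load_report(SAMPLE_REPORT.encode()))
    print({k: v for k, v in s.items() if k != "rows"})
    print("fix SPF/DKIM for:", triage(s)[0], "| investigate:", triage(s)[1])
```

On the sample data the script reports 210 messages from 5 sources at 88.1% compliance: the ESP and the forwarder still count as DMARC pass because DKIM aligned, the ticketing host with the stale key lands in the "fix" list (its DKIM signature is for our domain, so it is ours), and the source with no SPF or DKIM for our domain is the one to investigate. Note the design choice: a DMARC failure is only a spoofing candidate when nothing in auth_results references your domain; a failing DKIM signature for your own domain is far more often a key or selector problem on a legitimate host.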
DMARC forensic reports are generated by email service providers almost immediately after an email message fails the DMARC authentication check.
A forensic report provides information about individual messages that didn’t pass authentication including the message Subject, source IP, reported domain, From and To email addresses, sending date, and failed authentication method.
Move to Quarantine and Reject Mode
In the quarantine mode (p=quarantine), an email message that fails DMARC authentication is moved to the spam folder.
You can consider switching from the monitoring policy p=none to p=quarantine after 3-4 weeks if everything looks fine and all your legitimate senders pass email authentication checks.
Then, if everything goes fine for 2-3 months, you can consider moving to the reject mode.
In the reject mode, an email message that fails DMARC authentication is rejected and is never delivered. It is the strictest action that can be applied to emails that fail authentication and provides full protection against spoofing.