How to decipher DMARC reports?
Deciphering DMARC reports is complex as it requires understanding the XML structure and key components within the report. You have to analyze the IP address and understand the failures. Here’s a step-by-step guide on how you can go about it.
Identify the report sections
The report section includes metadata and records. Metadata contains the date range covered by the report, the email provider generating the report, and the domain being reported. It shows the DMARC policy (none, quarantine, or reject) and the alignment modes for SPF and DKIM.
The records include detailed information about the authentication results for each IP address that sent emails on your behalf, including both authorized and unauthorized ones.
Review the DMARC policy applied
Look for the policy published section, which states the domain’s DMARC policy. This includes:
- p: Policy (none, quarantine, reject)
- sp: Subdomain policy
- adkim: DKIM alignment mode (strict or relaxed)
- aspf: SPF alignment mode (strict or relaxed)
Check the source IP addresses
See the ‘row’ section to identify the IP addresses that were used to send emails from your domain. The ‘count’ section tells the number of emails sent from the particular IP.
Analyze SPF and DKIM results
Go through all the emails sent from your domain and see if they passed or failed SPF and DKIM checks. Failed SPF results indicate that an unauthorized server or IP address was used to send an email from your domain. The DKIM results show if the signature was valid. An email needs to pass at least one of these protocols to pass DMARC.
Review alignment
DMARC requires alignment between the domain used in SPF/DKIM and the domain in the ‘From’ address. SPF alignment ensures that the domain in the SPF record matches the ‘From’ address, whereas DKIM alignment checks whether the domain in the DKIM signature matches the ‘From’ address.
Interpret actions taken
Go to the policy_evaluated section and check the ‘disposition’ field to see what action was taken on the email based on your DMARC policy:
- None– no action was taken.
- Quarantine– the message was placed in the spam folder.
- Reject– the message was rejected.
Look for failures
Any email that didn’t pass the DMARC check is potentially fraudulent, so pay extra attention to it. Ill-intended people send such messages to your customers, prospects, employees, shareholders, media, etc., to tarnish your business reputation, dupe them out of money, manipulate them into sharing sensitive details, etc.
Aggregate information
Please review the number of messages passed, the number of failed messages, and whether the failures are due to legitimate misconfigurations or malicious activity.
Final words
By analyzing these elements, you can detect misconfigurations and unauthorized senders and fine-tune your email authentication policies. However, we understand how all this can become overwhelming and resource-consuming. So, please feel free to reach out to us at DuoCircle for DMARC implementation, monitoring, and reporting-related services.