Badsender

What is behind a DMARC report?

published on ,
updated on

Last February, I told you about the implementation of DMARC. In this second article, we will see what is behind a DMARC report through some questions. The aim of this series of articles is to help you - if you haven't already done so - to better protect your domain names with DMARC!

DMARC in three bullet points...

I'll make it short and simple: "DMARC" is an e-mail authentication standard that will rely on SPF & DKIM records. It will allow any advertiser who implements it to :

  • Enforce SPF & DKIM limitations by applying a security rule in case of SPF & DKIM failure on the sending domain.
  • Limit spam and phishing on your entire infrastructure (main domain & subdomains) thanks to reports provided by various organizations.
  • Make all e-mail flows compliant to improve their legitimacy.

The only constraint of DMARC today is that all the organizations (Fai, Webmails, Anti-Spam Filters, etc.) do not interpret it!

A DMARC report... What is it?

First of all, to receive DMARC reports, you will have to configure an e-mail address in the "rua" tag.

v=DMARC1; p=none; rua=mailto:zc1cbjad@ag.dmarcian.eu, mailto:dmarc_agg@dmarc.250ok.net,mailto:dmarc_agg@lepatron.email;

Note: If you want to receive all the reports, you will have to choose an e-mail address of your sending domain (e.g. dmarc-rua@badsender.com for the domain name badsender.com). Otherwise, you will need to create a DMARC record (v=DMARC1;) on the domain external to your sending domain.

Once DMARC is in place, you will receive (depending on your settings), the activity results recorded on your sender domain. By this I mean the authentication results of your email campaigns but also third party activities - both legitimate and malicious.

This DMARC report is sent in ARF format (see attached). The file will be zipped and will contain the report in XML format.

DMARC report received from Google
DMARC report received from Google

Who sends these DMARC reports?

As I said before, the reports are sent by any organization that knows how to interpret DMARC and is able to send these famous reports.

Here is a list (not exhaustive) of the organizations for which we have received a report since January 1, 2021 (on 2 monitored domains):

OrganizationOrganizationZip format
ADPSoftware.GZ
BelgacomHost.GZ
BNP ParibasBank.GZ
BPCEBank.GZ
Caisse des DépôtsFinance.GZ
CiscoSecurity.GZ
DienneaTechnologies.ZIP
GoogleWebmail.ZIP
Casino GroupDistribution.GZ
InfomaniakHost.ZIP
La PosteWebmail.GZ
LinkedInSocial.GZ
Mail.ruWebmail.GZ
OC3 NetworkHost.GZ
PanalpinaLogistics.GZ
RackspaceHost.ZIP
SfrWebmail.GZ
SpamtitanSecurity.GZ
Strasbourg.euCommunity.GZ
TelusTelecommunications.GZ
YahooWebmail.GZ
ZerospamSecurity.GZ
ZohoHost.GZ
Listing of organizations sending DMARC reports

As you can see, the panel of companies is large and this is only a small proportion of what there may be as an organization returning DMARC-related information.

A DMARC report from the inside!!!

It's all very well to give you a lot of information about DMARC but I forgot the main thing... What information can be found in these famous reports ???

I'm going to break down a DMARC report we received from Gmail:

Structure of a report

A DMARC report is a file XML. You will find in this metadata all the authentication information related to your sender domain (and subdomains if it is placed on the root domain). This file is divided into 3 main sections:

  • report_metadata" tag
  • policy_published" tag
  • Record" tag.

The "record" tag is the most important since it will contain all the authentication results. 1 record = 1 result, so the more records you have in your file, the more authentication results you will have to analyze! If you are a big sender, I strongly advise you to use a DMARC monitoring solution.

Need help?

Reading content isn't everything. The best way is to talk to us.


*spoil* >> I'm planning several articles in June about different solutions... But shhhh!

The "report_metadata" tag

Content of the report_metadata tag of a DMARC report
Content of the report_metadata tag of a DMARC report

In this first section, you will find all the information related to the DMARC report:

  • : The organization that provides the DMARC report.
  • : The email address that sends the DMARC report.
  • : A link to the support page on DMARC.
  • : The ID of the DMARC report.
  • : The analysis period of the report. In our example (once transformed), the analysis period is from 11/01/2021 00:00 to 11/01/2021 23:59 GMT.

The "policy_published" tag

Content of the policy tag in a DMARC report
Content of the policy tag in a DMARC report

In this second section, you will find all the information related to your DMARC policy:

  • : Indicates the name of the domain (or subdomain) where DMARC is placed.
  • : Indicates DKIM alignment => "r" (relaxed=soft) & "s" (strict=strict).
  • : Indicates SPF alignment => "r" (relaxed=soft) & "s" (strict=strict).
  • <p> Indicates the DMARC policy of the domain where "p" is set =&gt; "none" (i.e. no action), "quarantine" (i.e. put in spam), reject (i.e. e-mail blocked).
  • : Indicates the DMARC policy of the subdomains of the domain where "p" is set => "none" (cf. no action), "quarantine" (cf. put in spam), reject (cf. blocked email).
  • : Specifies the percentage of emails on which the DMARC rule should apply.

The "record" tag

Content of a record tag in a DMARC report
Content of a record tag in a DMARC report

In this third section, you will find all the information related to the authentication results. This section is divided into three sub-sections:

    • : Indicates the IP that was used to send the email.
    • : Indicates the number of emails received with this IP.
      • : Indicates the DMARC policy.
      • : Indicates the authentication result for DKIM.
      • : Indicates the authentication result for SPF.
    • : Indicates the domain that is used in the sending address.
      • : Indicates the domain signed with DKIM.
      • : Indicates the DKIM authentication result.
      • : Indicates the selector for the DKIM key.
      • : Indicates the domain signed with SPF.
      • : Indicates the SPF authentication result.

Note: It is possible (as in the example) that a sending domain has multiple DKIM keys. Note that all DKIM keys will then be parsed in the subsection.

Conclusion...

That's it, the appetizer is over. The objective here was really to show you the inside of a DMARC report (done) before diving directly into the heart of DMARC, namely the data analysis.

So, we will see in the next article how to interpret DMARC report data! You'll see, it's super exciting... Or not 😉

Need help deploying DMARC? Find the most suitable DMARC monitoring solution? Monitor your DMARC data? Do not hesitate to contact us...

Discover our Coaching offers

—–

Our latest content on DMARC :

And on other email authentication systems:

Support the "Email Expiration Date"

Brevo and Cofidis financially support the project. Join the movement and together, let's make the email industry take responsibility for the climate emergency.

I want to know more

Share

Stay informed with Badsender newsletters

Every month, we publish a newsletter on email marketing and an infoletter on sobriety and marketing. Read more.

Your email address will never be communicated to a third party. You can unsubscribe at any time with a single click.

The author

Sébastien Fischer Avatar
Sébastien Fischer
Sébastien is the main deliverability expert on the Badsender team. He has been working on the subject for over 10 years, and has spent his entire career with routers including Emailvision, Adobe Campaign and Cabestan.
All publications by Sébastien Fischer
Previous
Next

5 responses

  1. Alex Avatar
    Alex

    Hello, it's very interesting but could you explain if in an xml file received the record could indicate that a person (identifiable by his IP) has simply requested an online form that uses the MAIL function (php for example) or the SMTP parameters of our server?

  2. Sébastien Fischer Avatar
    Sébastien Fischer

    Hello Alex,
    DMARC reports only contain data from domains/subdomains where the DMARC record is placed, regardless of the system used to send the emails (outlook client, an Email Service Provider, an online form, etc.). Unfortunately, the IP you would retrieve is the IP of the form (not the IP of the person) provided that your domain/subdomain is set to the said form. If you want to retrieve the person's IP, you would have to record the information at the time they submit the form.
    Kind regards,
    Sebastien.

  3. Sunil Suresh Avatar
    Sunil Suresh

    Hi,

    Thanks for your informative article.

    I need some help with DMARC reports. Though my SPF record lists the correct IP addresses, the under policy_evlauated is always coming as failed.

    For example:
    104.160.64.86
    1

    none
    pass
    fail

    I've included ip4:104.160.64.86 in my spf record, but still the reports show it as "fail".

    Would you have any idea why this happens?

    Regards,
    Sunil

  4. Sunil Suresh Avatar
    Sunil Suresh

    Hi,

    **The tags disappeared in my previous message, so I am repeating it here with the tag details**

    I need some help with DMARC reports. Though my SPF record lists the correct IP addresses, the under policy_evlauated is always coming as failed.

    For example:
    [source_ip] 34.195.253.204 [/source_ip]
    [count] 1 [/count]
    [policy_evaluated]
    [disposition] none [/disposition]
    [dkim] pass [/dkim]
    [spf] fail [/spf]
    [/policy_evaluated]

    I've included ip4:104.160.64.86 in my spf record, but still the reports show it as "fail".

    Would you have any idea why this happens? I've done lots of searches but I could find no information on why this is happening.

    Regards,
    Sunil

  5. Sébastien Fischer Avatar
    Sébastien Fischer

    Hello Sunil,

    To respect the DMARC compliance, you need to have: A SPF record (based on your return-path domain) must be valid and aligned with your sender domain or a DKIM record (based on your domain signed d=) must be valid and aligned with your sender domain. If you don't respect this, the DMARC policy will apply!
    If your DMARC compliance is fail, you could verify if your alignments are correct.
    Example: If your sender domain is badsender.com, your SPF domain - to be valid and aligned - must be badsender.com or a sub-domain of badsender.com. For DKIM, this is the same way: if your sender domain is badsender.com, your DKIM signature - to be valid and aligned - must be made in badsender.com or a sub-domain of badsender.com

    The majority of DMARC compliance issues come from forgetting an IP or misaligned domains.

    Cheers,
    Sebastien.

Leave a Reply

Your email address will not be published. Required fields are marked *