
Problem

How can I receive DMARC reports and what is inside those reports?

Solution

A secondary function of DMARC enables ISPs to send reports about authentication success or failure for a domain. Those reports are sent to the addresses defined in two switches of the DMARC record:

  1. rua: aggregated reports
  2. ruf: forensic reports

Both the ruf and the rua switch should contain a functional mailto link to which failure and aggregated reports can be sent. It is important to receive, read and process those reports. The following example configures DMARC for both kinds of reporting, but for reporting only (p=none):

Example:
# host -t txt _dmarc.sub.domain.TLD
_dmarc.sub.domain.TLD descriptive text "v=DMARC1; p=none; rua=mailto:dmarc@mailmike.net; ruf=mailto:dmarc@mailmike.net;"
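
The following check of such a record is an added example, not part of the original article. It extracts the rua and ruf addresses and, following the external-destination verification in RFC 7489, names the TXT record a third-party report domain has to publish before receivers will send reports there. Function names are illustrative, and a plain suffix match stands in for the Public Suffix List lookup.

```python
# Added example: inspect the reporting switches of a DMARC TXT record.
def parse_dmarc(txt):
    """Split a DMARC record into a {tag: value} dict (tags lower-cased)."""
    tags = {}
    for part in txt.strip().strip('"').split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def report_addresses(tags, tag):
    """Return the mailto addresses listed under rua or ruf."""
    addresses = []
    for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
        if not uri.lower().startswith("mailto:"):
            raise ValueError(f"{tag} entry is not a mailto URI: {uri}")
        # A trailing "!10m"-style size limit may follow the address.
        addresses.append(uri[len("mailto:"):].split("!", 1)[0])
    return addresses

def same_tree(a, b):
    # Assumption: suffix match approximates "same organizational domain".
    a, b = a.lower().rstrip("."), b.lower().rstrip(".")
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def check_record(policy_domain, txt):
    """Return (tags, findings) for the record published at _dmarc.<policy_domain>."""
    tags = parse_dmarc(txt)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("record does not start with v=DMARC1")
    if tags.get("p") == "none":
        findings.append("p=none: reporting only, no enforcement")
    if "ruf" in tags:
        findings.append("ruf is set: failure reports may carry personal data")
    for tag in ("rua", "ruf"):
        for addr in report_addresses(tags, tag):
            dest = addr.rsplit("@", 1)[-1]
            if not same_tree(policy_domain, dest):
                findings.append(f"{tag}: {dest} must publish TXT "
                                f"{policy_domain}._report._dmarc.{dest}")
    return tags, findings

# The record from the example above.
RECORD = ('"v=DMARC1; p=none; rua=mailto:dmarc@mailmike.net; '
          'ruf=mailto:dmarc@mailmike.net;"')
if __name__ == "__main__":
    for finding in check_record("sub.domain.TLD", RECORD)[1]:
        print(finding)
```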


Info

Forensic reports are very rare for two reasons:

  1. High volume: a separate failure report is generated for each individual mail that failed authentication.
  2. Privacy: failure reports are not compliant with GDPR. ARF reports generally contain personal data, such as IPs.

It is generally recommended to refrain from setting a ruf switch at all.

Sample reports

Aggregated reports (rua)

Message subject: Report Domain: sub.domain.tld Submitter: seznam.cz Report-ID: szn_sub.domain.tld-2020-10-05
This is a DMARC aggregate report for sub.domain.tld generated at Tue Oct  6 
12:20:12 2020


Attachment title: seznam.cz!sub.domain.tld!1601856000!1601942400.xml.zip
<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
    <version>1.0</version>
    <report_metadata>
        <org_name>seznam.cz a.s.</org_name>
        <email>abuse@seznam.cz</email>
        <report_id>szn_sub.domain.tld-2020-10-05</report_id>
        <date_range>
            <begin>1601856000</begin>
            <end>1601942400</end>
        </date_range>
    </report_metadata>
    <policy_published>
        <domain>sub.domain.tld</domain>
        <adkim>r</adkim>
        <aspf>r</aspf>
        <p>reject</p>
        <pct>100</pct>
        <fo>0</fo>
    </policy_published>
    <record>
        <row>
            <source_ip>192.168.45.251</source_ip>
            <count>1</count>
            <policy_evaluated>
                <disposition>none</disposition>
                <dkim>pass</dkim>
                <spf>fail</spf>
            </policy_evaluated>
        </row>
        <identifiers>
            <header_from>sub.domain.tld</header_from>
        </identifiers>
        <auth_results>
            <dkim>
                <domain>sub.domain.tld</domain>
                <result>pass</result>
                <selector>key1</selector>
            </dkim>
            <spf>
                <domain>sub.domain.tld</domain>
                <scope>mfrom</scope>
                <result>none</result>
            </spf>
        </auth_results>
    </record>
</feedback>
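
Processing such a report can be automated. The parser below is an added example, not part of the original article: it reads the fields shown above and counts, per source IP, the messages for which neither DKIM nor SPF passed DMARC evaluation. The embedded input is constructed: its first record mirrors the report above and its second record (203.0.113.7) is invented; function names are illustrative.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import datetime, timezone

# Constructed input: record 1 mirrors the report above, record 2 is invented.
SAMPLE = """<feedback>
 <report_metadata><org_name>seznam.cz a.s.</org_name><report_id>szn_sub.domain.tld-2020-10-05</report_id>
  <date_range><begin>1601856000</begin><end>1601942400</end></date_range></report_metadata>
 <policy_published><domain>sub.domain.tld</domain><p>reject</p></policy_published>
 <record><row><source_ip>192.168.45.251</source_ip><count>1</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>sub.domain.tld</header_from></identifiers></record>
 <record><row><source_ip>203.0.113.7</source_ip><count>3</count>
  <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>sub.domain.tld</header_from></identifiers></record>
</feedback>"""

def parse_report(xml_text):
    """Return (metadata, rows); DTDs are refused since reports come from third parties."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("unexpected DTD in DMARC report")
    root = ET.fromstring(xml_text)
    def when(tag):  # the report window bounds are Unix timestamps (UTC)
        stamp = int(root.findtext(f"report_metadata/date_range/{tag}"))
        return datetime.fromtimestamp(stamp, timezone.utc)
    meta = {"org": root.findtext("report_metadata/org_name"),
            "report_id": root.findtext("report_metadata/report_id"),
            "policy": root.findtext("policy_published/p"),
            "begin": when("begin"), "end": when("end")}
    rows = []
    for rec in root.iter("record"):
        rows.append({"source_ip": rec.findtext("row/source_ip"),
                     "count": int(rec.findtext("row/count")),
                     "disposition": rec.findtext("row/policy_evaluated/disposition"),
                     "dkim": rec.findtext("row/policy_evaluated/dkim"),
                     "spf": rec.findtext("row/policy_evaluated/spf"),
                     "header_from": rec.findtext("identifiers/header_from")})
    return meta, rows

def dmarc_failures(rows):
    """Messages per source IP where neither DKIM nor SPF passed DMARC evaluation."""
    failed = Counter()
    for row in rows:
        if row["dkim"] != "pass" and row["spf"] != "pass":
            failed[row["source_ip"]] += row["count"]
    return failed

if __name__ == "__main__":
    print(dict(dmarc_failures(parse_report(SAMPLE)[1])))
```

The attachment arrives zipped, so it has to be unpacked before the XML is passed to `parse_report`.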



Failure reports (ruf)

Message subject: Hello, this is an E-Mail
This is an authentication failure report for an email message received from IP
192.168.56.250 on Sun, 27 Sep 2020 03:39:32 +0000 (UTC).


Message attachment (anonymised header): Hello, this is an E-Mail.eml
From: Sender Name <sender@sub.domain.tld>
To: "Recipient Name" <recipient@recipient-domain.tld>
Subject: Hello, this is an E-Mail
Thread-Topic: Hello, this is an E-Mail
Thread-Index: AQFGASF/WSDFHLkjx2cAw==
Date: Sun, 27 Sep 2020 03:39:30 +0000
Message-ID:
 <re-pfagaFDSAGoxrdsUBADFHHHHfj-43RCSDF0H-43SDFH3J-11N6PS2@sub.domain.tld>
List-Unsubscribe:
 <mailto:listoff-43RCSDF0H-43SDFH3J-11N6PS2@sub.domain.tld?subject=unsubscribe>,<https://sub.domain.tld/unsub/43RCQ70H-WRZREQZ-3Z3QHKMC>
Reply-To: Investor Verlag <info@sub.domain.tld>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
X-MS-Exchange-Organization-RecordReviewCfmType: 0
x-virus-scanned: clamav-milter 0.102.4 at sub.mailserver.tld
dkim-signature: v=1; a=rsa-sha256; c=relaxed; s=mailing; d=srv2.de;
 h=Date:From:Reply-To:To:Message-ID:Subject:MIME-Version:Content-Type:X-ulpe:
 List-Id:X-CSA-Complaints:List-Unsubscribe:List-Unsubscribe-Post:Feedback-ID;
 bh=eEkSDFHSDFHSDFHSDFHF+GzcqDcAJ8jA2x54=;
 b=CsHY6glSORlpWNmugQEB7W/8K2dSDFHSDFHSiAy+lh8+R5oXxEHDr0V/Wk190GLrGTGm
   wQPem3sd4Kiiz6b6OTJ3uoA641TSDFHDFHSDGHSDHqKp2LBJfXW2zNzShBhMjqWfuQcvnh0sT+7
   GZvwCr3W9s/3+/o/iAE=
list-id: <WTZDAFGFH-9XPF7U.sub.domain.tld>
x-csa-complaints: whitelist-complaints@eco.de
x-spam-status: No score=-0.6 tagged_above=3.0 required=5.0
 tests=[BAYES_00,DKIMWL_WL_MED,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_COMMENT_SAVED_URL,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,SPF_HELO_PASS,SPF_PASS]
authentication-results: mx.mailserver.tld;	dkim=pass (1024-bit key;
 unprotected) header.d=sub.domain.tld header.i=sender@sub.domain.tld
 header.b="M/TPByIK";	dkim=pass (1024-bit key; unprotected) header.d=srv2.de
 header.i=@srv2.de header.b="CsHY6glS";	dkim-atps=neutral
x-ulpe: re-pfagaFDSAGoxrdsUBADFHHHHfj-43RCSDF0H-43SDFH3J-11N6PS2@sub.domain.tld
x-spam-score: -0.6
feedback-id: WTZDAFGFH:WRZREQZ:esp
x-spam-flag: NO
x-report-spam: complaints@esp.com
list-unsubscribe-post: List-Unsubscribe=One-Click
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0


