Problem

How can I receive DMARC reports and what is inside those reports?

Solution

A secondary functionality of DMARC enables ISPs to send reports about the authentication success or failure for a domain. Those reports are sent to the addresses defined in two switches:

  1. rua: aggregated reports
  2. ruf: forensic reports

Both the ruf and rua switches should contain a functional mailto link to which failure and aggregated reports can be sent. It's important to receive, read and process those reports. The following example enables both kinds of reporting but, with p=none, reporting only:

Example
# host -t txt _dmarc.sub.domain.TLD
_dmarc.sub.domain.TLD descriptive text "v=DMARC1; p=none; rua=mailto:dmarc@mailmike.net; ruf=mailto:dmarc@mailmike.net;"

Forensic reports are very rare for 2 reasons:

  1. High volume: failure reports generate a single report for each individual mail that failed authentication.
  2. Privacy: Failure reports are not compliant with GDPR. ARF reports generally contain personal data, such as IPs.

It is generally recommended to refrain from setting a ruf-switch at all.

Sample reports

Aggregated reports (rua)
Message subject: Report Domain: sub.domain.tld Submitter: seznam.cz Report-ID: szn_sub.domain.tld-2020-10-05
This is a DMARC aggregate report for sub.domain.tld generated at Tue Oct  6 
12:20:12 2020
Attachment title: seznam.cz!sub.domain.tld!1601856000!1601942400.xml.zip
<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
    <version>1.0</version>
    <report_metadata>
        <org_name>seznam.cz a.s.</org_name>
        <email>abuse@seznam.cz</email>
        <report_id>szn_sub.domain.tld-2020-10-05</report_id>
        <date_range>
            <begin>1601856000</begin>
            <end>1601942400</end>
        </date_range>
    </report_metadata>
    <policy_published>
        <domain>sub.domain.tld</domain>
        <adkim>r</adkim>
        <aspf>r</aspf>
        <p>reject</p>
        <pct>100</pct>
        <fo>0</fo>
    </policy_published>
    <record>
        <row>
            <source_ip>192.168.45.251</source_ip>
            <count>1</count>
            <policy_evaluated>
                <disposition>none</disposition>
                <dkim>pass</dkim>
                <spf>fail</spf>
            </policy_evaluated>
        </row>
        <identifiers>
            <header_from>sub.domain.tld</header_from>
        </identifiers>
        <auth_results>
            <dkim>
                <domain>sub.domain.tld</domain>
                <result>pass</result>
                <selector>key1</selector>
            </dkim>
            <spf>
                <domain>sub.domain.tld</domain>
                <scope>mfrom</scope>
                <result>none</result>
            </spf>
        </auth_results>
    </record>
</feedback>
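
Processing such a report can be automated. The following is an added example, not part of the original page: it reads an aggregate report (raw XML or the .xml.zip attachment) and lists the sources for which both DKIM and SPF failed in policy_evaluated. The sample data, the size limit and the function names are assumptions made for this illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

MAX_XML_BYTES = 10 * 1024 * 1024  # assumed cap against decompression bombs

# Constructed sample in the layout of the report above (documentation IP ranges).
SAMPLE_XML = b"""<feedback>
 <report_metadata><org_name>reporter.example</org_name></report_metadata>
 <policy_published><domain>sub.domain.tld</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>12</count>
  <policy_evaluated><disposition>none</disposition>
   <dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>3</count>
  <policy_evaluated><disposition>none</disposition>
   <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def extract_xml(attachment: bytes) -> bytes:
    """Return report XML from a raw .xml or a .xml.zip attachment."""
    if zipfile.is_zipfile(io.BytesIO(attachment)):
        with zipfile.ZipFile(io.BytesIO(attachment)) as zf:
            info = zf.infolist()[0]
            if info.file_size > MAX_XML_BYTES:
                raise ValueError("report too large")
            attachment = zf.read(info)
    if len(attachment) > MAX_XML_BYTES or b"<!DOCTYPE" in attachment:
        raise ValueError("oversized report or DTD present; refusing to parse")
    return attachment

def summarize(attachment: bytes) -> dict:
    """Count messages and list sources where DKIM and SPF both failed."""
    root = ET.fromstring(extract_xml(attachment))
    out = {"reporter": root.findtext("report_metadata/org_name"),
           "domain": root.findtext("policy_published/domain"),
           "total": 0, "failed": 0, "failing_sources": []}
    for row in root.iter("row"):
        count = int(row.findtext("count", "0"))
        dkim = row.findtext("policy_evaluated/dkim")
        spf = row.findtext("policy_evaluated/spf")
        out["total"] += count
        # DMARC passes when either aligned mechanism passes.
        if dkim != "pass" and spf != "pass":
            out["failed"] += count
            out["failing_sources"].append((row.findtext("source_ip"), count))
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE_XML))
```

Reports arrive from arbitrary senders, so the attachment is treated as untrusted input: documents carrying a DTD are rejected before parsing and the decompressed size is bounded.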
Failure reports (ruf)
Message subject: Hello, this is an E-Mail
This is an authentication failure report for an email message received from IP
192.168.56.250 on Sun, 27 Sep 2020 03:39:32 +0000 (UTC).
Message attachment (anonymised header): Hello, this is an E-Mail.eml
From: Sender Name <sender@sub.domain.tld>
To: "Recipient Name" <recipient@recipient-domain.tld>
Subject: Hello, this is an E-Mail
Thread-Topic: Hello, this is an E-Mail
Thread-Index: AQFGASF/WSDFHLkjx2cAw==
Date: Sun, 27 Sep 2020 03:39:30 +0000
Message-ID:
 <re-pfagaFDSAGoxrdsUBADFHHHHfj-43RCSDF0H-43SDFH3J-11N6PS2@sub.domain.tld>
List-Unsubscribe:
 <mailto:listoff-43RCSDF0H-43SDFH3J-11N6PS2@sub.domain.tld?subject=unsubscribe>,<https://sub.domain.tld/unsub/43RCQ70H-WRZREQZ-3Z3QHKMC>
Reply-To: Investor Verlag <info@sub.domain.tld>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
X-MS-Exchange-Organization-RecordReviewCfmType: 0
x-virus-scanned: clamav-milter 0.102.4 at sub.mailserver.tld
dkim-signature: v=1; a=rsa-sha256; c=relaxed; s=mailing; d=srv2.de;
 h=Date:From:Reply-To:To:Message-ID:Subject:MIME-Version:Content-Type:X-ulpe:
 List-Id:X-CSA-Complaints:List-Unsubscribe:List-Unsubscribe-Post:Feedback-ID;
 bh=eEkSDFHSDFHSDFHSDFHF+GzcqDcAJ8jA2x54=;
 b=CsHY6glSORlpWNmugQEB7W/8K2dSDFHSDFHSiAy+lh8+R5oXxEHDr0V/Wk190GLrGTGm
   wQPem3sd4Kiiz6b6OTJ3uoA641TSDFHDFHSDGHSDHqKp2LBJfXW2zNzShBhMjqWfuQcvnh0sT+7
   GZvwCr3W9s/3+/o/iAE=
list-id: <WTZDAFGFH-9XPF7U.sub.domain.tld>
x-csa-complaints: whitelist-complaints@eco.de
x-spam-status: No score=-0.6 tagged_above=3.0 required=5.0
 tests=[BAYES_00,DKIMWL_WL_MED,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_COMMENT_SAVED_URL,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,SPF_HELO_PASS,SPF_PASS]
authentication-results: mx.mailserver.tld;	dkim=pass (1024-bit key;
 unprotected) header.d=sub.domain.tld header.i=sender@sub.domain.tld
 header.b="M/TPByIK";	dkim=pass (1024-bit key; unprotected) header.d=srv2.de
 header.i=@srv2.de header.b="CsHY6glS";	dkim-atps=neutral
x-ulpe: re-pfagaFDSAGoxrdsUBADFHHHHfj-43RCSDF0H-43SDFH3J-11N6PS2@sub.domain.tld
x-spam-score: -0.6
feedback-id: WTZDAFGFH:WRZREQZ:esp
x-spam-flag: NO
x-report-spam: complaints@esp.com
list-unsubscribe-post: List-Unsubscribe=One-Click
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0


