Last February, I told you about the implementation of DMARC. In this second article, we will see what is behind a DMARC report through some questions. The aim of this series of articles is to help you - if you haven't already done so - to better protect your domain names with DMARC!
DMARC in three bullet points...
I'll make it short and simple: "DMARC" is an e-mail authentication standard that will rely on SPF & DKIM records. It will allow any advertiser who implements it to :
- Enforce SPF & DKIM limitations by applying a security rule in case of SPF & DKIM failure on the sending domain.
- Limit spam and phishing on your entire infrastructure (main domain & subdomains) thanks to reports provided by various organizations.
- Make all e-mail flows compliant to improve their legitimacy.
The only constraint of DMARC today is that all the organizations (Fai, Webmails, Anti-Spam Filters, etc.) do not interpret it!
A DMARC report... What is it?
First of all, to receive DMARC reports, you will have to configure an e-mail address in the "rua" tag.
v=DMARC1; p=none; rua=mailto:email@example.com, mailto:firstname.lastname@example.org,mailto:email@example.com;
Note: If you want to receive all the reports, you will have to choose an e-mail address of your sending domain (e.g. firstname.lastname@example.org for the domain name badsender.com). Otherwise, you will need to create a DMARC record (v=DMARC1;) on the domain external to your sending domain.
Once DMARC is in place, you will receive (depending on your settings), the activity results recorded on your sender domain. By this I mean the authentication results of your email campaigns but also third party activities - both legitimate and malicious.
This DMARC report is sent in ARF format (see attached). The file will be zipped and will contain the report in XML format.
Who sends these DMARC reports?
As I said before, the reports are sent by any organization that knows how to interpret DMARC and is able to send these famous reports.
Here is a list (not exhaustive) of the organizations for which we have received a report since January 1, 2021 (on 2 monitored domains):
|Caisse des Dépôts||Finance||.GZ|
As you can see, the panel of companies is large and this is only a small proportion of what there may be as an organization returning DMARC-related information.
A DMARC report from the inside!!!
It's all very well to give you a lot of information about DMARC but I forgot the main thing... What information can be found in these famous reports ???
I'm going to break down a DMARC report we received from Gmail:
Structure of a report
A DMARC report is a file XML. You will find in this metadata all the authentication information related to your sender domain (and subdomains if it is placed on the root domain). This file is divided into 3 main sections:
- report_metadata" tag
- policy_published" tag
- Record" tag.
The "record" tag is the most important since it will contain all the authentication results. 1 record = 1 result, so the more records you have in your file, the more authentication results you will have to analyze! If you are a big sender, I strongly advise you to use a DMARC monitoring solution.
*spoil* >> I'm planning several articles in June about different solutions... But shhhh!
The "report_metadata" tag
In this first section, you will find all the information related to the DMARC report:
- : The organization that provides the DMARC report.
- : The email address that sends the DMARC report.
- : A link to the support page on DMARC.
- : The ID of the DMARC report.
- : The analysis period of the report. In our example (once transformed), the analysis period is from 11/01/2021 00:00 to 11/01/2021 23:59 GMT.
The "policy_published" tag
In this second section, you will find all the information related to your DMARC policy:
- : Indicates the name of the domain (or subdomain) where DMARC is placed.
- : Indicates DKIM alignment => "r" (relaxed=soft) & "s" (strict=strict).
- : Indicates SPF alignment => "r" (relaxed=soft) & "s" (strict=strict).
- <p> Indicates the DMARC policy of the domain where "p" is set => "none" (i.e. no action), "quarantine" (i.e. put in spam), reject (i.e. e-mail blocked).
- : Indicates the DMARC policy of the subdomains of the domain where "p" is set => "none" (cf. no action), "quarantine" (cf. put in spam), reject (cf. blocked email).
- : Specifies the percentage of emails on which the DMARC rule should apply.
The "record" tag
In this third section, you will find all the information related to the authentication results. This section is divided into three sub-sections:
- : Indicates the IP that was used to send the email.
- : Indicates the number of emails received with this IP.
- : Indicates the DMARC policy.
- : Indicates the authentication result for DKIM.
- : Indicates the authentication result for SPF.
- : Indicates the domain signed with DKIM.
- : Indicates the DKIM authentication result.
- : Indicates the selector for the DKIM key.
- : Indicates the domain signed with SPF.
- : Indicates the SPF authentication result.
Note: It is possible (as in the example) that a sending domain has multiple DKIM keys. Note that all DKIM keys will then be parsed in the subsection.
That's it, the appetizer is over. The objective here was really to show you the inside of a DMARC report (done) before diving directly into the heart of DMARC, namely the data analysis.
So, we will see in the next article how to interpret DMARC report data! You'll see, it's super exciting... Or not 😉
Need help deploying DMARC? Find the most suitable DMARC monitoring solution? Monitor your DMARC data? Do not hesitate to contact us...
Our latest content on DMARC :
- 16/05/2021 : Monito 2021 #05 | Monitoring DMARC Badsender.com - April 2021
- 09/04/2021 : Monito 2021 #04 | Monitoring DMARC Badsender.com - March 2021
- 05/03/2021 : Monito 2021 #03 | Monitoring DMARC Badsender.com - February 2021
- 12/02/2021 : Tech 2021 #01 | What if you deploy DMARC in 2021 on your domain name?
- 05/02/2021 : Monito 2021 #02 | Monitoring DMARC Badsender.com - January 2021
- 08/01/2021 : Monito 2021 #01 | Monitoring DMARC Badsender.com - December 2020
And on other email authentication systems:
- 12/10/2020 : What is DKIM? Configuration, verification and monitoring.
- 27/08/2020 : 10 tips to implement in your SPF configuration... ?
- 30/07/2020 : What is SPF? Configuration, verification and monitoring.