This article is intended for customers using the paid version of our product, Enforce. Monitor customers using our free product should review our Getting Started articles as the UI may differ slightly for their accounts.
DMARC and Report Types
DMARC allows domain owners to specify which email systems are allowed to send emails on their behalf. DMARC allows the domain owner to specify a policy that dictates what happens with emails that are not explicitly allowed. These policies are applied by the receiver of the emails. One of the DMARC policy options is “p=none” which allows domain owners to monitor the domain’s email traffic and gather important information before blocking non-authorized emails. Adding a DMARC record to your DNS with a policy of “p=none” will not impact your existing email flows in any way. All emails that are currently being delivered (both legitimate and non-legitimate) will continue to be delivered.
DMARC includes a reporting component that shows which systems are sending emails as your domain. There are two types of reports, aggregate reports, and failure reports.
Failure Reports
Valimail does not collect failure reports. These types of reports may reveal personally identifiable information (PII) and for that reason, most email receivers do not send them.
Aggregate Reports
DMARC aggregate reports are sent by email receivers around the world once per day, per receiver. Not all email receivers send DMARC reports but most of the world’s largest receivers do. For example, Google, Yahoo! AOL, Mail.ru, and Seznam all send DMARC aggregate reports.
DMARC reports are only sent for domains that have DMARC records that specify a recipient for the aggregate reports. The DMARC data includes information on emails seen by the receiver and where the “From:” address is the domain that has the DMARC record.
DMARC aggregate reports are designed to contain no personal data or PII. The data contained in these reports is GDPR (General Data Protection Regulation) compliant. The reports are XML documents that are emailed as attachments to the recipient(s) specified in the DMARC record. They contain the following information:
IP of servers sending emails
DNS name of the sending server
Email authentication status (SPF/DKIM/DMARC)
DKIM key information
Authentication Report Page
Valimail’s world-class sender identification technology analyzes DMARC aggregate report data and presents it in an easy to understand form.
The chart at the top part of the “Authentication Report” page represents the DMARC aggregate report data collected over the previous 7 days.
The domain name
DMARC reporting categories:
DMARC: Displays the numbers of emails passing and failing DMARC
Aligned SPF: the number of emails that were SPF aligned and those that were not aligned
Aligned DKIM: the number of emails that were DKIM aligned and those that were not aligned
Disposition: the disposition of emails based on your existing DMARC policy
Date Picker. By default, the authentication report will show the last 7 days, but you can adjust the date picker to go as far back as 6 months (if there is data from that period)
By default, this chart will display the number of emails passing and failing DMARC
The bottom half of the “Authentication Report” consists mainly of a list of known services that have been seen sending on behalf of the domain in question.
DMARC Authentication: the number of emails passing and failing DMARC, as well as the pass rate for SPF, DKIM, and DMARC override.
Mostly Passing: services that have a DMARC pass rate higher than 95%.
Partially Passing: services that have a DMARC pass rate between 50% - 95%.
Mostly Failing: services with a DMARC pass rate below 50%.
Unidentified Senders: we could not determine the services that sent the messages in this category. The message may have been transmitted in a way that makes it impossible to conclusively determine its origin, the service may not be in our catalog, or the message may be fraudulent.
Internal Sources: messages in this category are originating from systems managed by your organization.
Click on one of the known services in the “Authentication Report” to see a detailed report for that particular service.
DMARC Authentication: % of emails passing DMARC, SPF, and DKIM as well as the emails passing with a DMARC override and the emails failing DMARC.
Direct vs. Forwarded
SPF Domains: a list of all the aligned SPF domains this service is using. If the service is not sending SPF aligned email, you can see it here
DKIM keys associated with this service. Click on “Add DKIM Key” to add a new key
Forwarders: emails that are sent to one email address but then automatically forwarded by one of these services to another email address. This is different from a recipient of an email manually forwarding this to someone else.
Next to the DMARC authentication tab, you will see another tab called Source IPS: This contains detailed information from the aggregate reports that pertain to that specific sender:
- Message Count: Shows the message volume
- Source IP: Shows what is the Source IP of the messages
- PTR Name: This is the Pointer Name for the IP in question
- Header From: This is also called the Friendly From and it is the actual visible sending domain. This does not need to match the org domain. It can also be a subdomain of that. (eg: subdomain.techco.example)
- SPF Domain: This is also called the return path and is only visible in the email header or aggregate report. It is important for knowing if an email is SPF-aligned or not.
- DMARC Result: This tells us if the email passed or failed DMARC authentication
- SPF result: This is a combined report for SPF pass and SPF alignment. It will only show a Pass if the source IP is part of the SPF record of the SPF domain and if the SPF domain is aligned with the Header From domain
- DKIM result: This is a combined report for DKIM pass and DKIM alignment. It will only show a pass if the email is DKIM signed and the DKIM signing domain is aligned with the Header From domain.
FYI: The Source IPS section is not available on all Valimail Enforce Packages. If you wish to take advantage of this feature please contact us.