What is DMARC Reporting?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) reporting provides detailed insights into emails sent using your domain. These reports help you monitor email authentication status and protect your domain from being used in phishing attacks or email spoofing.


Reading Your DMARC Reports

The DMARC reporting dashboard displays the following information:


Key Columns Explained

  • Date: When the email was received
  • Source IP: The server that sent the email
  • Organisation: The organization that received the email
  • SPF: The result of the SPF (Sender Policy Framework) check ("pass" or "fail")
  • DKIM: The result of the DKIM (DomainKeys Identified Mail) check ("pass" or "fail")
  • auth spf: Value is "1" if the SPF check was performed
  • auth dkim: Value is "1" if the DKIM check was performed


Understanding SPF Failures

An SPF "fail" result indicates that the sending server is not authorized in your SPF record to send emails on behalf of your domain. When you see an SPF failure, you should ask yourself:

  1. Do you recognize the IP address? Verify if the source IP is from one of your legitimate email servers.
  2. Should this server be allowed to send emails on behalf of your domain? If yes, and SPF consistently fails for this IP address, your SPF record needs to be updated to include this authorized server.
  3. Is this potentially unauthorized use of your domain? If the server should not be sending emails claiming to be from your domain, this could indicate spoofing or phishing attempts.


Understanding DKIM Failures

A DKIM "fail" result in your DMARC reports indicates that there was an issue with the DKIM signature. This could happen for several reasons:

  1. Missing DKIM Signature: The email was sent without a DKIM signature from a server claiming to be from your domain.
  2. Invalid Signature: The DKIM signature was present but couldn't be verified, potentially because:
    • The signature was malformed
    • The message content was modified after signing
    • The signature expired
    • The wrong key was used for verification
  3. Configuration Issues: Your DKIM keys might be improperly configured in DNS records.


Taking Action on DMARC Results

When SPF or DKIM Failures Occur:

  1. For legitimate servers: Update your SPF record to include all authorized email servers.
  2. For unauthorized use: Consider implementing stricter DMARC policies and potentially taking legal action if your domain is being misused repeatedly.
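The triage above can be run against the raw aggregate report behind the dashboard. This is an added example, not part of the original page or any product's code: it assumes the standard RFC 7489 XML layout, and the sample report, the KNOWN_SENDERS list and the triage() function are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate-report layout (documentation IPs only).
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <record><row><source_ip>192.0.2.10</source_ip><count>40</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>12</count>
    <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>5</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

# Assumption: networks you have already confirmed as your own legitimate senders.
KNOWN_SENDERS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

def triage(report_xml, known=KNOWN_SENDERS):
    """Return {source_ip: {"messages", "spf_fail", "dkim_fail", "action"}}."""
    # Reports come from third parties; for real input prefer defusedxml's parser.
    stats = defaultdict(lambda: {"messages": 0, "spf_fail": 0, "dkim_fail": 0})
    for row in ET.fromstring(report_xml).iterfind("record/row"):
        ip = row.findtext("source_ip", "").strip()
        if not ip:
            continue  # skip malformed rows with no source address
        count = int(row.findtext("count", "0"))
        s = stats[ip]
        s["messages"] += count
        if row.findtext("policy_evaluated/spf", "").strip() != "pass":
            s["spf_fail"] += count
        if row.findtext("policy_evaluated/dkim", "").strip() != "pass":
            s["dkim_fail"] += count
    for ip, s in stats.items():
        recognised = any(ipaddress.ip_address(ip) in net for net in known)
        if not (s["spf_fail"] or s["dkim_fail"]):
            s["action"] = "ok"
        elif recognised:
            s["action"] = "fix-authentication"  # legitimate server: update SPF/DKIM
        else:
            s["action"] = "investigate"  # unknown source: possible spoofing
    return dict(stats)

if __name__ == "__main__":
    for ip, s in sorted(triage(SAMPLE_REPORT).items()):
        print(f"{ip:15} msgs={s['messages']:<4} spf_fail={s['spf_fail']:<3} "
              f"dkim_fail={s['dkim_fail']:<3} -> {s['action']}")
```

Counts are weighted by each row's message count, so an IP that fails consistently stands out from one that fails once.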


Maintaining Good Email Authentication:

  • Regularly review your DMARC reports
  • Ensure all legitimate email services are properly authorized
  • Monitor for unusual patterns or unknown source IPs


Best Practices

  • Review DMARC reports at least weekly
  • Keep SPF and DKIM records up to date as you add or change email services
  • Consider implementing a "quarantine" or "reject" DMARC policy once you've validated all legitimate email sources


By properly understanding and acting on DMARC reports, you can significantly improve your email security posture and reduce the risk of your domain being used in malicious activities.