Email Security

    A Guide to DMARC Reports and How to Read Them
     

    Reading and analyzing DMARC reports can provide insights into email behavior to help organizations improve their email protections and deliverability

    by Bob Adams

    Key Points

    • DMARC reports provide valuable information about the emails sent from a domain and enable organizations to monitor their domain usage in email communications and take action to protect it. 
    • There are two types of DMARC reports: aggregate reports which provide a summary of results for a given time period, as well as forensic failure reports which give detailed information on specific messages that failed evaluation. 
    • Organizations should read and analyze these DMARC Reports regularly in order to gain insights into their email behavior, make changes to settings where necessary, and ensure the security of their communication channels.

    Organizations that regularly use email marketing tools are likely to already be familiar with DMARC reporting. However, understanding domain-based message authentication can also help any organization improve cybersecurity programs by protecting email domains from malicious use by cybercriminals.

    Here, we answer your questions on what a DMARC report is, how to read the different types of DMARC reports, and cover some best-practice email domain management tools and techniques.

    What Is DMARC?

    Domain-based message authentication, reporting, and conformance (DMARC) is an email authentication protocol that provides a way for email domain owners to protect their domains from unauthorized use, also known as email spoofing. It is built upon two other email authentication protocols, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), that when combined, provide a more robust defense against email spoofing.

    It is perhaps best known to those who engage in email marketing, as marketers need to ensure that their emails are properly authenticated with DMARC to avoid them being marked as spam or rejected by recipient mail servers. Additionally, DMARC can also affect email deliverability, as some email providers may block or filter emails that do not pass DMARC evaluation.

    For these reasons, it’s important for email marketers to understand how DMARC works and ensure that email-sending infrastructures are configured correctly to meet DMARC requirements. This can help improve email deliverability and protect the brand reputation of the domain being used for email marketing.

    What Are DMARC Reports?

    A DMARC report is a document that is generated and sent by a receiving mail server to the domain owner. These reports provide valuable information about the email traffic sent from a domain, including the percentage of emails that passed or failed DMARC evaluation, the sources of the emails, and other relevant details.

    The purpose of DMARC reports is to allow domain owners to monitor the use of their domain in email communications and to take action to protect their domain from unauthorized use, also known as email spoofing. DMARC reports are an essential tool for domain owners who want to protect their brand, secure their email communications, and maintain the integrity of their email domain.

    Types of DMARC Reports

    Aggregate Reports

    These reports provide a summary of DMARC evaluation results for a specific time period, including the total number of emails received, the percentage of emails that passed or failed DMARC evaluation, and a breakdown of the sources of the emails. Aggregate reports are generated on a regular basis, typically daily or weekly, and provide a high-level view of the email traffic sent from a domain. 

    Failure Reports

    A DMARC failure report is generated by a receiving mail server whenever an email fails DMARC evaluation. This report provides information about the email, including the reasons why the email failed and any relevant information, such as the email message headers, the SPF and DKIM authentication results, and other relevant information. DMARC failure reports also provide the ability to see the email body, which can give domain owners insight into the emails being sent from their domain – whether from shadow IT or a malicious actor.

    The purpose of a DMARC failure report is to allow domain owners to diagnose and resolve issues with DMARC evaluation and to take action to protect their domain from unauthorized use. By regularly reviewing DMARC failure reports and making changes to their DMARC policy as needed, domain owners can ensure that their domain is protected and their email communications are secure.

    How to Read and Analyze DMARC Reports 

    Reading and analyzing DMARC reports can seem intimidating, but with the right information and a user-friendly DMARC Analyzer, it can be a straightforward process. The following steps can help you read and analyze DMARC reports in order to gain valuable insights into email behavior and make the relevant changes to your settings:

    • Obtain DMARC reports: The first step in reading and analyzing DMARC reports is to obtain reports from your email service provider or a DMARC reporting service. Some email service providers will automatically generate and send DMARC reports to domain owners, while others may require you to set up this feature manually.
    • Review the aggregate reports: Start by reviewing the aggregate reports, which provide a high-level view of the email traffic sent from your domain. Look for patterns in the data, such as the percentage of emails that passed or failed DMARC evaluation, the sources of the emails, and any other relevant information. Pay particular attention to any sources of emails that are failing DMARC evaluation, as this may indicate an issue with your DMARC policy or email-sending infrastructure.
    • Analyze the forensic reports: If you need more detailed information about specific email messages that have failed DMARC evaluation, you can review the forensic reports. These reports provide information about the specific email message, including the email message headers, the SPF and DKIM authentication results, and other relevant information. Use this information to diagnose and resolve issues with DMARC evaluation.
    • Make changes to your DMARC policy: Based on your analysis of the DMARC reports, make changes to your policy as needed. This may include modifying your DKIM or SPF records, adjusting your DMARC policy to be more restrictive or less restrictive, or taking other actions to improve your DMARC evaluation results.
    • Continuously monitor and adjust: DMARC reports are generated on a regular basis, so it's important to continuously monitor and adjust your DMARC policy as needed. This will help ensure that your domain is protected and your email communications are secure.

    DMARC Best Practices

    When using DMARC reporting and configuring your infrastructure accordingly, there is a range of best practices that can ensure your email runs optimally and remains protected. These include:

    • Start with a relaxed policy: When implementing DMARC, it's a good idea to start with a relaxed policy and gradually tighten it over time as you gain more experience and confidence. This will help minimize the risk of false positives and ensure that your email communications are not disrupted during the implementation process.
    • Implement SPF and DKIM: DMARC relies on the use of SPF and DKIM for email authentication, so it's important to implement both technologies in your email infrastructure. This will help ensure that your DMARC evaluation results are accurate and that your domain is protected from email spoofing.
    • Regularly monitor DMARC reports: Regularly monitoring DMARC reports is an essential part of implementing DMARC effectively. Use DMARC reports to monitor the use of your domain in email communications, identify any issues with your DMARC evaluation results, and make changes to your policy as needed.
    • Monitor email-sending infrastructure: In addition to monitoring DMARC reports, it's important to monitor your email-sending infrastructure to ensure that it is configured correctly and that your email communications are secure. This may include regularly checking your SPF and DKIM records, monitoring your email logs, and testing your email infrastructure to identify any issues.
    • Stay up to date: DMARC is an evolving technology, so it's important to stay up to date with the latest developments and best practices. This may include attending industry events, reading relevant articles and blogs, and participating in online forums and discussion groups.

    DMARC and Mimecast 

    Avoiding business email compromise is a key component of cybersecurity programs for organizations of any size, and Mimecast is well-placed to ensure that your email infrastructure is built to protect domains from email spoofing, phishing attacks, and much more.

    Our dedicated DMARC tools include DKIM Record Check, SPF Record Check, and the comprehensive DMARC Record Check, alongside forensic reporting, user-friendly aggregate reports, and enhanced two-factor authentication for robust security protocols. 

    In addition, we offer many other tools and services that can help you protect email infrastructure, and you network as a whole, making Mimecast the top choice for even the largest organizations.

    The Bottom Line

    DMARC reports play a crucial role in protecting organizations from email spoofing and phishing attacks. They also provide valuable information about the use of a domain in email communications and help organizations identify and resolve any issues with DMARC evaluation results.

    Regularly monitoring and analyzing DMARC reports is an essential part of implementing DMARC effectively, as it allows organizations to make informed decisions about their DMARC policy and take appropriate actions to protect their domains. 

    However, it's important to remember that DMARC is just one part of a comprehensive email security strategy. Organizations should also implement other technologies and strategies, such as SPF, DKIM, and email encryption, to ensure the security and integrity of their email communications.

    For more information on DMARC, SPF, and DKIM, contact a member of our team today to discuss your specific requirements and explore our resource center for more insights into today’s cybersecurity landscape.

     

     

    **This blog was originally published on June 1, 2023.

    Subscribe to Cyber Resilience Insights for more articles like these

    Get all the latest news and cybersecurity industry analysis delivered right to your inbox

    Sign up successful

    Thank you for signing up to receive updates from our blog

    We will be in touch!

    Back to Top