The DMARC Analyzer Suite provides many email authentication results. The authentication results occur in multiple overviews within the DMARC Analyzer Suite, so it’s valuable to fully understand these results.
This article we will describe how DMARC Analyzer divides all collected authentication results into 8 different columns: Domain, Reason, Compliant?, Forwarded?, Volume, Applied Policy, DKIM Verification and SPF Verification. In addition , you might have noticed the ‘I’ information-icons, which give you a comprehensive guidance on how to improve the email authentication for that specific sending source.
The ‘Source’ column shows all sources which sent email on behalf of a domain. It provides information regarding the IP address(es) which are used to send the messages and the number of messages that are sent.
The ‘From Domain’ column shows the domain name which has been used to send the email.
The ‘Compliant’ column shows if the message was DMARC compliant or not.
The ‘Forwarded’ column shows if the message was automatically forwarded or not.
The ‘IP address’ column shows the IP-address that was used to send the email.
The ‘Reason’ column shows if the receiving party’s handled the message differently, than the enforced DMARC policy. In some cases the applied DMARC policy can be overruled. In the example above nothing changed.
In this example the reason is local policy arc=pass. This indicates that an ISP applied a certain ‘local policy’ to the messages, which results in a different DMARC policy then you would expect based on the DKIM and/or SPF data for that message.
In this example you can see that the source AmazonSES has sent an email on behalf of example.com. The IP address that was used to send the message is 18.104.22.168. The message was DMARC compliant and not forwarded.
By having a closer look into the provided results you can see that the email is DMARC compliant because of DKIM verification.
The ‘DKIM verification’ and ‘SPF verification’ columns shows the percentage of messages which had an ‘aligned’ DKIM signature and or SPF record. Meaning that the ‘sending’ domain which was used to create the DKIM signature, is equal to the “From’ domain. When you sign an email with a different ‘sending’ domain then the ‘from’ domain, this email will not be DMARC compliant. Click on a line to see more detailed data (including the used DKIM / SPF domains). In the example below there is DKIM alignment, but there is no SPF alignment.
After expanding the rows, the DKIM and SPF authentication results can be seen. Let’s start with DKIM verification: in the DKIM verification column there’s an aligned result and a not aligned result. The aligned – thisisyourselector – example.com shows 3 things. First an aligned result, this means that the ‘From’ domain (which can be found in the first column) matched with the DKIM domain. This can be checked by comparing example.com to the “From’ domain. The thisisyourselector is obviously the selector we received from the DMARC reporting organisation.
Next to DKIM verification, an email can be DMARC compliant because of SPF verification. In this example there’s no SPF verification. There was no SPF result, this is shown by the text: ‘not set’. Next to that the envelope from is missing. If there’s a valid SPF record, the envelope “From’ can be found here.
When a message is SPF compliant, the authentication results look like the example above. A message could also be not aligned. Then the SPF is valid, but there’s no alignment.
The information button is placed behind the source. This means that this source is added in the DMARC Analyzer library. By clicking on the button the documentation pop up. Here an organization can find how to set up DKIM and SPF.