Forensic DMARC reports explained

In order to receive DMARC forensic reports, an organization needs to create a DMARC record and publish it in DNS. Once the record is published, the organization will receive DMARC forensic reports from all ISPs that support DMARC. These forensic reports contain crucial information for securing an organization's domains.

This article explains what DMARC forensic reports are, how to request these reports and what is included in these reports.

What is a DMARC forensic report?

The DMARC (Domain-based Message Authentication, Reporting and Conformance) aggregate reports contain information about the authentication status of SPF, DKIM and DMARC. DMARC forensic reports include additional information such as the subject line, header information (e.g. the “To” and “From” headers), the URLs included in the message and attachment information.

DMARC forensic reports are generated by an ISP when SPF or DKIM did not align with DMARC, so these reports are only created when the ISP receives a message that fails DMARC authentication. Forensic reports contain sample data, so you know that there is an issue with a certain source, mail stream or sending IP. A forensic report contains message-level data, the “To” and “From” email addresses and the IP address of the sender. It is also possible to see the body of a message.

By default DMARC Analyzer does not show the body of a failed message; it only does so when the user has set up a PGP key in the DMARC Analyzer SaaS solution. The user uploads the public key, which allows DMARC Analyzer to encrypt the original message and destroy the unencrypted copy. The user then only sees the encrypted message, can download it and decrypt it locally with the private key. Only the holder of the private key is able to see the content of the forensic email.

Not all ISPs send these forensic emails, because they could contain privacy-sensitive information. Receiving forensic reports does, however, help during the DMARC deployment process.

How to receive forensic reports?

The first step is to create a DMARC record. A DMARC record invites DMARC reporting organizations to send DMARC forensic reports back to the sender of an email. The record contains a RUF tag (tag: ruf=mailto:[email protected]). This email address is the endpoint to which DMARC reporting organizations send the DMARC forensic reports.
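The following Python script is an added example (it is not code from the article or from DMARC Analyzer) that assembles a DMARC record requesting forensic reports, parses a published record back into its tags, and lists the RUF mailboxes it names. The tag names (v, p, rua, ruf, fo) are the real ones defined in RFC 7489; the domain example.com and the mailbox names are constructed placeholders. It goes one step beyond the article: when the RUF mailbox lives in a different domain than the one publishing the record, RFC 7489 section 7.1 requires that other domain to publish a verification record, and the last function computes the DNS name that record must have.

```python
"""Build and sanity-check a DMARC TXT record that requests forensic (RUF) reports.

Added example, not part of the original article. Tag names are from RFC 7489;
example.com and the mailbox names are constructed placeholders.
"""
from typing import Optional
from urllib.parse import urlparse

REQUIRED = ("v", "p")


def build_dmarc_record(policy: str, rua: str, ruf: Optional[str] = None, fo: str = "1") -> str:
    """Assemble a DMARC record. fo=1 asks for a forensic report whenever SPF or
    DKIM fails alignment; the RFC default fo=0 only reports when both fail."""
    if policy not in ("none", "quarantine", "reject"):
        raise ValueError(f"unknown policy {policy!r}")
    tags = [("v", "DMARC1"), ("p", policy), ("rua", f"mailto:{rua}")]
    if ruf:
        tags.append(("ruf", f"mailto:{ruf}"))
        tags.append(("fo", fo))
    return "; ".join(f"{k}={v}" for k, v in tags)


def parse_dmarc_record(txt: str) -> dict:
    """Split a published record into a tag dict and check the mandatory tags."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        k, v = part.split("=", 1)
        tags[k.strip()] = v.strip()
    for req in REQUIRED:
        if req not in tags:
            raise ValueError(f"missing required tag {req}")
    # RFC 7489 requires v=DMARC1 to be the first tag of the record.
    if next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    return tags


def ruf_recipients(tags: dict) -> list:
    """Return the mailbox addresses named in the ruf tag (empty if none requested)."""
    out = []
    for uri in tags.get("ruf", "").split(","):
        uri = uri.strip()
        if not uri:
            continue
        parsed = urlparse(uri)
        if parsed.scheme != "mailto":
            raise ValueError(f"ruf URI must use mailto:, got {uri!r}")
        out.append(parsed.path.split("!")[0])  # drop an optional size limit such as !10m
    return out


def external_report_auth_records(domain: str, tags: dict) -> list:
    """For every ruf mailbox hosted outside `domain`, return the DNS name at which
    the mailbox's domain must publish a v=DMARC1 TXT record (RFC 7489 section 7.1),
    otherwise receivers will not send forensic reports there."""
    names = []
    for addr in ruf_recipients(tags):
        mailbox_domain = addr.rsplit("@", 1)[-1].lower()
        if mailbox_domain != domain.lower():
            names.append(f"{domain}._report._dmarc.{mailbox_domain}")
    return names


if __name__ == "__main__":
    record = build_dmarc_record("quarantine", "dmarc-rua@example.com", "ruf@reports.example.net")
    print(record)
    parsed = parse_dmarc_record(record)
    print("RUF recipients:", ruf_recipients(parsed))
    print("verification records needed:", external_report_auth_records("example.com", parsed))
```

The RUF mailbox receives a copy of headers (and sometimes bodies) of every failing message, so the example keeps the address check strict: only mailto: URIs are accepted, and any mailbox outside the publishing domain is reported so that the missing verification record is noticed before forensic reports silently fail to arrive.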

Need help creating a personalized DMARC record?

DMARC Analyzer provides an easy-to-use setup guide that walks organizations through the process of creating their own personalized DMARC record. See the article How to create a DMARC record? for more information.

What information is included in DMARC forensic reports?

Forensic reports can contain the following information:
– Subject line
– Time when the message was received
– IP information
– Authentication results
   – SPF result
   – DKIM result
   – DMARC result
– From domain information
   – From address
   – Mail from address
   – DKIM from address
– Message ID
– URLs
– Delivery result
– Applied policy: the message could be rejected if a reject policy is in place, quarantined under a quarantine policy, or delivered under a none policy
– ISP information
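Forensic reports are delivered in the Abuse Reporting Format (ARF, RFC 6591, with the DMARC additions of RFC 7489): a multipart/report email whose parts are a human-readable summary, a message/feedback-report block of fields, and the original message. The script below is an added example (not code from the article or from DMARC Analyzer) that parses such a report and pulls out the items listed above: source IP, arrival time, the SPF/DKIM/DMARC results, the envelope and header From addresses, the delivery result, the subject, the Message-ID and any URLs in the body. The feedback fields and the original message headers come out as two separate groups, which is the same split the article describes. The report embedded in the script is constructed: every address, IP, domain, URL and timestamp in it is a placeholder.

```python
"""Parse a DMARC forensic (RUF) report in ARF format.

Added example, not part of the original article. Field names follow RFC 6591
and RFC 7489; the sample report is constructed and all its values are placeholders.
"""
import email
import email.utils
import re

# Constructed sample report with the three standard ARF parts.
RAW_REPORT = """\
From: arf-reports@mailprovider.example
To: dmarc-ruf@example.com
Subject: FW: Your invoice is ready
Date: Mon, 03 Jun 2024 09:15:02 +0000
MIME-Version: 1.0
Content-Type: multipart/report; report-type=feedback-report; boundary="arf-boundary"

--arf-boundary
Content-Type: text/plain; charset=us-ascii

This is an authentication failure report for a message from 203.0.113.45.

--arf-boundary
Content-Type: message/feedback-report

Feedback-Type: auth-failure
Version: 1
User-Agent: ExampleISP-ARF/1.0
Auth-Failure: dmarc
Authentication-Results: mx.mailprovider.example; spf=fail smtp.mailfrom=bulk.sender.example; dkim=none; dmarc=fail header.from=example.com
Original-Mail-From: bounce@bulk.sender.example
Original-Rcpt-To: victim@mailprovider.example
Source-IP: 203.0.113.45
Arrival-Date: Mon, 03 Jun 2024 09:14:58 +0000
Reported-Domain: example.com
Identity-Alignment: none
Delivery-Result: reject

--arf-boundary
Content-Type: message/rfc822

From: "Accounts" <billing@example.com>
To: victim@mailprovider.example
Subject: Your invoice is ready
Message-ID: <20240603091458.1234@bulk.sender.example>
Date: Mon, 03 Jun 2024 09:14:55 +0000
Content-Type: text/plain; charset=us-ascii

Please review your invoice at http://invoice-portal.example.net/pay?id=4471
and contact billing@example.com with any questions.

--arf-boundary--
"""

URL_RE = re.compile(r"https?://[^\s<>\"'()]+")


def parse_auth_results(value):
    """Turn 'authserv; spf=fail ...; dkim=none; dmarc=fail ...' into {method: result}."""
    results = {}
    for clause in value.split(";")[1:]:          # clause 0 is the authserv-id
        method, _, rest = clause.strip().partition("=")
        if method and rest:
            results[method.lower()] = rest.split()[0].lower()
    return results


def extract_urls(message):
    """Collect http(s) URLs from every text/plain part of the original message."""
    urls = []
    for part in message.walk():
        if part.get_content_type() == "text/plain":
            text = part.get_payload(decode=True).decode("utf-8", "replace")
            urls.extend(URL_RE.findall(text))
    return urls


def parse_forensic_report(raw):
    """Return the feedback fields and original-message data a forensic report carries."""
    msg = email.message_from_string(raw)
    if msg.get_content_type() != "multipart/report" or msg.get_param("report-type") != "feedback-report":
        raise ValueError("not an ARF feedback report")
    feedback, original = {}, None
    for part in msg.get_payload():
        if part.get_content_type() == "message/feedback-report":
            # The report fields are parsed like the headers of a nested message.
            feedback = {k: v.strip() for k, v in part.get_payload(0).items()}
        elif part.get_content_type() == "message/rfc822":
            original = part.get_payload(0)       # the message that failed DMARC
    if not feedback or original is None:
        raise ValueError("report is missing the feedback or original-message part")
    return {
        "source_ip": feedback.get("Source-IP"),
        "arrival_date": feedback.get("Arrival-Date"),
        "auth_failure": feedback.get("Auth-Failure"),
        "reported_domain": feedback.get("Reported-Domain"),
        "alignment": feedback.get("Identity-Alignment"),
        "delivery_result": feedback.get("Delivery-Result"),
        "mail_from": feedback.get("Original-Mail-From"),
        "auth_results": parse_auth_results(feedback.get("Authentication-Results", "")),
        "header_from": email.utils.parseaddr(original.get("From", ""))[1],
        "subject": original.get("Subject"),
        "message_id": original.get("Message-ID"),
        "urls": extract_urls(original),
    }


if __name__ == "__main__":
    for key, value in parse_forensic_report(RAW_REPORT).items():
        print(f"{key:16} {value}")
```

Run against the sample, the parser shows why this report was generated: the envelope sender (bulk.sender.example) and the header From (example.com) do not align, SPF failed, no DKIM signature was present, and the receiver rejected the message because of the published policy. Comparing the Source-IP and the mail-from domain against your known senders is the quickest way to tell a misconfigured legitimate mail stream from spoofing.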

As mentioned above, DMARC Analyzer supports two possible setups. The first setup is without encryption: DMARC Analyzer shows the feedback headers and the email headers separately. Click on the subject first; you are then able to see the header information.

Forensic reports without encryption

(screenshot: DMARC RUF forensic reports)

Feedback headers

(screenshot: DMARC RUF forensic reports)

Email headers

(screenshot: DMARC RUF forensic reports)

Forensic reports with encryption

Mail headers

(screenshot: DMARC RUF forensic reports)

Feedback headers

(screenshot: DMARC RUF forensic reports)

Please refer to our article about the Forensic overview for more information about the forensic DMARC overviews within DMARC Analyzer.