Forensic DMARC reports explained

To receive DMARC forensic reports, an organization needs to create a DMARC record and publish it in DNS. Once the record is published, DMARC Analyzer can receive DMARC forensic reports from all ISPs that support DMARC. These forensic reports contain crucial information for securing an organization’s domains.

This article explains what DMARC forensic reports are, how to request these reports and what is included in these reports.

What is a DMARC forensic report?

DMARC (Domain-based Message Authentication, Reporting and Conformance) aggregate reports contain information about the authentication status of SPF, DKIM and DMARC. DMARC forensic reports include additional, message-level information such as the subject line, header information (e.g. “To” and “From”), the URLs included in the message and attachment information.

DMARC forensic reports are generated by an ISP when a message fails DMARC, i.e. when neither SPF nor DKIM produces a passing result that is aligned with the From domain. These reports are only created for messages that fail DMARC authentication. Forensic reports contain sample data indicating that there is an issue with a certain source, mail stream or sending IP: message-level data, the “To” and “From” email addresses and the IP address of the sender. It is also possible to see the body of a message.

By default DMARC Analyzer does not show the body of a failed message, unless the user has uploaded a PGP public key in the DMARC Analyzer SaaS solution. With the public key in place, DMARC Analyzer encrypts the original message and discards the unencrypted copy. As a result, the user only sees the encrypted message and can download it and decrypt it locally with the matching private key. Without access to the private key, the content of the forensic email cannot be read.

Not all ISPs send forensic reports, as these emails can contain privacy-sensitive information. Nevertheless, receiving forensic reports can help during the DMARC deployment process.

How to receive forensic reports?

The first step is to create a DMARC record. A DMARC record invites DMARC reporting organizations to send DMARC forensic reports back to the domain owner. The record contains a RUF tag (tag: ruf=mailto:[email protected]); the address in this tag is the endpoint to which DMARC reporting organizations send the DMARC forensic reports.

Need help creating a personalized DMARC record?

DMARC Analyzer provides an easy-to-use setup guide that walks organizations through the process of creating their own personalized DMARC record. For more information, see: How to create a DMARC record?

What information is included in DMARC forensic reports?

Forensic reports can contain the following information:
– Subject line
– Time when the message was received
– IP information
– Authentication results
   – SPF result
   – DKIM result
   – DMARC result
– From domain information
   – From address
   – Mail from address
   – DKIM from address
– Message ID
– URLs
– Delivery result
– Applied policy (reject, quarantine or none): the message is rejected under a reject policy, quarantined under a quarantine policy, or delivered under a none policy
– ISP information
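As an added example (not DMARC Analyzer’s own code), the following Python script parses a constructed forensic report in the ARF format that reporting ISPs send to the RUF address, separates the feedback headers from the original email headers and extracts the fields listed above; every address, domain and IP in the sample is a placeholder.

```python
# Added example, not DMARC Analyzer's own code: split a DMARC forensic report
# (ARF, RFC 5965/6591) into feedback headers and original-message headers, then
# pull out the fields listed above. The report is constructed; all values are placeholders.
import re
from email import message_from_string

SAMPLE_ARF = """\
From: dmarc-reports@isp.example
Content-Type: multipart/report; report-type=feedback-report; boundary="b1"

--b1
Content-Type: message/feedback-report

Feedback-Type: auth-failure
Auth-Failure: dmarc
Source-IP: 203.0.113.5
Arrival-Date: Mon, 1 Jan 2024 10:00:00 +0000
Original-Mail-From: bounce@bulk-sender.example
Reported-Domain: example.com
Authentication-Results: isp.example; dmarc=fail header.from=example.com; spf=pass smtp.mailfrom=bulk-sender.example; dkim=fail header.d=bulk-sender.example
Delivery-Result: reject
--b1
Content-Type: message/rfc822

From: billing@example.com
Subject: Invoice 4711
Message-ID: <4711@bulk-sender.example>

--b1--
"""

def _headers(part):  # message/* part: nested Message if the parser nested it, else raw text
    payload = part.get_payload()
    return dict((payload[0] if isinstance(payload, list) else message_from_string(payload)).items())

def parse_forensic_report(raw):
    """Return the feedback headers and the email headers as two separate dicts."""
    msg = message_from_string(raw)
    if msg.get_content_type() != "multipart/report":
        raise ValueError("not an ARF feedback report")
    parts = {p.get_content_type(): p for p in msg.walk()}
    return {"feedback": _headers(parts["message/feedback-report"]),
            "original": _headers(parts["message/rfc822"])}

def summarize(raw):
    """Reduce one report to the fields an analyst checks first when triaging a failing source."""
    fb, orig = parse_forensic_report(raw).values()  # dict preserves insertion order
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", fb.get("Authentication-Results", "")))
    return {"subject": orig.get("Subject"), "received": fb.get("Arrival-Date"),
            "source_ip": fb.get("Source-IP"), "from_domain": fb.get("Reported-Domain"),
            "mail_from": fb.get("Original-Mail-From"), "message_id": orig.get("Message-ID"),
            "delivery_result": fb.get("Delivery-Result"), **results}
```

Note that a real report usually also carries a human-readable text/plain part and, for reporters that strip the body, only the original headers in the message/rfc822 part; the parser above ignores parts it does not need.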

As previously mentioned, DMARC Analyzer offers two possible setups. The first (default) setup is without encryption. DMARC Analyzer shows the feedback headers and the email headers separately: click on the subject first, and the header information is then displayed.

Forensic reports without encryption

[Screenshot: DMARC RUF forensic reports]

Feedback headers
[Screenshot: DMARC RUF forensic reports, feedback headers]

Email headers
[Screenshot: DMARC RUF forensic reports, email headers]

Forensic reports with encryption

Mail headers
[Screenshot: DMARC RUF forensic reports, mail headers]

Feedback headers
[Screenshot: DMARC RUF forensic reports, feedback headers]

Please refer to our article about the Forensic overview for more information about the Forensic DMARC overviews within DMARC Analyzer.