DMARC reports

Forensic reports from LinkedIn

During DMARC deployment projects, organizations often get forensic reports from LinkedIn. In this article we will explain why LinkedIn sends forensic reports and what this indicates.

What are Forensic reports?

If an organization places a DMARC record with a RUF tag, it will start receiving Forensic reports. Forensic reports are really valuable, because forensic reports show the subject, mail header, feedback header and optionally the body of an email. Because of this false positives and malicious streams are easier to recognize. For more information we refer to the following article: Forensic DMARC reports explained

Why are a lot of the forensic reports coming from LinkedIn?

There is a reason why a lot of forensic reports organizations receive come from LinkedIn: LinkedIn is one of the few ISPs that sends forensic reports. Most ISPs do not send forensic reports due to privacy concerns.

What do forensic reports from LinkedIn indicate?

Since forensic reports are only sent in case of an email failing the DMARC checks, forensic reports in general indicate incorrectly authenticated or malicious emails. Forensic reports from LinkedIn often indicate that out-of-office replies are not correctly setup. Out-of-office replies are typically sent without a “Return-Path” header. This is done because this might end up in two servers sending eachother out-of-office replies over and over. SPF authentication therefore falls back to the SMTP HELO/EHLO domain. This domain is often not aligned with the ‘From’ domain which makes SPF fail.

Signing all legitimate sources with DKIM will prevent out-of-office emails from failing the DMARC checks, this will also resolve issues related to automatic forwarding. Out-of-office emails can have a seperate setup in your mail agent, therefore it should be investigated how to setup DKIM for out-of-office replies based on your environment.