I’m missing forensic reports?!

Are you missing reports in the forensic section? This can have several causes, which we explain below.

Not all ISPs send forensics
Not all ISPs send forensic reports. This is mostly due to privacy considerations, but also due to performance-related issues. Providing a copy of invalid messages to the From domain, as DMARC is intended to do, can cause a lot of reports to be sent out.

Currently, the best-known forensic report senders are Microsoft, NetEase and LinkedIn.

Numbers not matching
If you expect the numbers in the aggregate and forensic overviews to match, this will not happen.

The biggest reason is the one discussed above: not all ISPs send forensic reports. Furthermore, the forensic specification doesn’t require ISPs to send a forensic report for every invalid mail, which lets them reduce the load on their servers.

DMARC policy too strict
You can specify the ‘fo’ parameter in your DMARC DNS record to indicate when you’d like to receive a forensic report.

Allowed values:
“0” to generate reports if both DKIM and SPF fail to produce a DMARC pass result
“1” to generate reports if either DKIM or SPF fails to produce a DMARC pass result
“d” to generate reports if DKIM has failed
“s” to generate reports if SPF has failed

You can combine the values by separating them using a colon (:).
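
To check whether your own record explains the missing reports, the following added example (not code from this page's author) parses a DMARC record and applies the ‘fo’ values listed above to a given DKIM/SPF outcome. The sample records and addresses are constructed; the example treats each mechanism as a single pass/fail as the list above does, and assumes the RFC 7489 behaviour that ‘fo’ defaults to “0” and is ignored when no ‘ruf’ address is published.

```python
# Added example: interpret the 'fo' tag of a DMARC record (constructed samples).
FO_MEANING = {
    "0": "report if both DKIM and SPF fail to produce a DMARC pass",
    "1": "report if either DKIM or SPF fails to produce a DMARC pass",
    "d": "report if DKIM has failed",
    "s": "report if SPF has failed",
}

def parse_tags(record):
    """Split 'v=DMARC1; p=none; fo=1:d' into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags

def fo_options(record):
    """Return (valid fo values, unknown values, has_ruf) for a record."""
    tags = parse_tags(record)
    raw = tags.get("fo", "0")  # assumption from RFC 7489: default is 0
    values = [v.strip().lower() for v in raw.split(":") if v.strip()]
    valid = [v for v in values if v in FO_MEANING]
    unknown = [v for v in values if v not in FO_MEANING]
    return valid, unknown, "ruf" in tags

def report_requested(record, dkim_pass, spf_pass):
    """True if the record asks for a forensic report for this result."""
    valid, _, has_ruf = fo_options(record)
    if not has_ruf:  # no ruf address published: fo has no effect
        return False
    checks = {
        "0": not dkim_pass and not spf_pass,
        "1": not dkim_pass or not spf_pass,
        "d": not dkim_pass,
        "s": not spf_pass,
    }
    return any(checks[v] for v in valid)

if __name__ == "__main__":
    # Constructed sample record; example.com is a placeholder domain.
    sample = "v=DMARC1; p=reject; ruf=mailto:forensic@example.com; fo=1:d"
    valid, unknown, has_ruf = fo_options(sample)
    for v in valid:
        print(f"fo={v}: {FO_MEANING[v]}")
    print("unknown values:", unknown, "| ruf present:", has_ruf)
    print("SPF fails, DKIM passes ->",
          report_requested(sample, dkim_pass=True, spf_pass=False))
```

With no ‘fo’ tag at all, a message that fails SPF but passes DKIM requests no report, which is a common reason the forensic overview stays empty.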