Email authentication

What to do with sources failing the DMARC checks?

In this article we will cover what to do if you find sources failing the DMARC checks. You can find these sources in the per sending overview of the ‘DMARC aggregate reports’ section.

Why is a source marked as failed?

A source is marked as failed because the email(s) from this source failed the DMARC checks. This means that the email was not DMARC compliant, so SPF and DKIM were both invalid. This can mean two things:

  • The source failed the DMARC checks because DKIM and/or SPF were not set up correctly.
  • The source failed the DMARC checks because it has sent malicious emails on behalf of your domain.

How do you investigate a failed source?

It is important to investigate every source that appears in the failed section so that you can identify it as valid or as malicious. If you recognise a source as legitimate, you can dig into the data and make sure SPF and/or DKIM are set up and aligned correctly. If you do not recognise a source, you will have to investigate it, because it might be trying to send malicious emails on behalf of your domain.

The steps that you can take in order to investigate the source:

  1. Do I recognise the source as a partner of my company?
  2. Search on Google what kind of source this is.
  3. Does the source appear on RBL blacklist websites?
  4. Check the forensic reports to see what kind of emails are sent by the source.
  5. If the source is valid, search for documentation in order to set up DMARC correctly.
  6. Contact the source.
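
The following Python example is added here and is not from the original article. It reads a DMARC aggregate report in the RFC 7489 XML layout, lists the sources that failed both aligned checks, and separates those that authenticated as another domain (usually a legitimate sender that still needs alignment) from those with no valid SPF or DKIM at all. The sample report, IP addresses and domains are constructed, and `failing_sources` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET  # for untrusted real reports, prefer defusedxml.ElementTree

# Constructed sample in the RFC 7489 aggregate-report layout (documentation IPs and domains).
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>42</count>
   <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><dkim><domain>mailer.example.net</domain><result>pass</result></dkim>
   <spf><domain>bounce.example.net</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>3</count>
   <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
 <record><row><source_ip>203.0.113.5</source_ip><count>100</count>
   <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
   <spf><domain>other.example.org</domain><result>pass</result></spf></auth_results></record>
</feedback>"""


def failing_sources(report_xml):
    """Group DMARC-failing records by source IP and suggest a first triage step."""
    sources = {}
    for rec in ET.fromstring(report_xml).iter("record"):
        aligned = (rec.findtext("row/policy_evaluated/dkim"),
                   rec.findtext("row/policy_evaluated/spf"))
        if "pass" in aligned:
            continue  # DMARC compliant: one aligned pass is enough
        src = sources.setdefault(rec.findtext("row/source_ip"),
                                 {"count": 0, "authenticated_as": set()})
        src["count"] += int(rec.findtext("row/count", "0"))
        # Raw SPF/DKIM results, before alignment with the From: domain
        for auth in rec.iterfind("auth_results/*"):
            if auth.findtext("result") == "pass":
                src["authenticated_as"].add(auth.findtext("domain"))
    for src in sources.values():
        src["triage"] = ("authenticates as another domain: if you recognise it, align SPF/DKIM"
                         if src["authenticated_as"]
                         else "no valid SPF or DKIM: check forensic reports and blacklists")
    return sources


if __name__ == "__main__":
    for ip, info in sorted(failing_sources(SAMPLE_REPORT).items(),
                           key=lambda kv: -kv[1]["count"]):
        print(f"{ip:15} {info['count']:>5}  {sorted(info['authenticated_as'])}  {info['triage']}")
```

The domains in `authenticated_as` are a useful starting point for steps 1 and 2: they name the service that actually signed or sent the mail.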