I remember when I got hold of my first DMARC reports, almost a year ago. Finally, something new and shiny for me to play with! If you’re about to encounter the same experience and are wondering how to read DMARC reports, then here’s what you can expect:
Aggregate Reports (RUA)
The participating Mailbox Providers will send daily reports via email, HTTP, or HTTPS based on what you defined in the “rua” tag.
Reports sent by email will be MIME-formatted messages, each including an XML file contained in a zip file.
The reports include data about messages that passed and/or failed DMARC.
The report will include 3 sections:
1. ISP information
   - Mailbox Provider name
   - Mailbox Provider’s sending email address and additional contact information
   - Report ID number
   - Beginning and ending date range in seconds
2. DMARC Record – a line by line description of your DMARC record
3. Summary of authentication results – This is what you’ve been waiting for. Look for the areas that show neutral, none, or failed results.
   - IP identified in the legitimate and/or fraudulent email
   - Count of IP address identified
   - From: domain
   - DKIM authentication results – lists the domain and result (i.e. none, pass, or fail)
   - SPF authentication results – lists the domain and result (i.e. neutral, pass, or fail)
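The three sections above correspond to the report_metadata, policy_published and record elements of the aggregate report XML defined in RFC 7489. The Python below is an added example, not code from the original post: it unpacks a zipped report and reduces it to one row per sending IP, marking any row whose DKIM or SPF result is not a pass. The function names, the size cap and the sample report are constructed for illustration, and it assumes the report uses no XML namespace.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # reports are untrusted input; defusedxml is the safer parser
from datetime import datetime, timezone

# Constructed sample report (documentation IPs and example domains), not real data.
SAMPLE_XML = """<feedback>
  <report_metadata><org_name>mailbox-provider.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.7</source_ip><count>35</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""

MAX_XML_BYTES = 10 * 1024 * 1024  # assumed cap on the declared uncompressed size

def read_xml(attachment: bytes) -> bytes:
    """Return the report XML from a zip attachment, or the bytes as-is if not zipped."""
    if not zipfile.is_zipfile(io.BytesIO(attachment)):
        return attachment
    with zipfile.ZipFile(io.BytesIO(attachment)) as z:
        info = z.infolist()[0]
        if info.file_size > MAX_XML_BYTES:
            raise ValueError("report too large, refusing to decompress")
        return z.read(info)

def summarize(xml) -> dict:
    """Report metadata plus one row per source IP; 'review' marks any non-pass result."""
    root = ET.fromstring(xml)
    rows = []
    for rec in root.iter("record"):
        dkim, spf = (rec.findtext(f"row/policy_evaluated/{k}") for k in ("dkim", "spf"))
        rows.append({"ip": rec.findtext("row/source_ip"),
                     "count": int(rec.findtext("row/count")),
                     "from": rec.findtext("identifiers/header_from"),
                     "dkim": dkim, "spf": spf,
                     "review": dkim != "pass" or spf != "pass"})
    begin, end = (datetime.fromtimestamp(int(root.findtext(f"report_metadata/date_range/{k}")),
                                         timezone.utc).isoformat() for k in ("begin", "end"))
    return {"org": root.findtext("report_metadata/org_name"),
            "report_id": root.findtext("report_metadata/report_id"),
            "policy": root.findtext("policy_published/p"),
            "begin": begin, "end": end, "rows": rows}
```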
You’ll get per-message reports on individual messages that fail SPF and/or DKIM.
Make sure you don’t click on any links.
Use the email headers to help your investigation.
After seeing rows and rows of endless XML tags, my excitement quickly faded. Put it this way, I considered printing the aggregate report until I saw that it was 500 pages. The bottom line is that you need some intelligent way to summarize these reports for you. Obviously, you can ask one of your IT folks to parse the data, but is there really a need to reinvent the wheel? Here is some information that you might find useful: