How to Receive DMARC Reports: DMARC Reporting Setup Guide

DMARC Reporting RUA RUF

DMARC reports on the authentication status of your email infrastructure by sending DMARC reports to the specified mailboxes. We will go over how to set up DMARC reporting to receive DMARC reports in this post.

When you publish a DMARC record in the DNS, not only can you specify the policy which instructs email servers how to dispose of unauthenticated emails, but also you can request mailbox providers to send DMARC reports via the rua and ruf tags.

These reports contain information about your email streams or even individual email messages, which provides you with insights into the authentication statuses of your email streams. You should keep monitoring such information to properly authenticate all your legitimate email streams.

A typical DMARC reporting scenario

First things first, let's take a look at the parties involved in a typical DMARC reporting scenario: brand, ESP, mailbox provider, and report recipient.

The brand is the owner of the domain on which one implements DMARC to monitor the email authentication status. For example, if a company called AcmeCorp and it owns acmecorp.com, AcmeCorp is the brand.

The ESP (Email Service Provider) provides an email delivery service through which the brand can send emails to its customers, partners, etc. For example, SendGrid is an ESP used by AcmeCorp to deliver emails.

The mailbox provider hosts mailboxes for email end users. For example, Gmail, as a mailbox provider, hosts over 1 billion mailboxes for its whopping user base. Email messages from ESPs are delivered and saved in mailboxes and end users can view them later.

The report recipient is the email address that the DMARC reporting emails will be sent to. The brand can choose an arbitrary email address as long as it's accessible to the brand. The brand's IT administrator will download and analyze the reports attached to the DMARC reporting emails.

The scenario is illustrated below:

To string things together, picture this:

  • AcmeCorp's IT administrator publishes a DMARC record on domain acmecorp.com.
  • The DMARC record points the rua (and possible ruf) tag to the email address [email protected].
  • AcmeCorp (and possibly scammers) sends tons of business emails via domain acmecorp.com to its customers everyday.
  • Mailbox providers like Gmail send DMARC reports on these business emails to [email protected] as requested.

2 types of DMARC reports

DMARC supports 2 types of reports: aggregate reports and failure (forensic) reports. These 2 reports serve different purposes.

Aggregate reports contain information about email streams, including:

  • source IP;
  • organization that sent the report;
  • SPF domain;
  • SPF outcome: pass or fail;
  • SPF authentication result: none, neutral, pass, fail, softfail, temperror, or permerror;
  • DKIM domain;
  • DKIM outcome: pass or fail;
  • DKIM authentication result: none, neutral, pass, fail, policy, temperror, or permerror;
  • disposition: none, quarantine, or reject;
  • sent date.

For the most part, aggregate reports are used to analyze the authentication statuses of email streams and reach a full DMARC implementation (p=reject).

Failure (forensic) reports contain certain information about individual email messages, including:

  • arrival date;
  • source IP;
  • from;
  • to;
  • subject;
  • content;

and more...

As you can see, failure reports contain Personally Identifiable Information (PII). Due to privacy concerns, many mailbox providers including Gmail have dropped support for DMARC failure reports. As a result, only a few mailbox providers still send failure reports, including LinkedIn and 163.com. Keep this in mind when you are not receiving failure reports as expected.

To see an incomplete list of domains that send DMARC failure reports, refer to Which Domains Send DMARC Forensic (Failure) Reports?

Request to send aggregate reports

Requesting mailbox providers to send DMARC aggregate reports to your specified email addresses is a straightforward process. It's nothing more than specifying an email address in the rua tag of your DMARC record.

For example, if you want to request that aggregate reports be sent to an email address that you have access to: [email protected], you can publish a DMARC record like this:

v=DMARC1; p=none; rua=mailto:[email protected];

Request to send failure reports

Similar to requesting for aggregate reports, you can request to send failure reports to an arbitrary email address accessible to you.

For example, if you want to request that failure reports be sent to: [email protected], you can add a ruf tag with that email to your DMARC record:

v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected];

Set up External Destination Verification (EDV)

In the discussion above, I assume you own reporting.org, therefore it's completely legitimate for you to request to send reports to an email address on that domain. However, what if someone with malicious intent outside your organization requests to send DMARC reports to [email protected]? Wouldn't that spam your mailbox allocated for receiving your own DMARC reports?

The answer is yes. This is why DMARC won't send reports until the owners of the domains specified in rua and ruf tags have explicitly granted permissions.

To learn how to set up EDV, refer to: Why Am I Not Receiving DMARC Aggregate or Forensic Reports?

DMARC reporting interval

You can request DMARC to send aggregate reports at a certain interval via the optional ri tag. The value of the ri tag is in seconds.

For example, the following DMARC record requests to send reports every 86400 seconds, which is 24 hours:

v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; ri=86400;

Note that not all mailbox providers honor requests with intervals shorter than 86400 seconds. If you specify an interval value under 86400, it's possible that the value is ignored and aggregate reports are sent daily instead.

Set up mailboxes for incoming DMARC reports

There are a couple of ways to prepare mailboxes for receiving DMARC reports. You can choose the one that works the best for you:

  • use DMARCLY's auto-generated mailboxes; this is the simplest method as it handles the downloading, parsing and rendering of DMARC reports for you as well. Sign up to use DMARCLY's mailboxes;
  • use your own mailboxes; you will need to maintain your own mailboxes and handle report downloading, parsing and rendering.

Troubleshooting

If you've set up DMARC reporting, and are not receiving reports after a few days, you might need to check your DMARC implementation.

Check out this post Why Am I Not Receiving DMARC Aggregate or Forensic Reports? on how to troubleshoot DMARC reporting issues.

Previous Post Next Post

 Protect Business Email & Improve Email Deliverability

Get a 14 day trial. No credit card required.

Create Account