While DMARC aggregate reports are great for an overview of your sending, they do not provide detailed information you can use to help locate unfamiliar sources that show up in your aggregate reports as failing DMARC. To locate these sending sources in your aggregate reports that are unfamiliar, you will need to use DMARC forensic reporting.
What is DMARC forensic reporting?
Forensic reporting, which differs from aggregate reporting, lets you receive a report every time an email is sent that fails DMARC. These forensic reports are typically sent by the receiving ISP immediately after the DMARC failure occurs, giving you near real-time insight into your DMARC failures.
How do I start getting forensic reports?
To add an email address for receiving forensic DMARC reports, add an ruf tag that includes the email address where you want to get the forensic reports. For an example, if my original DMARC record is:
v=DMARC1; p=none; pct=100; rua=mailto:firstname.lastname@example.org; sp=none; aspf=r;
I could have forensic reports also sent to email@example.com by changing it to the following:
v=DMARC1; p=none; pct=100; rua=mailto:firstname.lastname@example.org; ruf=mailto:email@example.com; sp=none; aspf=r; fo=1;
Once the ruf tag is in place, you will start to see forensic reports come in for DMARC failures when you send to ISPs that support sending them.
What will I see in these forensic reports?
It is possible to see the following details in a forensic report:
- IP Information (the IP address that sent the email)
- Time when the message was received by the ISP
- Authentication results for SPF, DKIM, and DMARC
- ISP(The ISP that received the message and is sending the forensic report)
From Domain information:
- From address
- Mail From address
- DKIM From address if the message was signed with DKIM
- URLs (if present in the sent email)
- Message ID
- Delivery Result (Whether the message was rejected, quarantined, or delivered)
What you actually end up seeing in the report depends on the ISP that received the message. What each ISP sends in their forensic reports is up to them and may not include all of the above details.
If you end up finding out the source is actually legitimate, you would then want to set up SPF and DKIM for them to ensure they pass DMARC. For some additional reading on deciphering forensic reports, Return-Path also has a great post here.