Understanding DMARC email reports

DMARC reports may seem difficult to understand at first, but with the right help can be handy for your business.

If you’ve followed the recent changes Google and Yahoo made to email, you may have set up a DMARC record.

The DMARC record allows you to set a policy to get reports of emails failing to follow the rules you have set in your other email authentication and verification records, known as SPF and DKIM.

Understanding a DMARC email report, however, is complicated, so we’ll break it down for you and some free and paid tools you can use.

What is DMARC, SPF and DKIM?

You can see a more detailed review of these here, but for a quick snapshot, see below:

DMARC (Domain-based Message Authentication, Reporting & Conformance): A security protocol that uses SPF and DKIM to determine the authenticity of an email, ensuring it hasn’t been tampered with, and provides instructions on how to handle unauthorised use of your domain.

SPF (Sender Policy Framework): A security measure that specifies which mail servers are allowed to send email on behalf of your domain, helping to prevent misuse.

DKIM (DomainKeys Identified Mail): A verification method that attaches a digital signature to emails, allowing the recipient to verify that the sender is legitimate and somebody did not alter the email.

What are DMARC reports?

Email providers send DMARC reports to you so you can check on how your email is going with the rules you provided based on your SPF and DKIM records.

This is very important if your email record policy is set to quarantine or reject, meaning the emails may not get delivered.

The reports are helpful for:

  • When you send a large number of emails per month,
  • Your brand is well-established or known.
  • Run an online store or business where emails are a common occurrence.
  • You have a higher-risk category business prone to scams, or your audience is less likely to detect scam messages.
  • Curious to make sure your SPF and DKIM are working.
  • Your DMARC is subject to the quarantine or reject policy.

How to enable a DMARC email report

A small business owner trying to understand a DMARC email report sent to them

When setting up a DMARC record, your DMARC record can set up a RUA tag policy (Reporting URI for Aggregate). The rua tag defines where aggregate DMARC reports should be emailed to. 

You can add multiple emails by adding a comma and the next rua=mailto:email@domain.au,mailto:email2@domain.au, etc.

DMARC policies for email delivery

There are three different rules for DMARC policy:

  • None/monitor: email is delivered regardless of your rules in SPF and DKIM records.
  • Quarantine: any unmatching or failed emails fall into a separate folder, such as a spam folder.
  • Reject: any unmatching or failed emails are blocked, so they will not be sent to a user.

To protect who can send emails that appear from your domain (web address), you can start using the “p=quarantine” policy.

The “p=reject policy is the most strict.

Rejecting emails altogether is a risk and should be used with caution. It’s best suited for more prominent brands and sensitive organisations such as healthcare.

Be mindful that when you change or add new technology, such as a new content management system (CMS) for your website, an email marketing program or a third-party tool, you may need to adjust the email records to allow them to send email from your domain.

How to check your DMARC record

You can check your record using this free EasyDMARC checker tool.

Note even if you have an email that specifies the reports delivery address, the site still displays an error message saying it’s missing.

EasyDMARC reporting is a feature of the tool itself and is not to be confused with the email report.

How to create or edit a DMARC record

If you don’t yet have a DMARC record, you can create one using this free tool.

For example:

Domain: your domain

Policy type:

  • None (monitoring): no action to email
  • Quarantine: emails that authentication failed but fall into another folder, e.g. spam.
  • Reject: emails that fail authentication do not get sent at all. Not recommended.

Reports sent to: Email address of reports to be sent to.

Subdomain policy: You can set a different policy for subdomains, e.g. grow.truegreenhosting.au, etc.

SPF identifier alignment: Strict

DKIM identifier alignment: Strict

Reporting interval: In seconds. 2628288 = 1 month. Not related to failure reports.

Percentage applied to: The % of emails the policy will apply to.

Failure reporting sent to: Email for failed authentication reports to go.

Failure reporting options: can set when to send failure reports to you.

DMARC record generator with settings for DMARC reporting and quarantine setup

After you generate the record, you need to add it as a TXT record for your domain.

This is done where your domain records are managed.

It is defined based on the nameserver of your domain.

In most cases, it is your cPanel (control panel) or where you manage the domain records, e.g. where you purchased the domain from.

For cPanel, you will find the records under ‘Zone editor’. You will then select ‘TXT’ and look for a DMARC TXT record or add a new one.

cPanel also has a DMARC tool in the zone editor. The above items translate to:

DMARC email report generator tool in zone editor for cPanel hosting environment

You can select the ‘Raw’ option to paste in your full TXT record.

What format are DMARC email reports sent in?

DMARC reports can be sent in two formats: aggregate and forensic.

The most common is aggregate, as most email providers do not send forensics to avoid privacy issues.

Aggregate

It uses the “rua” tag, “Reporting URI for Aggregate”. These reports are in an XML file format and provide information about the authentication status of DMAC, SPF and DKIM.

The report includes:

  • Reporting email service provider information
  • Header-from domain 
  • DMARC policy and alignment settings
  • Sender Internet Protocol (IP) address
  • Message authentication status and data 
  • Number of messages sent

Forensic 

The “ruf” tag in a DMARC policy stands for “Reporting URI for Forensic reports.” 

This tag specifies the email address or addresses where forensic (failure) reports of individual email authentication failures should be sent. 

These reports provide detailed information about each failure, including the true origin of legitimate email sources that need further tweaking or investigation.

How to read a DMARC XML report

XML files are text-based files but more complex to understand.

You can upload your XML file (or compressed zip file) to the DMARCian free tool, letting you quickly review the report’s contents.

DMARCian DMARC email report XML converter tool

Reviewing a report will show you what emails have been sent or failed. You might identify a legitimate email sender, in which case you should tweak the SPF or DKIM (or both) records that failed.

DMARC email report shows where there has been an SPF or DKIM alignment fail in the email provided

In the example above, we can see that the DMARC policy is to quarantine emails that do not align with the DKIM and SPF policy. The user has set a relaxed DKIM policy compared to a strict SPF policy and applied 100% weighting. The report also shows that legitimate emails from Google were seen as misaligned, requiring the user to amend their SPF record to avoid future soft-fail reports.

For those who have failed and were not your organisation, disregard as the email records are working as they should.

Interpreting a DMARC Report

While each DMARC report or tool can differ, they follow the same pattern in terms of the information they provide, including:

  1. Sources: The email providers that send you DMARC reports.
  2. Pass: The number of emails that successfully passed DMARC authentication.
  3. Fail: The number of emails that failed DMARC authentication.
  4. Policy: Your current DMARC policy settings, such as “none,” “quarantine,” or “reject.”

By analysing DMARC reports, you can ensure your emails are correctly authenticated and identify potential issues that may require attention.

DMARC – Paid tools

You can also use paid tools to analyse DMARC results. The following solutions are stated in United States Dollars (USD) and were accurate when publishing 1 May 2024.

Budget-friendly DMARC tools (under $50 USD per month)

  1. DMARC Digests
    • Pricing: Starts at $14 USD per month (unlimited email volume)
    • Ideal for: Small businesses and individuals looking for a simple, affordable DMARC solution without advanced features.
  2. DMARCLY
    • Pricing: Starts at $17.99 USD per month (100k emails per month)
    • Ideal for: Users with some knowledge of DMARC and email authentication, looking for a cost-effective solution with forensic reporting.
  3. Dmarcian
    • Pricing: Starts at $20 USD per month (100k emails per month)
    • Ideal for: Business owners wanting more detail about DMARC including forensic reporting where made available.

Mid-range DMARC tools ($50 – $200 USD per month)

  1. EasyDMARC
    • Pricing: Starts at $39.99 USD per month (100k emails per month)
    • Ideal for: Users seeking a balance between ease of use and advanced features like forensic reporting and API access in higher-priced plans.
  2. DMARC Analyzer (Mimecast)
    • Pricing: Custom (contact for a quote)
    • Ideal for: Businesses requiring forensic reporting and professional services, with flexible pricing based on specific needs.

Premium DMARC tools ($200+ USD per month)

  1. Dmarcian
    • Pricing: Starts at $199 USD per month (1M emails per month)
    • Ideal for: Advanced users and large organisations with complex email authentication and reporting needs and access to professional services.
  2. ONDMARC (Redsift)
    • Pricing: Starts at $249 USD per month (7M emails per month)
    • Ideal for: Organisations with sophisticated reporting and security needs, including forensic reporting, smart alerts, and API access.

These DMARC email report tools cater to different budgets and requirements, making finding the perfect solution for your business easier. Whether you’re a small business owner or part of a large organisation, there’s a DMARC tool out there that suits your needs and budget.

Wrapping Up

DMARC reports might seem complex initially, but they’re much more approachable with the right tools and guidance. 

By understanding the basics of DMARC, the “rua” tag policy, and how to open, interpret, and understand DMARC reports, you can take essential steps toward securing your email domain and protecting your business from email fraud.

By choosing to host or get your email hosting with us, our friendly 24/7 tech support team will help you with setting up the records you need.