Using forensic reports to identify unknown sources
While DMARC aggregate reports are great for an overview of your sending, they do not provide the detailed, per-message information you need to track down unfamiliar sources that show up in your aggregate reports as failing DMARC. To identify those unfamiliar sending sources, you will need to use DMARC forensic reporting.
What is DMARC forensic reporting?
How do I start getting forensic reports?
Since these reports can include personally identifiable data, there are privacy concerns surrounding them and many popular providers don't send them. DMARC Digests does not currently support the processing of forensic reports, but you can opt to have them sent to your own email address.
v=DMARC1; p=none; pct=100; rua=mailto:re+gere25cludm@dmarc.postmarkapp.com; sp=none; aspf=r;
v=DMARC1; p=none; pct=100; rua=mailto:re+gere25cludm@dmarc.postmarkapp.com; ruf=mailto:forensicreports@yourdomain.com; sp=none; aspf=r; fo=1;
- fo=0; Generate a DMARC failure report if both DKIM and SPF are unaligned.
- fo=1; Generate a DMARC failure report if either DKIM or SPF are unaligned. (Recommended)
- fo=d; Generate a DKIM failure report if the message had an invalid DKIM signature, even if the DKIM signature domain is aligned.
- fo=s; Generate an SPF failure report if the message failed SPF checks, even if the Return-Path domain is aligned.
You can ask to receive multiple types of reports by separating the values with colons. For example: fo=0:1:s;
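As an added example that is not part of the original article or of DMARC Digests, the Python below parses records like the two shown above, reports which fo conditions are in effect (a fo value only matters once a ruf address is present, and it defaults to 0 when absent), and builds the updated record; the function names and the mailbox are assumptions.

```python
# Added example (not from the original article): parse a DMARC TXT record
# and work out which failure (forensic) reports its "fo" tag asks for.
# The two records are the ones shown in the article; fo semantics follow RFC 7489.

BEFORE = ("v=DMARC1; p=none; pct=100; "
          "rua=mailto:re+gere25cludm@dmarc.postmarkapp.com; sp=none; aspf=r;")
AFTER = ("v=DMARC1; p=none; pct=100; "
         "rua=mailto:re+gere25cludm@dmarc.postmarkapp.com; "
         "ruf=mailto:forensicreports@yourdomain.com; sp=none; aspf=r; fo=1;")

FO_MEANING = {
    "0": "report when both DKIM and SPF are unaligned",
    "1": "report when either DKIM or SPF is unaligned",
    "d": "report any failed DKIM signature, aligned or not",
    "s": "report any SPF failure, aligned or not",
}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value;' into a dict; reject non-DMARC records."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            tag, _, value = part.partition("=")
            tags[tag.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def failure_report_options(record: str) -> list:
    """fo options in effect (default '0'); [] when no ruf address is set,
    because receivers send no failure reports without one."""
    tags = parse_dmarc(record)
    if "ruf" not in tags:
        return []
    opts = tags.get("fo", "0").split(":")   # fo=0:1:s style multi-values
    bad = [o for o in opts if o not in FO_MEANING]
    if bad:
        raise ValueError(f"unknown fo value(s): {bad}")
    return opts


def add_forensic_reporting(record: str, mailbox: str, fo: str = "1") -> str:
    """Return the record with ruf=mailto:<mailbox> and fo=<fo> set.
    If the mailbox domain differs from the DMARC domain, that domain must
    publish a report authorization record (RFC 7489 s7.1) or reports are dropped."""
    tags = parse_dmarc(record)
    tags["ruf"] = f"mailto:{mailbox}"
    tags["fo"] = fo
    return " ".join(f"{k}={v};" for k, v in tags.items())
```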
What will I see in these forensic reports?
- IP Information (the IP address that sent the email)
- Time when the message was received by the ISP
- Authentication results for SPF, DKIM, and DMARC
- ISP (the ISP that received the message and is sending the forensic report)
- From Domain information:
  - From address
  - Mail From address
  - DKIM From address if the message was signed with DKIM
- Subject
- URLs (if present in the sent email)
- Message ID
- Delivery Result (Whether the message was rejected, quarantined, or delivered)