Using forensic reports to identify unknown sources
While DMARC aggregate reports give a good overview of your sending, they do not include the detail you need to track down unfamiliar sources that show up in them as failing DMARC. To identify those unfamiliar sources, you will need to use DMARC forensic reporting.
What is DMARC forensic reporting?
How do I start getting forensic reports?
DMARC Digests does not currently support processing of forensic reports, but you can opt to have them sent to your own email address.
v=DMARC1; p=none; pct=100; rua=mailto:firstname.lastname@example.org; sp=none; aspf=r;
v=DMARC1; p=none; pct=100; rua=mailto:email@example.com; ruf=mailto:firstname.lastname@example.org; sp=none; aspf=r; fo=1;
What will I see in these forensic reports?
- IP Information (the IP address that sent the email)
- Time when the message was received by the ISP
- Authentication results for SPF, DKIM, and DMARC
- ISP (the ISP that received the message and is sending the forensic report)
- From Domain information:
  - From address
  - Mail From address
  - DKIM From address if the message was signed with DKIM
- URLs (if present in the sent email)
- Message ID
- Delivery Result (whether the message was rejected, quarantined, or delivered)
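As an added example (not part of DMARC Digests or the original article), the Python sketch below pulls the fields listed above out of a forensic report delivered to your mailbox. It assumes the report uses the standard feedback-report format (RFC 5965 / RFC 6591), whose field names appear in REPORT_FIELDS; the sample report, addresses and domains are constructed for illustration.

```python
from email import message_from_string
# Constructed sample report (not real data); a real one also carries more headers.
SAMPLE = """\
From: reports@isp.example
Content-Type: multipart/report; report-type=feedback-report; boundary="b1"

--b1
Content-Type: text/plain

This is an authentication failure report.
--b1
Content-Type: message/feedback-report

Feedback-Type: auth-failure
Auth-Failure: dmarc
Source-IP: 192.0.2.55
Arrival-Date: Tue, 04 Mar 2025 10:15:00 +0000
Reported-Domain: example.com
Original-Mail-From: bounce@mailer.example.net
DKIM-Domain: mailer.example.net
Authentication-Results: isp.example; spf=pass smtp.mailfrom=mailer.example.net; dkim=pass header.d=mailer.example.net; dmarc=fail header.from=example.com
Delivery-Result: delivered
--b1
Content-Type: text/rfc822-headers

From: Billing <billing@example.com>
Message-ID: <abc123@mailer.example.net>
--b1--
"""

REPORT_FIELDS = ("Source-IP", "Arrival-Date", "Authentication-Results", "Reported-Domain",
                 "Original-Mail-From", "DKIM-Domain", "Delivery-Result")
def _headers(part):
    # message/* parts parse into a nested Message; text/rfc822-headers stays a string.
    payload = part.get_payload()
    return payload[0] if isinstance(payload, list) else message_from_string(payload)

def summarize(raw):
    # Collect the fields that identify who sent the failing message; absent ones are None.
    out = {}
    for part in message_from_string(raw).walk():
        ctype = part.get_content_type()
        if ctype == "message/feedback-report":
            fields = _headers(part)
            out.update({name: fields.get(name) for name in REPORT_FIELDS})
        elif ctype in ("text/rfc822-headers", "message/rfc822"):
            original = _headers(part)
            out["From"], out["Message-ID"] = original.get("From"), original.get("Message-ID")
    return out
```

In this sample the source IP and the Mail From / DKIM domains all point at mailer.example.net while the From address uses example.com, which is the pattern of a legitimate third-party sender that has not yet been aligned with your domain.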