Using forensic reports to identify unknown sources

While DMARC aggregate reports are great for an overview of your sending, they do not provide detailed information you can use to help locate unfamiliar sources that show up in your aggregate reports as failing DMARC. To locate these sending sources in your aggregate reports that are unfamiliar, you will need to use DMARC forensic reporting. 

What is DMARC forensic reporting?

Forensic reporting, which differs from aggregate reporting, lets you receive a report every time an email is sent that fails DMARC. These forensic reports are typically sent by the receiving ISP immediately after the DMARC failure occurs, giving you near real-time insight into your DMARC failures.

How do I start getting forensic reports?

Since these reports can include personally identifiable data, there are privacy concerns surrounding them and many popular providers don't send them. DMARC Digests does not currently support the processing of forensic reports, but you can opt to have them sent to your own email address.

To add an email address for receiving forensic DMARC reports, add an ruf tag that includes the email address where you want to get the forensic reports. For an example, if my original DMARC record is:
v=DMARC1; p=none; pct=100;; sp=none; aspf=r;
I could have forensic reports also sent to by changing it to the following:
v=DMARC1; p=none; pct=100;;; sp=none; aspf=r; fo=1;
Once the  ruf tag is in place, you will start to see forensic reports come in for DMARC failures when you send to ISPs that support sending them.
The  fo is used to tell receivers which kinds of forensic reports you'd like to receive.
  • fo=0; Generate a DMARC failure report if both DKIM and SPF are unaligned.
  • fo=1; Generate a DMARC failure report if either DKIM or SPF are unaligned. (Recommended)
  • fo=d; Generate a DKIM failure report if the message had an invalid DKIM signature, even if the DKIM signature domain is aligned.
  • fo=s; Generate an SPF failure report if the message failed SPF checks, even if the Return-Path domain is aligned.

You can ask to receive multiple types of reports by separating the values with colons. For example: fo=0:1:s;

What will I see in these forensic reports?

It is possible to see the following details in a forensic report:
  • IP Information (the IP address that sent the email)
  • Time when the message was received by the ISP
  • Authentication results for SPF, DKIM, and DMARC
  • ISP(The ISP that received the message and is sending the forensic report)
  • From Domain information:
    • From address
    • Mail From address
    • DKIM From address if the message was signed with DKIM

  • Subject
  • URLs (if present in the sent email)
  • Message ID
  • Delivery Result (Whether the message was rejected, quarantined, or delivered)
What you actually end up seeing in the report depends on the ISP that received the message. What each ISP sends in their forensic reports is up to them and may not include all of the above details.
If you end up finding out the source is actually legitimate, you would then want to set up SPF and DKIM for them to ensure they pass DMARC. For some additional reading on deciphering forensic reports, Return-Path also has a great post here.
Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.

Still need help? Contact Us Contact Us