This article explains what DMARC forensic reports are, how to request them, and what is included in these reports.
What is a DMARC Forensic Report?
Aggregate reports (sent to the rua address) are periodic XML summaries that state, per sending IP, how many messages passed or failed SPF, DKIM, and DMARC. Forensic reports (sent to the ruf address) are generated per message and include additional information such as the subject line, header information (e.g., “To” and “From”), URLs included in the message, and attachment information.
A receiving mail server (the “ISP”, or reporting organization) generates a forensic report for an individual message that fails DMARC authentication. By default that means neither SPF nor DKIM produced a passing result aligned with the From domain; the fo tag of the DMARC record can ask receivers to report as soon as either mechanism fails. Each report is a sample that points at a specific source, mailstream, or sending IP, and contains message-level data: the “To” and “From” addresses, the IP address of the sender and, depending on the receiver, the body of the message.
Not all receivers send forensic reports, because they can contain privacy-sensitive information, so forensic data never gives a complete picture of failing traffic; aggregate reports remain the authoritative count. The forensic reports you do receive are still valuable during DMARC deployment, because a single report can identify the exact source that is failing.
What information is included in DMARC forensic reports?
Forensic reports could contain the following information:
- Subject line
- Time when the message was received
- IP information (the sending IP address)
- Authentication results
  - SPF result
  - DKIM result
  - DMARC result
- From domain information
  - From address (the RFC5322.From header)
  - Mail from address (the RFC5321.MailFrom envelope sender)
  - DKIM signing domain (the d= tag of the DKIM signature)
- Message ID
- URLs
- Delivery result
  - The applied policy. The message could be rejected, quarantined, or delivered.
- ISP (receiver) information
How to receive forensic reports?
Publish a DMARC record for your domain that contains a ruf tag, for example ruf=mailto:example@somedomain.com. The record invites DMARC reporting organizations to send forensic reports to that address, which becomes the endpoint for every receiver that supports them. Two details decide whether reports actually arrive. The fo tag sets when a receiver should report: the default, fo=0, reports only when both SPF and DKIM fail, while fo=1 reports when either one fails. And if the mailbox in the ruf tag is in a different domain from the one publishing the record, that destination domain must publish an authorization record (yourdomain._report._dmarc.destinationdomain, a TXT record starting with v=DMARC1), otherwise receivers will not send reports there.
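The following is an added example, not code from the original article or from DMARC Analyzer. It parses a DMARC TXT record, reports where and under which fo condition forensic reports are requested, and lists the external authorization records a receiver will look up when the ruf mailbox lives outside the policy domain. The record, addresses and domains are constructed documentation values.

```python
"""Parse a DMARC TXT record and work out how forensic (ruf) reporting is configured.
Added example; the record and domains below are constructed, not real DNS data."""

# Constructed example record for the hypothetical domain example.com.
EXAMPLE_RECORD = (
    "v=DMARC1; p=quarantine; rua=mailto:dmarc-agg@example.com; "
    "ruf=mailto:dmarc-forensic@example.com; fo=1"
)

# Failure-reporting options from RFC 7489 section 6.3 (fo tag, colon separated).
FO_MEANING = {
    "0": "report only if neither SPF nor DKIM gives an aligned pass (default)",
    "1": "report if either SPF or DKIM fails to give an aligned pass",
    "d": "report every DKIM signature verification failure",
    "s": "report every SPF evaluation failure",
}


def parse_dmarc_record(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict, enforcing the two required tags."""
    if not txt.strip().startswith("v=DMARC1"):
        raise ValueError("record must begin with v=DMARC1")
    tags = {}
    for item in txt.split(";"):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"malformed tag: {item!r}")
        name, value = item.split("=", 1)
        tags[name.strip()] = value.strip()
    if "p" not in tags:
        raise ValueError("required p= tag is missing")
    return tags


def report_addresses(uri_list: str) -> list:
    """Return the mailto addresses from a rua/ruf value, dropping the optional
    '!size' limit suffix RFC 7489 allows after an address."""
    addresses = []
    for uri in uri_list.split(","):
        uri = uri.strip()
        if uri.lower().startswith("mailto:"):
            addresses.append(uri[len("mailto:"):].split("!", 1)[0])
    return addresses


def forensic_config(tags: dict) -> dict:
    """Describe whether, where and when forensic reports are requested."""
    addresses = report_addresses(tags.get("ruf", ""))
    fo = tags.get("fo", "0")
    conditions = [FO_MEANING[c] for c in fo.split(":") if c in FO_MEANING]
    return {
        "requested": bool(addresses),
        "addresses": addresses,
        "fo": fo,
        "conditions": conditions,
    }


def external_authorization_records(policy_domain: str, addresses: list) -> list:
    """DNS names a receiver checks before sending reports to a mailbox outside the
    policy domain: <policy-domain>._report._dmarc.<destination-domain> must exist
    as a TXT record starting with v=DMARC1 (RFC 7489 section 7.1)."""
    names = []
    for addr in addresses:
        dest = addr.rsplit("@", 1)[-1].lower()
        if dest != policy_domain.lower():
            names.append(f"{policy_domain.lower()}._report._dmarc.{dest}")
    return names


if __name__ == "__main__":
    tags = parse_dmarc_record(EXAMPLE_RECORD)
    print(forensic_config(tags))
    print(external_authorization_records("example.com", ["ruf@reports.example.net"]))
```

Run it against the output of `dig TXT _dmarc.yourdomain` to see whether the record actually asks for forensic reports and which authorization names a receiver would query before sending them to an external mailbox.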
Unencrypted and Encrypted reports
DMARC Analyzer has two possible setups for forensic reports: Unencrypted (default) and Encrypted.
DMARC Analyzer shows the feedback headers (the metadata the receiver adds to the report, such as the source IP and authentication results) and the headers of the original email separately.
To access the headers:
- Click on the DMARC forensic reports menu item.
- Click on the Subject of the email you wish to view the headers of.
- Click on the View button underneath the Feedback headers or Mail headers options.
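Added example, not code from the article or from DMARC Analyzer: a parser for a forensic report in the ARF format that receivers send (RFC 5965, with the auth-failure fields of RFC 6591). It splits the report into the two header sets shown separately above, the feedback headers and the original mail headers, and pulls out the fields listed earlier in this article (source IP, SPF/DKIM/DMARC results, From and Mail From domains, DKIM signing domain, Message ID, subject, delivery result). The sample report, its addresses, IP and domains are constructed.

```python
"""Parse a DMARC forensic report (ARF, RFC 5965 / RFC 6591) into its two header sets:
the feedback headers written by the receiver and the headers of the reported message.
Added example with a constructed report; nothing here is DMARC Analyzer's own code."""
import email
import re
from email.message import Message

# Constructed sample report. Addresses, IP and domains are documentation values.
SAMPLE_REPORT = """\
From: dmarc-ruf@mail.example.net
To: dmarc-forensic@example.com
Subject: Authentication failure report for example.com
MIME-Version: 1.0
Content-Type: multipart/report; report-type=feedback-report; boundary="arf"

--arf
Content-Type: text/plain; charset=us-ascii

This is an authentication failure report for a message received from 203.0.113.5.

--arf
Content-Type: message/feedback-report

Feedback-Type: auth-failure
User-Agent: ExampleReporter/1.0
Version: 1
Original-Mail-From: <billing@example.com>
Arrival-Date: Mon, 01 Jan 2024 11:59:58 +0000
Source-IP: 203.0.113.5
Reported-Domain: example.com
Authentication-Results: mail.example.net; dmarc=fail (p=quarantine) header.from=example.com; spf=fail smtp.mailfrom=example.com; dkim=fail header.d=example.com
Delivery-Result: quarantine

--arf
Content-Type: text/rfc822-headers

From: "Example Billing" <billing@example.com>
To: someone@mail.example.net
Subject: Invoice overdue
Date: Mon, 01 Jan 2024 11:59:50 +0000
Message-ID: <20240101115950.1234@example.com>
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel; h=from:to:subject; bh=hashvalue; b=sigvalue

--arf--
"""


def _headers(msg: Message) -> dict:
    """Flatten a header block to a plain dict (first value wins for repeats)."""
    out = {}
    for name, value in msg.items():
        out.setdefault(name, str(value).strip())
    return out


def parse_auth_results(value: str) -> dict:
    """Pull the method=result pairs for dmarc, spf and dkim out of an
    Authentication-Results header value."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(dmarc|spf|dkim)=(\w+)", value, re.I)}


def _domain(address: str) -> str:
    """Domain part of '<user@example.com>' or 'Name <user@example.com>'."""
    match = re.search(r"@([A-Za-z0-9.-]+)", address)
    return match.group(1).lower() if match else ""


def parse_forensic_report(raw: str) -> dict:
    """Split an ARF message into feedback headers and reported-message headers and
    summarise the fields a DMARC analyst looks at first."""
    msg = email.message_from_string(raw)
    if (msg.get_content_type() != "multipart/report"
            or msg.get_param("report-type") != "feedback-report"):
        raise ValueError("not a multipart/report feedback-report message")
    feedback, mail_headers = {}, {}
    for part in msg.get_payload():
        ctype = part.get_content_type()
        if ctype == "message/feedback-report":
            feedback = _headers(part.get_payload(0))      # nested header block
        elif ctype == "message/rfc822":
            mail_headers = _headers(part.get_payload(0))  # full original message
        elif ctype == "text/rfc822-headers":
            mail_headers = _headers(email.message_from_string(part.get_payload()))
    if not feedback:
        raise ValueError("report has no message/feedback-report part")
    auth = parse_auth_results(feedback.get("Authentication-Results", ""))
    dkim = re.search(r"(?:^|;)\s*d=([^;\s]+)", mail_headers.get("DKIM-Signature", ""))
    header_from = _domain(mail_headers.get("From", ""))
    mail_from = _domain(feedback.get("Original-Mail-From", ""))
    dkim_domain = dkim.group(1).lower() if dkim else ""
    return {
        "feedback_type": feedback.get("Feedback-Type"),
        "source_ip": feedback.get("Source-IP"),
        "arrival_date": feedback.get("Arrival-Date"),
        "delivery_result": feedback.get("Delivery-Result"),
        "auth": auth,
        "subject": mail_headers.get("Subject"),
        "message_id": mail_headers.get("Message-ID"),
        "header_from_domain": header_from,
        "mail_from_domain": mail_from,
        "dkim_domain": dkim_domain,
        # Strict identifier alignment: DMARC passes only if a passing SPF or DKIM
        # result belongs to the same domain as the From header.
        "spf_aligned_pass": auth.get("spf") == "pass" and mail_from == header_from,
        "dkim_aligned_pass": auth.get("dkim") == "pass" and dkim_domain == header_from,
        "feedback_headers": feedback,
        "mail_headers": mail_headers,
    }


if __name__ == "__main__":
    for key, value in parse_forensic_report(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

The two dictionaries at the end of the result correspond to the Feedback headers and Mail headers views; the aligned-pass flags let you verify a receiver's dmarc=fail verdict against the identifiers in the report rather than taking it on trust.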
By default, DMARC Analyzer does not store the body of forensic reports; bodies are only kept once a PGP key has been set up.
When a PGP key is added to your account, every complete forensic report is encrypted with this key from then on. In your forensic overview you can download the encrypted report and decrypt it with your private key and passphrase.
A PGP key pair consists of a private key and a public key. Only the public key is uploaded to DMARC Analyzer; the private key should never leave a machine you control. DMARC Analyzer does not provide key generation, so generate the pair locally with a tool such as GnuPG (gpg --full-generate-key). Browser-based generators such as pgpkeygen.com exist, but a private key produced inside a third-party web page cannot be assumed to be secret. Whichever tool you use, choose the following settings:
- Your name: Your full name
- Your email address: Your email address
- Comments: This can be left empty
- Algorithm: RSA
- Key size: 4096
- Expires: Never
- Passphrase: A strong passphrase
To add your key to DMARC Analyzer:
- Click on your profile name drop-down in the top bar.
- Click on the Account option.
- Click on the Public Keys option.
- Open your downloaded public key with a text editor.
- Copy and paste the contents into the text box in DMARC Analyzer.
- Click on the Save button.
- DMARC Analyzer will now start encrypting your forensic reports with this key.
Encryption will only be applied to newly received forensic reports.
Encrypted mail messages can be found in your forensic overview by clicking on the View button under the Mail headers option. When an encrypted message is available, copy the entire PGP message block, from the BEGIN line to the END line, from the text box. To decrypt it, use your generated private key and passphrase.
DMARC Analyzer does not provide PGP decryption. Decrypt locally with the tool that holds your private key (for example gpg --decrypt on the saved message file), so that the key and passphrase stay on your machine. Online tools such as https://sela.io/pgp/ also exist: enter your private key, passphrase, and the encrypted message and click the decrypt button. Be aware that pasting a private key and its passphrase into a third-party web page discloses both to that site, after which the encryption no longer protects the report contents.
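The whole encrypted-report flow as an added example (not DMARC Analyzer's code): generate a key pair in an isolated GnuPG home, export the armoured public key that you would paste into the Public Keys box, let a "service" keyring that holds only that public key encrypt a report to it, and decrypt the result locally with the private key and passphrase. It assumes GnuPG 2.x with gpg and gpgconf on PATH; the identity, passphrase and report text are constructed, and RSA 2048 is used only to keep the run short where the article recommends 4096.

```python
"""Encrypt and decrypt a forensic report with GnuPG, mirroring the DMARC Analyzer
flow: you keep the private key, upload only the public key, the service encrypts
each report to it, and you decrypt locally. Added example assuming GnuPG 2.x
(gpg and gpgconf on PATH); the report text and identity are constructed."""
import os
import subprocess
import tempfile

EMAIL = "dmarc-forensic@example.com"   # assumed identity for the key pair
SAMPLE_REPORT = (                      # constructed stand-in for a report body
    "Feedback-Type: auth-failure\nSource-IP: 203.0.113.5\n"
    "Subject: Invoice overdue\n"
)


def _gpg(home: str, *args: str, stdin: str = None) -> str:
    """Run gpg non-interactively against an isolated keyring and return stdout."""
    cmd = ["gpg", "--homedir", home, "--batch", "--yes", "--quiet",
           "--pinentry-mode", "loopback", *args]
    return subprocess.run(cmd, input=stdin, capture_output=True,
                          text=True, check=True).stdout


def new_homedir() -> str:
    """Private, empty GnuPG home so nothing touches the user's real keyring."""
    home = tempfile.mkdtemp(prefix="gnupg-")
    os.chmod(home, 0o700)
    return home


def cleanup(home: str) -> None:
    """Stop the agent gpg started for this home directory."""
    subprocess.run(["gpgconf", "--homedir", home, "--kill", "gpg-agent"],
                   capture_output=True)


def generate_keypair(home: str, passphrase: str) -> None:
    """Unattended generation (gpg --gen-key batch mode). The article recommends
    RSA 4096 with no expiry; 2048 is used here only to keep the example fast."""
    params = (
        "Key-Type: RSA\nKey-Length: 2048\n"
        "Subkey-Type: RSA\nSubkey-Length: 2048\n"
        f"Name-Real: DMARC Forensic\nName-Email: {EMAIL}\n"
        f"Expire-Date: 0\nPassphrase: {passphrase}\n%commit\n"
    )
    path = os.path.join(home, "keyparams")
    with open(path, "w") as f:
        f.write(params)
    try:
        _gpg(home, "--gen-key", path)
    finally:
        os.unlink(path)


def export_public_key(home: str) -> str:
    """ASCII-armoured public key: the text you paste into the Public Keys box."""
    return _gpg(home, "--armor", "--export", EMAIL)


def encrypt_as_service(public_key: str, report: str) -> str:
    """What the reporting service does: import only the public key into its own
    keyring and encrypt the report to it. No private key is ever present here."""
    service_home = new_homedir()
    try:
        _gpg(service_home, "--import", stdin=public_key)
        return _gpg(service_home, "--armor", "--trust-model", "always",
                    "--recipient", EMAIL, "--encrypt", stdin=report)
    finally:
        cleanup(service_home)


def decrypt_report(home: str, ciphertext: str, passphrase: str) -> str:
    """Local decryption; the passphrase is passed on a file descriptor rather than
    on the command line, where other processes could read it."""
    path = os.path.join(home, "report.asc")
    with open(path, "w") as f:
        f.write(ciphertext)
    try:
        return _gpg(home, "--passphrase-fd", "0", "--decrypt", path,
                    stdin=passphrase + "\n")
    finally:
        os.unlink(path)


def roundtrip(passphrase: str, report: str = SAMPLE_REPORT) -> dict:
    """Generate, export, encrypt as the service would, decrypt as the user would."""
    home = new_homedir()
    try:
        generate_keypair(home, passphrase)
        public_key = export_public_key(home)
        ciphertext = encrypt_as_service(public_key, report)
        plaintext = decrypt_report(home, ciphertext, passphrase)
        return {"public_key": public_key, "ciphertext": ciphertext,
                "plaintext": plaintext}
    finally:
        cleanup(home)


if __name__ == "__main__":
    result = roundtrip("correct horse battery staple")
    print(result["ciphertext"])
    print(result["plaintext"])
```

For a real report, only decrypt_report applies: save the block copied from the Mail headers view to a file and run it against your normal GnuPG home, which holds the private key generated with the settings listed above.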