This article contains information on DMARC aggregate reports, including their purpose, contents, format, and how they help organizations monitor email authentication and prevent malicious activity.
What is a DMARC aggregate report?
DMARC aggregate reports contain information about the authentication status of messages sent on behalf of a domain. With the reports an organization can see which emails are authenticating against DKIM and SPF. It is also possible to view which emails are not authenticating.
An aggregate report doesn’t contain any information about the emails themselves. The DMARC aggregate reports contain information about:
- The source that sent the message.
- The domain that was used to send these messages.
- The sending IP.
- The number of messages sent on a specific date.
- The DKIM/SPF sending domain.
- The DKIM/SPF authentication result.
- The DMARC result.
This information helps an organization determine who is sending email on its behalf, whether a sender is allowed to send email on its behalf, and whether the messages are authenticated correctly. An organization is able to see who is sending malicious emails on its behalf. Eventually an organization will be able to make sure that the malicious emails won't reach the inbox of the receivers. This can be done by enforcing a DMARC reject policy.
Aggregate Reports:
- Are sent on a daily basis.
- Provide an overview of email traffic.
- Are in XML file format.
How to receive DMARC Aggregate reports?
A DMARC record needs to be created. A DMARC record invites DMARC reporting organizations to send DMARC aggregate reports back to the sender of an email. The record contains an RUA tag (tag: rua=mailto:example@somedomain.com). This email address will be the endpoint for the DMARC reporting organization to send the DMARC aggregate report to.
What is included in the DMARC aggregate report?
ISP information
- Report ID number.
- Reporting Organization Name.
- Reporting Organization sending email address and additional contact information.
- Beginning and ending date range in seconds.
Description of a DMARC record
- Header domain/from domain.
- Alignment settings for both DKIM and SPF.
- Domain policy (reject).
- Subdomain policy (reject).
- Percentage of messages to which the DMARC policy is to be applied.
Summary of authentication results
- IP identified in the email
- Total of IP addresses identified
- Disposition of the message, to show if the policy was applied
- DKIM authentication result, the domain and result
- SPF authentication result, the domain and result
DMARC Analyzer collects these reports and merges them into user-friendly overviews. The overviews within this tool will give an organization information on how to make sure its email channel is fully authenticated and secured against malicious users.