
How to set up DMARC records and Analyse DMARC reports

Every marketer is acquainted with the potency of email marketing and how a strong email marketing game can scale up the sales statistics.

Emails play a pivotal role in today’s digital marketing landscape. A novice marketer must understand the importance of email marketing and the know-how of converting the emails into valuable sales deals.

Two very common terms used by marketers are Email Delivery and Email Deliverability. But there are only a few who really know the difference between the two.

Email Delivery means emails are being delivered to the receiving server whereas Email Deliverability means emails are reaching the recipients’ inboxes.

So it is possible that you have very good email delivery but poor email deliverability because the emails that you send with the hope of receiving a reply might just land in the spam folder of the recipient.

All the effort that you put into framing the emails and writing attractive content with a catchy subject line is in vain if your recipient never reads your emails because they never reach the inbox.

Fewer emails into your recipients’ inboxes mean fewer replies you get from them, which in turn means less engagement, fewer meetings and as a result fewer sales.

In order to boost your sales, it is important to work on increasing your email deliverability so that the emails you send drop directly into the inbox of your recipient.

Three main security protocols come to your aid here: SPF, DKIM, and DMARC. These protocols not only help the emails reach the inbox safely but also provide an additional security mechanism that keeps unauthorized sources from sending emails using your domain, thereby authenticating your emails and validating that they come from you.

In this way, the recipient knows that it is actually you who is sending emails and not someone impersonating you.

You can read more about Email Authentication using SPF, DKIM and DMARC records in our previous blog.

We have already talked about setting up SPF and DKIM records. Let’s look into the steps for setting up DMARC records.

Setting up DMARC on G Suite

DMARC is an acronym for Domain-based Message Authentication, Reporting, and Conformance. It is a security protocol that prevents phishing attacks. DMARC safeguards your domain’s overall reputation by blocking spam emails.

DMARC combines the results of SPF and DKIM. Using DMARC, you can instruct the receiving mail server on how to deal with emails that use your domain in an attempt to impersonate you.

You can set up your DMARC policy in your DNS record. So, when you send an email, the receiving mail server looks up your domain’s DNS entry for a DMARC policy and takes the action as specified in your domain’s DNS record.

It instructs the receiving mail server what to do if neither of the authentication methods passes. It provides a way for the receiving server to report back to the sender about messages that pass and/or fail the DMARC evaluation.

Following are the steps to set up DMARC policy on G Suite –

  • Log in to your domain account at your domain host, say Namecheap.com.
  • Select the domain for which you want to set up DMARC records.
  • Click on the ‘Manage’ button present on the right side of the selected domain name.
  • Go to that domain’s Advanced DNS Management.
  • Scroll down and click on the Add New Record button.
  • From the drop-down list, select TXT Record.
  • In the field named Host, type _dmarc.
  • In the next field named Value, type the syntax v=DMARC1; p=none; rua=mailto:yourname@yourdomain.com
  • Click on Save Changes.

And you have configured the DMARC records. Once you have set up these records, you will start receiving feedback reports. 
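Before saving the record, it helps to check the value you are about to publish. The following is an added example, not part of the original post: a small validator for the DMARC TXT value covering the v, p, adkim, aspf, rua, ruf and pct tags. The function name and the sample records are constructed for illustration.

```python
import re

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc_record(txt):
    """Return (tags, problems) for the value of a DMARC TXT record."""
    pairs, problems = [], []
    for part in (p.strip() for p in txt.split(";")):
        if not part:
            continue  # a trailing ';' leaves an empty piece
        name, sep, value = part.partition("=")
        if not sep:
            problems.append(f"tag without '=': {part!r}")
            continue
        pairs.append((name.strip().lower(), value.strip()))
    tags = dict(pairs)

    # The version tag has to come first and must read exactly DMARC1.
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("record must begin with v=DMARC1")
    if tags.get("p", "").lower() not in VALID_POLICIES:
        problems.append("p= must be none, quarantine or reject")

    # adkim/aspf are optional; relaxed ('r') is assumed when they are absent.
    for tag in ("adkim", "aspf"):
        if tags.setdefault(tag, "r") not in ("r", "s"):
            problems.append(f"{tag}= must be r (relaxed) or s (strict)")

    # rua/ruf hold a comma-separated list of report addresses.
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if not re.fullmatch(r"mailto:[^@\s]+@[^@\s]+", uri, re.IGNORECASE):
                problems.append(f"{tag}= entry is not a mailto: address: {uri!r}")

    pct = tags.setdefault("pct", "100")
    if not pct.isdigit() or int(pct) > 100:
        problems.append("pct= must be a whole number from 0 to 100")
    return tags, problems


if __name__ == "__main__":
    # Constructed sample values, not taken from a real domain.
    for record in ("v=DMARC1; p=none; rua=mailto:yourname@yourdomain.com",
                   "v=DMARC1 p=none rua=mailto:yourname@yourdomain.com"):
        print(record, "->", parse_dmarc_record(record)[1] or "ok")
```

A record with the separators missing is read as one long v= tag, so the validator reports both the bad version and the missing policy.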

Analyzing the DMARC Report

Once you have set up DMARC records in your domain’s DNS, you will start receiving DMARC reports to the email address you mentioned in the syntax while setting up the DMARC record. These reports are sent by the recipients’ mail server whenever you send emails.

DMARC reports provide insight into what happens to your emails after you press the send button: whether your mails are passing the authentication checks, or whether some malicious sources are sending mails using your domain.

This is important information to have in order to increase your email deliverability rates and the responses that your emails generate.

But as said by a great human, data is just data until you can organize it in a way that provides value. DMARC reports are sent in an XML format which is beyond the understanding of many. But don’t you worry, we are here to clear the clutter and help you decipher the reports.

There are two types of DMARC reports, aggregate and forensic. Let’s dive into the blog and decode each one of them.

Aggregate Reports

Aggregate reports are feedback reports giving insights on the emails being sent by your domain. These reports are sent by the recipients’ mail server to the email address provided by you in the rua tag of the DMARC syntax.

Aggregate reports contain details regarding the emails passing the SPF and DKIM, the IP addresses which are sending mails using your domain, hence providing evidence of any malicious activity taking place.

The statistics provided by these reports are crucial for understanding your email streams and for conducting a thorough investigation in case of any fraudulent activity.

Let’s have a look at what an Aggregate Report comprises:

DOMAIN: These are the domains where you published a DMARC record to collect DMARC data.

POLICY: This is the policy applied to non-compliant messages used in your DMARC record for the domain. This policy includes three modes:

  • Report only mode: It is specified as p=none. It means that the email is accepted irrespective of whether or not the policy matches and a report is sent to the sender.
  • Quarantine mode: It is specified as p=quarantine. It means that the email gets quarantined and is sent to the spam folder.
  • Reject mode: It is specified as p=reject. In this case, the connection will be aborted and the email will not reach the end-user.

COMPLIANCE: This shows the percentage of DMARC compliant messages sent from the domain for the chosen period.

SOURCES: This is the number of sources, i.e., IP addresses sending emails from the domain.

DMARC PASS: This gives the number of DMARC compliant messages sent from the domain for the chosen period.

DMARC FAIL: This gives the number of DMARC non-compliant messages sent from the domain for the chosen period.

SPF FAIL: This gives the number of messages that have failed SPF and were sent from the domain for the chosen period.

DKIM FAIL: This gives the number of messages that failed DKIM and were sent from the domain for the chosen period.

FORWARD: This is the number of the email messages sent from the domain and then forwarded for the chosen period.

UNKNOWN: The number of source IP addresses that have sent emails for your domain, but have missed an SPF record or DKIM signature for your domain.

TOTAL: This gives the total number of the email messages sent from the domain for the chosen period.

In order to get a detailed report, click on the domain name.

Let’s understand the values mentioned in the columns.

The first thing that you see is a graph depicting the mail traffic sent for the domain for the chosen time period. It basically pictures the statistics of how many emails have been sent using that domain.

If you see a sudden increase in the slope of the graph, this indicates that a large volume of mails was sent during that span of time.

You can narrow the period to that particular date and can see the sending source of those emails. This will help you locate any illegitimate source sending emails on your behalf.

Besides the graph, the report shows details such as:

SENDING IP: These are the IP addresses that are sending the emails on behalf of the domain. The authorized IP addresses are shown by the green color whereas the unauthorized IP addresses are shown by the grey color.

DISP: Disposition tells you what action was applied to the messages sent by you. It has one of three values:

  • none: This means that the message was delivered and no specific action was taken regarding the delivery of the message.
  • quarantine: This means that the message was treated as suspicious and was sent to the spam folder.
  • reject: This means that the message was rejected.

POLICY OVERRIDE: Policy override means that the policy that you specified in your DMARC record has been overruled by the recipient. The common DMARC overrides have five values:

  • forwarded: this means that the message was identified as likely having been forwarded. There is no expectation that authentication would pass.
  • local_policy: this states that the Mail Receiver’s local policy exempted the message from being subjected to the Domain Owner’s requested policy action.
  • mailing_list: this means that the message arrived via a mailing list, and thus authentication of the original message was not expected to succeed.
  • sampled_out: this says that the message was exempted from the application of policy by the “pct” setting in the DMARC policy record.
  • trusted_forwarder: the message authentication failure was anticipated by other evidence linking the message to a locally maintained list of known and trusted forwarders.
  • other: this means that the policy exceptions that were not covered by other entries in this list occurred.

DMARC EVAL: This tells whether or not the messages have passed DMARC evaluation. There are two values: Aligned or Fail. The result is based on SPF and DKIM evaluation.

The “Aligned” result means DMARC evaluation passed because SPF and DKIM evaluation passed and the “Fail” result means DMARC evaluation didn’t pass because SPF evaluation and/or DKIM evaluation failed.

SPF EVAL: This shows whether or not the messages have passed SPF evaluation. There are two values: Pass or Fail. SPF evaluation has a value ‘Pass’ when the domain of the “Mail FROM” address aligns with the domain in the header “From” address.

When the “Mail FROM” address is empty, alignment is checked against the EHLO domain.

There are two types of enforcing modes for DMARC policy – strict mode and relaxed mode. These come into play through two optional tags called adkim and aspf. If these tags are not mentioned, then the relaxed mode is assumed by default.

In the relaxed mode, the SPF-authenticated “Mail FROM” domain and “From” domain must match or share the same Organizational Domain. However, in the strict mode, only an exact domain match is considered to produce SPF alignment.

DKIM EVAL: This shows whether or not the messages passed DKIM evaluation. This also has two values: Pass or Fail. DKIM evaluation gives the value ‘Pass’ when the domain found in the “d=” field of a DKIM-signature in the email header aligns with the domain found in the header “From” address. Otherwise, the value is Fail.

HEADER FROM: This shows you the domain used in the “From” field in the message.

SPF DOMAINS: This gives you the domain where the SPF record with the IP address shown in the Sending IP column is published.

SPF AUTH: This column displays the result of an SPF check against the given domain and IP address to verify that the IP is included in the SPF record. The result can have one of 7 values:

  1. None:  In this case, the SPF verifier had no information about the authorization.
  2. Neutral: This indicates that although a policy for the identity was discovered, there is no definite assertion (positive or negative) about the client.
  3. Pass: This means that the client is authorized to inject mail with the given identity.
  4. Fail: This means that the client is not authorized to use the domain in the given identity.
  5. Softfail: This result is treated as somewhere between “fail” and “neutral/ none”. The host is not authorized but the receiving server did not make a strong policy statement.
  6. Temperror:  This tells you that the SPF verifier encountered a transient error while performing the check.
  7. Permerror:  This means that the domain’s published records could not be correctly interpreted.

DKIM DOMAINS: In this column, you see the domain published in the “d=” tag in the DKIM signature.

DKIM AUTH: This column displays the result of a DKIM signature check that verifies if the message is correctly signed by the “d=” domain in the DKIM header. This can have one of 7 values:

  1. None:  This indicates that the message was not signed.
  2. Pass: In this case, the message was signed, the signatures were acceptable to the ADMD, and the signatures passed verification tests.
  3. Fail: This indicates that the message was signed and the signatures were acceptable to the ADMD, but they failed the verification tests.
  4. Policy: This means that the message was signed, but some aspect of the signatures was not acceptable to the ADMD.
  5. Neutral: This signifies that the message was signed, but the signatures contained syntax errors or could not be processed. This result also denotes other failures that are not covered elsewhere in this list.
  6. Temperror: This states that the message could not be verified due to some error that is transient in nature.
  7. Permerror: This states that the message could not be verified due to some error that is unrecoverable.

TOTAL: This gives you the sum of the message count in that specific report subset.
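To see where these columns come from, here is an added example (not part of the original post) that reads the raw aggregate XML and lists the sending IPs whose mail passed neither check and carries no policy override. The element names follow the aggregate report format defined in RFC 7489; the sample report and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_REPORT = """
<feedback>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>fail</dkim><spf>fail</spf>
        <reason><type>forwarded</type></reason></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>45</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
</feedback>"""  # constructed sample; IPs are from documentation ranges

def summarize(xml_text):
    """Flatten each <record> into the report columns described above."""
    rows = []
    for rec in ET.fromstring(xml_text).iter("record"):
        ev = rec.find("row/policy_evaluated")
        rows.append({
            "sending_ip": rec.findtext("row/source_ip"),
            "total": int(rec.findtext("row/count", "0")),
            "disp": ev.findtext("disposition"),
            "dkim_eval": ev.findtext("dkim"),
            "spf_eval": ev.findtext("spf"),
            "policy_override": [r.findtext("type") for r in ev.findall("reason")],
            "header_from": rec.findtext("identifiers/header_from"),
        })
    return rows

def unexplained_failures(rows):
    """Message totals per IP that passed neither check and carry no override."""
    totals = defaultdict(int)
    for r in rows:
        if "pass" not in (r["dkim_eval"], r["spf_eval"]) and not r["policy_override"]:
            totals[r["sending_ip"]] += r["total"]
    return dict(totals)
```

Reports are sent by third-party mail servers, so outside an offline example like this one, parse them as untrusted XML, for instance with a hardened parser such as defusedxml.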

This was about the Aggregate Report. Let’s have a look at the second type of report, i.e, Forensic Report.

Forensic Reports

The DMARC Forensic reports are similar to the Aggregate Reports. The only difference is that these reports contain some additional information that is not included in the aggregate reports.

Apart from carrying the information about the authentication status of SPF, DKIM, and DMARC, these also show the subject line of the emails as well as the attachments, if any, included in the emails.

Forensic reports are generated immediately after detecting a DMARC authentication failure. In order to start receiving forensic reports on your email, you are required to set up a DMARC policy with a request for forensic reports.

This can be done by including a tag ruf=mailto:{your email address}. Once you have set up the DMARC record, the receiving mail server will send the forensic reports to the email address provided by you in the ruf tag.

The forensic report contains the following information –

IP Information: This gives the IP addresses that have sent the emails.

Time: Forensic report also shows the time at which the message was received by the ISP.

Authentication-Results: The report shows whether the emails have passed the SPF, DKIM and DMARC authentication.

ISP Information: The report also contains information about the server which has sent the report.

From Domain Information: The report contains the From address, the Mail FROM address, and the DKIM From address.

Subject line: This is the subject line of the message. This is not shown in the aggregate report.

URLs: Forensic report also gives details about the URLs attached to the emails.

Delivery Result: It shows whether the mail falls under the reject, quarantine or no policy. It is depicted in the forensic report.

These are the useful insights given in the forensic report.

Information given by DMARC comes as feedback reports generated by the receiving mail server after detecting a DMARC authentication failure. DMARC reports identify all your email streams, determine illegal sources and make sure all legal sources pass authentication.

It is crucial to set up SPF, DKIM and DMARC records to ensure good email deliverability. This will increase the responses to your emails and hence increase sales.