I decided it was about time that I sat down and tried to understand these reports, and I think that I now have a better understanding of the reports.
Below is the current published DMARC record for one of my domains. The record that I originally had (and which had generated this DMARC report) was to provide an aggregate (rua) report, but I have now changed it to provide only a failure (ruf) report:
v=DMARC1; p=reject; ruf=mailto:[email protected]; adkim=r; aspf=r;
Note that I have used ‘example.com’ as the domain, instead of my actual domain name.
The received DMARC report (in XML format), which was generated based on my original DMARC record, is broken down into sections below, using a real received example of a RUA (aggregate) report:
Above is the first section of the report; it contains information about the ISP (here it’s kddi.com), their email address, etc.
Next up, it’s the report ID:
Followed by the date range:
Use https://timestamp.online/ to convert these timestamps. For example:
1731881931 = 17/11/2024, 22:18:51
1731904700 = 18/11/2024, 04:38:20
Next is policy published:
Next is the source (as an IP address) of the sender and how many attempts:
A check of the IP address shows the location of the sender as ‘Lagos, Lagos, Nigeria’.
Next is policy evaluated:
This says rejected – DKIM and SPF both failed.
Next, the domain that was the sender:
And finally, the auth results:
This says that both DKIM and SPF have failed, therefore the email was rejected.
As I did not send the email in question myself, the DMARC record has done its job and rejected the email as not being legitimate – success!
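The sections walked through above can also be read programmatically. The following is an added example, not part of the original post or the received report: it parses a constructed aggregate report laid out as in RFC 7489 and converts the date range to UTC. The source IP (documentation range) and the report ID are placeholders; the organisation name, timestamps and policy are the ones mentioned in this post.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample following the RFC 7489 aggregate report layout.
# The source IP (documentation range) and the report ID are placeholders.
SAMPLE = """<feedback>
  <report_metadata>
    <org_name>kddi.com</org_name><report_id>EXAMPLE-REPORT-ID</report_id>
    <date_range><begin>1731881931</begin><end>1731904700</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>reject</p>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>1</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>fail</result></dkim>
      <spf><domain>example.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>"""

def utc(epoch):
    # Report timestamps are Unix epoch seconds; render them in UTC
    return datetime.fromtimestamp(int(epoch), tz=timezone.utc).strftime("%d/%m/%Y, %H:%M:%S")

def summarise(xml_text):
    # Reports come from third parties: use a hardened parser (e.g. defusedxml) in production
    root = ET.fromstring(xml_text)
    report = {"org": root.findtext("report_metadata/org_name"),
              "begin": utc(root.findtext("report_metadata/date_range/begin")),
              "end": utc(root.findtext("report_metadata/date_range/end")),
              "policy": root.findtext("policy_published/p"), "rows": []}
    for rec in root.iter("record"):
        ev = rec.find("row/policy_evaluated")
        report["rows"].append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "disposition": ev.findtext("disposition"),
            # DMARC passes if either aligned check (DKIM or SPF) passes
            "dmarc_pass": "pass" in (ev.findtext("dkim"), ev.findtext("spf")),
            "auth": [(a.tag, a.findtext("domain"), a.findtext("result"))
                     for a in rec.find("auth_results")],
        })
    return report
```

Rows where `dmarc_pass` is false but the source IP is one of your own mail servers point to an SPF or DKIM misconfiguration rather than spoofing, which is worth checking before relying on `p=reject`.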
I don’t have any recent DMARC failure reports (in TXT format) to compare with the above aggregate report, but I may update this post when one becomes available.
Finally: Just to say, this is not an expert definitive analysis, but just my rudimentary understanding!