
DMARC Report Analyzer

With the DMARC report analyzer tool, you can upload your XML report file to convert it into a human-readable format.

What is DMARC?

Domain-based Message Authentication, Reporting and Conformance (DMARC) is a policy published as a DNS TXT record that tells receiving servers what action to take on emails that fail SPF/DKIM checks. DMARC policies help prevent email spoofing. SPF, DKIM, and DMARC all work together as a background check mechanism, ensuring that an email is sent from a legitimate mail server.

How does a DMARC report work?

When an email is sent from your inbox, an authentication check happens at the receiving end to validate for spoofing and legitimacy. If the email fails the authentication check, the server applies DMARC policy to understand the action that needs to be taken for the email and creates a DMARC report. The policy has tags that let you customize when to create a report, its email frequency, and the format.

DMARC report types

DMARC reports are often XML-based, containing information about the emails sent from the domain and their SPF/DKIM status. There are two types of reports: aggregate reports and forensic reports.

Aggregate report:

This report contains the status of email authentication mechanisms like SPF and DKIM checks. It provides information on the sender IP address, the number of emails sent, date ranges, SPF and DKIM authentication results, and their email service provider (ESP).
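The fields described above can be pulled out of an aggregate report with a short parser. This is an added example, not code from Zoho Toolkit: the sample report is constructed, it assumes the element names of the RFC 7489 aggregate schema without an XML namespace, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 aggregate-report layout (not a real report).
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published><domain>abc.com</domain><p>quarantine</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>42</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  </record>
  <record>
    <row><source_ip>203.0.113.7</source_ip><count>5</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  </record>
</feedback>"""

def summarize(xml_text):
    # Reports are sent by third parties: refuse DTDs and entities before parsing.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration in report")
    root = ET.fromstring(xml_text)
    summary = {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "sources": [],
    }
    for row in root.iter("row"):
        dkim = row.findtext("policy_evaluated/dkim")
        spf = row.findtext("policy_evaluated/spf")
        summary["sources"].append({
            "ip": row.findtext("source_ip"),
            "count": int(row.findtext("count", "0")),
            "disposition": row.findtext("policy_evaluated/disposition"),
            "dkim": dkim, "spf": spf,
            # DMARC passes when at least one aligned mechanism passes.
            "dmarc_pass": "pass" in (dkim, spf),
        })
    return summary

def failing_sources(summary):
    """Sources whose mail passed neither DKIM nor SPF: the ones to investigate."""
    return [s for s in summary["sources"] if not s["dmarc_pass"]]
```

Sources returned by failing_sources are either legitimate senders missing from your SPF/DKIM setup or servers spoofing the domain, so review them before tightening the policy.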

Forensic report:

This report is generated only when an email fails the authentication check. It carries crucial and confidential information that helps you identify, validate, and block the email server with unauthorized access to send emails. The report includes information such as the sender address, receiver email address, source IP, time the email was sent, email header, and subject line, along with the authentication result.

DMARC report generation

When defining your DMARC record, you must use tags to specify the action to be taken if the authentication mechanism fails. You can designate the email address to receive the report and determine when the server should generate and send reports. You must include the "rua" and "ruf" tags to ensure that the reports are sent to your designated mailbox. When an aggregate report is generated, the server takes the email address from the rua tag, and when a forensic report is generated, it takes the address from the ruf tag. A sample tag looks like this:

rua = mailto:dmarc-report@abc.com

DMARC report analyzer

With the help of Zoho Toolkit, you can view DMARC reports in a human-readable format. Often, the reports generated by receiving servers are in XML format, which is quite difficult for users to read. When you receive the report in your email, simply copy and paste the XML file into Toolkit. The DMARC analyzer lists all of the necessary information in a form that is easier to view and understand.

Frequently Asked Questions

  • What happens when an email fails the authentication process?

    We can either deliver the emails without taking any action, or we can quarantine them, in which case they end up in the receiver's spam folder. Alternatively, we can reject and drop the email. All three scenarios can be specified using the "p" tag when defining the DMARC policy. For instance, the p tag can hold any one of the following actions: p=none, p=quarantine, or p=reject.
  • When is a DMARC report generated?

    It depends on the frequency set during the creation of a DMARC record. A DMARC report can be generated under three scenarios, and the "fo" tag specifies when a report needs to be created. fo=0 applies when both the SPF and DKIM checks fail, fo=1 when either one of the mechanisms fails, and fo=s when the SPF check fails. The reports will be generated based on the flag set in the tag.
  • How often do we need to generate this report?

    This purely depends on your email usage. For every email server you send an email to, you'll get an email report in return. Using a separate mailbox or group email to receive such reports is generally recommended.