how to parse DMARC feedback from Comcast
Question asked by Eric Bourland - May 18, 2016 at 8:06 AM
Answered
Hi, friends. I participate in a feedback loop at Comcast and other ISPs. I get regular reports from the Comcast DMARC Report Generator <dmarc-support@alerts.comcast.net>. Here is one such report, below. But -- I am not sure what to do with the information contained in the report, or even if the report bears good or bad news. My mail server IP is 162.217.171.90. What should I make of the DMARC report, below? Thank you for any insights. I really appreciate your time.

Eric
 
<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
    <version>1.0</version>
    <report_metadata>
        <org_name>comcast.net</org_name>
        <email>dmarc-admin@alerts.comcast.net</email>
        <report_id>v1-1463555953-cep-dc.org</report_id>
        <date_range>
            <begin>1463443200</begin>
            <end>1463529600</end>
        </date_range>
    </report_metadata>
    <policy_published>
        <domain>cep-dc.org</domain>
        <adkim>r</adkim>
        <aspf>r</aspf>
        <p>none</p>
        <sp>none</sp>
        <pct>100</pct>
        <fo>0</fo>
    </policy_published>
    <record>
        <row>
            <source_ip>162.217.171.90</source_ip>
            <count>34</count>
            <policy_evaluated>
                <disposition>none</disposition>
                <dkim>pass</dkim>
                <spf>pass</spf>
            </policy_evaluated>
        </row>
        <identifiers>
            <header_from>cep-dc.org</header_from>
        </identifiers>
        <auth_results>
            <dkim>
                <domain>cep-dc.org</domain>
                <result>pass</result>
                <selector>selector</selector>
            </dkim>
            <spf>
                <domain>cep-dc.org</domain>
                <scope>mfrom</scope>
                <result>pass</result>
            </spf>
        </auth_results>
    </record>
    <record>
        <row>
            <source_ip>17.172.109.149</source_ip>
            <count>1</count>
            <policy_evaluated>
                <disposition>none</disposition>
                <dkim>fail</dkim>
                <spf>fail</spf>
            </policy_evaluated>
        </row>
        <identifiers>
            <header_from>cep-dc.org</header_from>
        </identifiers>
        <auth_results>
            <dkim>
                <domain>comcast.net</domain>
                <result>pass</result>
                <selector>q20140121</selector>
            </dkim>
            <dkim>
                <domain>comcast.net</domain>
                <result>fail</result>
                <selector>q20140121</selector>
            </dkim>
            <dkim>
                <domain>cep-dc.org</domain>
                <result>fail</result>
                <selector>selector</selector>
            </dkim>
            <spf>
                <domain>cep-dc.org</domain>
                <scope>mfrom</scope>
                <result>fail</result>
            </spf>
        </auth_results>
    </record>
    <record>
        <row>
            <source_ip>17.172.109.150</source_ip>
            <count>1</count>
            <policy_evaluated>
                <disposition>none</disposition>
                <dkim>fail</dkim>
                <spf>fail</spf>
            </policy_evaluated>
        </row>
        <identifiers>
            <header_from>cep-dc.org</header_from>
        </identifiers>
        <auth_results>
            <dkim>
                <domain>comcast.net</domain>
                <result>fail</result>
                <selector>q20140121</selector>
            </dkim>
            <dkim>
                <domain>cep-dc.org</domain>
                <result>fail</result>
                <selector>selector</selector>
            </dkim>
            <spf>
                <domain>cep-dc.org</domain>
                <scope>mfrom</scope>
                <result>fail</result>
            </spf>
        </auth_results>
    </record>
    <record>
        <row>
            <source_ip>72.167.218.159</source_ip>
            <count>1</count>
            <policy_evaluated>
                <disposition>none</disposition>
                <dkim>pass</dkim>
                <spf>fail</spf>
            </policy_evaluated>
        </row>
        <identifiers>
            <header_from>cep-dc.org</header_from>
        </identifiers>
        <auth_results>
            <dkim>
                <domain>cep-dc.org</domain>
                <result>pass</result>
                <selector>selector</selector>
            </dkim>
            <spf>
                <domain>bounce.secureserver.net</domain>
                <scope>mfrom</scope>
                <result>pass</result>
            </spf>
        </auth_results>
    </record>
</feedback>
 

3 Replies

3
Scarab Replied
Marked As Answer
Eric,

The DMARC report shows 34 messages addressed from cep-dc.org that were received from your Mail Server, all of which passed SPF and DKIM. There were 2 messages that came from Apple.ME and 1 from GoDaddy that failed SPF.
 
If that domain is sending email through Apple.ME or GoDaddy then you would want to realign the SPF Record for the cep-dc.org domain accordingly. If those are not authorized senders then there is nothing you need to do.

There are programs and 3rd Party Services for compiling reports from the DMARC Reports that make it a lot easier to understand the results contained within them. To be honest, it's been so long since I first rolled out DMARC policies for all of our hosted domains that I couldn't recommend one offhand. Once you are certain that a domain's SPF and DKIM are properly aligned and set your DMARC policy for a domain to quarantine or reject, the only time you ever look back at DMARC reports is when a domain is getting lots of NDR bounce-backs when someone attempts to spoof their domain.
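
Added example, not part of the original thread: a small Python parser for an aggregate report like the one posted in the question, giving per-source message counts and the DMARC outcome (pass when the aligned DKIM or SPF result in policy_evaluated is pass). The sample is trimmed from the report above; the function names are illustrative, and the code assumes the report carries no XML namespace.

```python
import xml.etree.ElementTree as ET
from collections import namedtuple

Row = namedtuple("Row", "source_ip count header_from dkim spf dmarc_pass")

# Sample trimmed from the report in the question (auth_results omitted).
SAMPLE = """<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
 <record><row><source_ip>162.217.171.90</source_ip><count>34</count>
  <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>cep-dc.org</header_from></identifiers></record>
 <record><row><source_ip>17.172.109.149</source_ip><count>1</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>cep-dc.org</header_from></identifiers></record>
 <record><row><source_ip>72.167.218.159</source_ip><count>1</count>
  <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>cep-dc.org</header_from></identifiers></record>
</feedback>"""

def parse_report(xml_text):
    """Return one Row per <record> of a DMARC aggregate report."""
    # Reports arrive by mail from third parties: refuse DTD/entity declarations.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD not allowed in a DMARC report")
    root = ET.fromstring(xml_text.encode("utf-8"))
    rows = []
    for rec in root.iter("record"):
        ev = rec.find("row/policy_evaluated")
        if ev is None:
            continue  # malformed record: nothing to evaluate
        dkim = ev.findtext("dkim", "").strip().lower()
        spf = ev.findtext("spf", "").strip().lower()
        rows.append(Row(
            rec.findtext("row/source_ip", "").strip(),
            int(rec.findtext("row/count", "0")),
            rec.findtext("identifiers/header_from", "").strip(),
            dkim, spf, dkim == "pass" or spf == "pass"))  # one aligned pass is enough
    return rows

def summarize(rows):
    """Message totals by DMARC outcome, and which sources to look at."""
    bad = [r for r in rows if not r.dmarc_pass]
    return {"pass": sum(r.count for r in rows if r.dmarc_pass),
            "fail": sum(r.count for r in bad),
            "failing_sources": sorted(r.source_ip for r in bad),
            "dkim_only": sorted(r.source_ip for r in rows
                                if r.dmarc_pass and r.spf != "pass")}

if __name__ == "__main__":
    print(summarize(parse_report(SAMPLE)))
```

On this sample, 72.167.218.159 lands in `dkim_only`: its aligned SPF result is fail, but its aligned DKIM pass is enough for the message to pass DMARC.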
0
Scarab Replied
Eric,

Here are 3 third-party providers that compile human-readable reports from your DMARC reports:

http://dmarc.postmarkapp.com/
https://dmarcian.com/
https://www.dmarcanalyzer.com/

We used the last one when first setting up. Like I said, you generally only need to actively monitor DMARC reports when you have your DMARC policy set to monitor. Once you are certain that your SPF is aligned properly and set your DMARC policy to quarantine or reject, you will rarely (if ever) review those DMARC reports for your domains.
1
Eric Bourland Replied
Dear Scarab, this is reassuring and very helpful. You answered my question. Thank you so much.

All best,

Eric
