question about repeated DMARC reports
Question asked by Eric Bourland - December 5, 2017 at 7:45 AM
Unanswered
Hi, friends. May I ask your advice regarding DMARC? I have been getting a lot of DMARC reports, and so have my clients. Frankly, I am not sure what to do with these reports. I have DMARC properly configured for many domains on my SmarterMail server, but what should I do when I get a report like the one below? Is the report telling me I need to change something? Thank you for your advice. Eric
 
<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
  <report_metadata>
    <org_name>xs4all.nl</org_name>
    <email>noreply@dmarc-reports.xs4all.net</email>
    <extra_contact_info>mailto:admin@dmarc-reports.xs4all.net</extra_contact_info>
    <report_id>xs4all.nl.1512433927.629.1137</report_id>
    <date_range>
      <begin>1512345600</begin>
      <end>1512432000</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>potentiaconcepts.com</domain>
    <adkim>s</adkim>
    <aspf>s</aspf>
    <p>none</p>
    <sp>none</sp>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>199.73.56.66</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>potentiaconcepts.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>potentiaconcepts.com</domain>
        <result>pass</result>
      </dkim>
      <spf>
        <domain>potentiaconcepts.com</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
</feedback>
 

4 Replies

0
Eric Bourland Replied
I think this is just an aggregated DMARC report; but I receive several of these every day, sometimes for the same domain. It seems to me that I receive many more of these reports than I used to. I suppose my real question is, should I be concerned about any of this? Thank you again for your wise advice regarding the management of a DMARC rule.
2
Scarab Replied
As DMARC has become more widely adopted you will inevitably see an increase in DMARC reports. I cannot stress highly enough that you want DMARC reports to go to a unique address that is used only for collecting DMARC reports (i.e. dmarc@domain.tld). That said, unless you are using a 3rd-party utility to parse DMARC reports (we used to use DMARC Analyzer but there are many other solutions), then after a period of time when you are certain that all emails from a domain are passing DMARC (30 days is usually ample time) you would want to set the policy (p= modifier) from "none" to either "quarantine" or "reject". This will dramatically reduce the number of DMARC reports you receive, as only those emails that fail will result in a DMARC report being sent (a p="none" will result in a DMARC report for passes and fails).
 
It is important to periodically review or audit these DMARC reports (which is why using a 3rd-party monitoring tool is useful). Most failures will be caused by spoofed emails, but invariably you'll have customers who will get a new network printer that they don't set up SMTP Authentication for, or will sign up for QuickBooks or a marketing service such as Constant Contact or MailChimp, which will cause emails from their domain to no longer be aligned with their SPF records or using DKIM. To resolve these issues you would have to update their SPF or DMARC policies accordingly.
 
However, as long as you have p=none in your DMARC policy and the policy_evaluated and auth_results show "Pass" for both SPF and DKIM then you can safely ignore that report (and if a domain routinely gets passing marks then you can safely set your DMARC p= to a more restrictive modifier).
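
Added example, not part of the thread or of SmarterMail: a small Python triage script for aggregate reports like the one in the question, sorting each source IP into "ignore" (SPF and DKIM both pass, the case described above), "review" (only one passes) or "fail" (neither passes). The `triage` function, the bucket names, the two extra sample records and the assumption that the report carries no XML namespace are illustrative choices, not taken from the thread.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample. The first record mirrors the report in the question; the
# other two (documentation-range IPs) are invented to show the other outcomes.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
  <policy_published><domain>potentiaconcepts.com</domain><p>none</p></policy_published>
  <record><row><source_ip>199.73.56.66</source_ip><count>1</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
    </policy_evaluated></row></record>
  <record><row><source_ip>192.0.2.10</source_ip><count>12</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf>
    </policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.7</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
    </policy_evaluated></row></record>
</feedback>"""


def triage(report: bytes):
    """Return (published policy, {bucket: Counter of source_ip -> messages})."""
    # Reports come from outside parties; a real one never needs a DTD.
    if b"<!DOCTYPE" in report or b"<!ENTITY" in report:
        raise ValueError("unexpected DTD in DMARC aggregate report")
    root = ET.fromstring(report)
    policy = root.findtext("policy_published/p", default="none")
    buckets = {"ignore": Counter(), "review": Counter(), "fail": Counter()}
    for row in root.iterfind("record/row"):
        ip = row.findtext("source_ip", default="unknown")
        count = int(row.findtext("count", default="0"))
        # policy_evaluated holds the aligned results that DMARC acts on.
        passed = [row.findtext(f"policy_evaluated/{m}", default="fail") == "pass"
                  for m in ("dkim", "spf")]
        if all(passed):
            bucket = "ignore"   # both aligned: nothing to do
        elif any(passed):
            bucket = "review"   # DMARC still passes, but one mechanism is broken
        else:
            bucket = "fail"     # spoofed mail or a sender not yet covered
        buckets[bucket][ip] += count
    return policy, buckets


if __name__ == "__main__":
    policy, buckets = triage(SAMPLE)
    print(f"published policy: p={policy}")
    for name, ips in buckets.items():
        print(name, dict(ips))
```

Reports usually arrive as .zip or .gz attachments, so decompress them before passing the bytes to `triage`.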
0
Eric Bourland Replied
Scarab, this is a really useful and thorough reply. Thank you as always for your guidance. Eric
0
Tim Uzzanti Replied
Employee Post
Nice answer. Appreciate the participation!
Tim Uzzanti
CEO
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
