Back to Community Threads
3
question about repeated DMARC reports
Question asked by Eric Bourland - 12/5/2017 at 7:45 AM
Unanswered
Hi, friends. May I ask your advice regarding DMARC? I have been getting a lot of DMARC reports, and so have my clients. Frankly, I am not sure what to do with these reports. I have DMARC properly configured for many domains on my SmarterMail server, but what should I do when I get a report like the one, below? Is the report telling me I need to change something? Thank you for your advice. Eric
 
<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
  <report_metadata>
    <org_name>xs4all.nl</org_name>
    <email>noreply@dmarc-reports.xs4all.net</email>
    <extra_contact_info>mailto:admin@dmarc-reports.xs4all.net</extra_contact_info>
    <report_id>xs4all.nl.1512433927.629.1137</report_id>
    <date_range>
      <begin>1512345600</begin>
      <end>1512432000</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>potentiaconcepts.com</domain>
    <adkim>s</adkim>
    <aspf>s</aspf>
    <p>none</p>
    <sp>none</sp>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>199.73.56.66</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>potentiaconcepts.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>potentiaconcepts.com</domain>
        <result>pass</result>
      </dkim>
      <spf>
        <domain>potentiaconcepts.com</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
</feedback>
 

4 Replies

Reply to Thread
0
Eric Bourland Replied
12/5/2017 at 6:21 PM
I think this is just an aggregated DMARC report; but I receive several of these every day, sometimes for the same domain. It seems to me that I receive many more of these reports than I used to. I suppose my real question is, should I be concerned about any of this? Thank you again for your wise advice regarding the management of a DMARC rule.
3
Scarab Replied
12/6/2017 at 1:26 PM
As DMARC has become more widely adopted you will inevitably see an increase in DMARC reports. I cannot stress highly enough that you want DMARC reports to go to a unique address that is used only for collecting DMARC reports (i.e. dmarc@domain.tld). That said, unless you are using a 3rd Party utility to parse DMARC reports (we used to use DMARC Analyzer but there are many other solutions) then after a period of time when you are certain that all emails from a domain are passing DMARC (30 days is usually ample enough time) you would want to set the policy (p= modifier) from "none" to either "quarantine" or "reject". This will dramatically reduce the number of DMARC reports you receive considerably as only those emails that fail will result in a DMARC report being sent (a p="none" will result in a DMARC report for passes and fails).
 
It is important to periodically review or audit these DMARC reports (which is why using a 3rd Party monitoring tool is useful). Most failures will be caused by Spoofed emails but invariably you'll have customers who will get a new network printer that they don't setup SMTP Authentication for, or will sign-up for QuickBooks or a Marketing Service such as Constant Contact or MailChimp which will cause emails from their domain to no longer be aligned with their SPF Records or using DKIM. To resolve these issues you would have to update their SPF or DMARC policies accordingly.
 
However, as long as you have p=none in your DMARC policy and the policy_evaluated and auth_results show "Pass" for both SPF and DKIM then you can safely ignore that report (and if a domain routinely gets passing marks then you can safely set your DMARC p= to a more restrictive modifier).
0
Eric Bourland Replied
12/6/2017 at 9:17 PM
Scarab, this is a really useful and thorough reply. Thank you as always for your guidance. Eric
0
Tim Uzzanti Replied
12/7/2017 at 7:49 AM
Employee Post
Nice answer. Appreciate the participation!
Tim Uzzanti CEO SmarterTools Inc. www.smartertools.com
Back to Community Threads

Reply to Thread

Related Knowledge Base Articles

Messages to Yahoo! Emails are Temporarily DeferredSmarterMail > Troubleshooting
Find a Compromised AccountSmarterMail > Troubleshooting
Configure SSL/TLS to Secure SmarterMailSmarterMail > Server Configuration and Management
Recommended SPAM SettingsSmarterMail > Antispam and Antivirus
Flex Billing for Microsoft Exchange ActiveSyncGeneral Topics