DMARC forensic/failure reports

Failure/Forensic Report? What’s that?

What is a forensic report?

There are two types of DMARC reports: aggregate reports and failure reports (also called forensic reports). Data from aggregate reports are included in most basic DMARC reports and can be viewed in Fraudmarc’s DMARC and senders reports.

The failure reports are different; they provide insight into the email messages that failed authentication. These reports can include information on the email such as the subject line, header information, and any link contained in the body of the message. There are a few things to consider about failure reports:

1. Not all email receivers send failure reports.

Failure reports are optional, and not all DMARC reporters are on board with them. Some of the main concerns are around privacy and volume.

Privacy: Because failure reports can contain most or all of the original message, they sometimes contain personally identifiable information (PII) despite redactions.

Volume: Failure reports are typically generated immediately after a receiving server detects a single message failure, which could quickly get out of control as far as volume. In practice, this is not the case. In fact, it’s quite the opposite. Most domains receive very few failure reports from reporter even when their failure rate is high. They give domain owners a sampling of the failed messages, not an exhaustive list

Therefore, only some reporters send failure reports and only some of the time. Microsoft, NetEase, LinkedIn, and a few smaller reporters are the main reporters who send failure reports. You won’t see any failure reports from Google or Yahoo.

2. Failure reports can decrease the time required to implement Reject

Because of the information that is often included in failure reports, they can be incredibly useful in determining whether a sender needs to be reconfigured or a domain needs to move to a stricter policy to protect against spoofing.

3. The format is not consistent between reporters

Failure reports do not come in one standard form, and may or may not include information such as the sending IP address, the subject line, to and from addresses, and the body of the message with any links.
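As an added example (not Fraudmarc’s code) of what a failure report carries and why anything that reads them must tolerate missing fields, here is a Python parser for the ARF form (RFC 5965 / RFC 6591) that most reporters use, run over a constructed sample report; the IP address, domains, addresses and subject in the sample are placeholders.

```python
# Parse a DMARC failure (forensic) report sent in ARF form (RFC 5965/6591).
# Added example, not Fraudmarc's code; every field is optional because
# reporters omit them freely, so missing ones come back as None.
import email
import re
FIELDS = ("Auth-Failure", "Source-IP", "Original-Mail-From",
          "Reported-Domain", "Authentication-Results")

def parse_failure_report(raw: str) -> dict:
    """Return the feedback-report fields plus subject and links of the original."""
    msg = email.message_from_string(raw)
    result = {f: None for f in FIELDS}
    result.update(original_subject=None, original_links=[])
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/feedback-report":
            # The part body is a header block; the parser exposes it as a nested Message.
            report = part.get_payload(0)
            for f in FIELDS:
                result[f] = report.get(f)
        elif ctype == "message/rfc822":
            # The original failed message, possibly redacted by the reporter.
            original = part.get_payload(0)
            result["original_subject"] = original.get("Subject")
            body = (original.get_payload(decode=True) or b"").decode("utf-8", "replace")
            result["original_links"] = re.findall(r"https?://\S+", body)
    return result

# Constructed sample report; IP, domains and addresses are placeholders.
SAMPLE_REPORT = """\
From: dmarc-reporter@reporter.example.net
Content-Type: multipart/report; report-type=feedback-report; boundary="b1"

--b1
Content-Type: message/feedback-report

Auth-Failure: dmarc
Source-IP: 192.0.2.10
Original-Mail-From: billing@example.com
Reported-Domain: example.com
Authentication-Results: mx.reporter.example.net; dkim=fail; spf=fail

--b1
Content-Type: message/rfc822

From: billing@example.com
Subject: Invoice 4711 overdue

Pay now at http://example.com/invoice
--b1--
"""
```

Running `parse_failure_report(SAMPLE_REPORT)` yields the reporter's fields alongside the original subject and the single link; deleting any field from the sample simply leaves its value as None.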

Failure reports: yes or no?

Some domain owners who are concerned with PII-related issues choose to disable failure reports. However, they often offer substantial value when used to configure senders and move to a strict policy more quickly. The choice is up to the domain owner.

Fraudmarc can help

When enabled, we collect and display failure reports to allow domain owners to use this valuable information to authorize the senders they want and move faster towards blocking spoofed messages.
