DMARC Reports: Embrace Them! (Part I)

First, congratulations on the implementation of DMARC for your organization. It’s one of the best steps you can take to protect your organization’s email domain and brand.

So, what should you do now? Well that really depends on the policy level you have set.

If you are starting off at policy level None, which you should be, then there are still a few actions that need to be taken. Policy level None is meant only to monitor the impact of DMARC for the organization. This level does not benefit the organization or its partners/consumers. You need to move to the policy level set to Quarantine or Reject to have an impact.

So why have a policy level None?

Well, this is to make sure that you have set up SPF and DKIM appropriately for your email domain(s). At policy level None, it is important to review the reports received to confirm that all authorized mail systems are present in SPF, and that DKIM is being used by all email domains associated with the organization.

IT IS IMPORTANT TO REVIEW THE REPORTS GENERATED!!!

DMARC reports will inform you of which messages passed or failed DMARC checks. This capability can also provide more direct visibility into your infrastructure by revealing misconfigurations or new legitimate email-based services that may have been stood up for your organization without your knowledge. Some emails could be sent from third-party vendor systems that finance, marketing, PR, or sales staff are using to send bulk messages. These could be surveys (e.g., MailChimp, SurveyMonkey), customer relationship management (e.g., Salesforce, Hubspot), or outsourced marketing firms.

Additionally, these reports can be beneficial for collecting defensive threat intelligence by potentially identifying spear phishing campaigns or unknown IPs trying to send email on your behalf.
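The review described above can be scripted. The following is an added example, not code from the original post: it parses a constructed aggregate report in the RFC 7489 XML layout, totals the aligned SPF/DKIM results per sending IP, and sorts each IP into the actions the post calls for (record a newly discovered vendor, fix a DKIM gap, investigate an unknown failing source). The report contents, the IP addresses (documentation ranges) and the `KNOWN_SENDERS` inventory are assumptions made for the example.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample aggregate report in the RFC 7489 XML layout. The reporting
# organization, the IP addresses (documentation ranges) and the counts are made up.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
  </report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.25</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>bulkmailer.example</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.77</source_ip><count>7</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""

# Hypothetical inventory of IPs the organization already knows it sends from.
KNOWN_SENDERS = {"192.0.2.10"}


def summarize_report(xml_text):
    """Aggregate one report into {source_ip: counters}.

    The <policy_evaluated> block holds the *aligned* DKIM and SPF results as
    judged by the receiver; DMARC passes when either of them is 'pass'."""
    root = ET.fromstring(xml_text)
    summary = defaultdict(lambda: {"count": 0, "dmarc_pass": 0,
                                   "dkim_aligned": 0, "spf_aligned": 0})
    for rec in root.findall("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        n = int(row.findtext("count"))
        pe = row.find("policy_evaluated")
        dkim_ok = pe.findtext("dkim") == "pass"
        spf_ok = pe.findtext("spf") == "pass"
        s = summary[ip]
        s["count"] += n
        s["dkim_aligned"] += n if dkim_ok else 0
        s["spf_aligned"] += n if spf_ok else 0
        s["dmarc_pass"] += n if (dkim_ok or spf_ok) else 0
    return dict(summary)


def triage(summary, known_senders):
    """Turn the per-IP counters into the review actions the post describes."""
    actions = {}
    for ip, s in summary.items():
        if s["dmarc_pass"] == 0:
            actions[ip] = "failing both SPF and DKIM: investigate (spoofing or misconfiguration)"
        elif ip not in known_senders:
            actions[ip] = "authenticated but not in inventory: identify the service and record it"
        elif s["dkim_aligned"] < s["count"]:
            actions[ip] = "passes on SPF only: DKIM missing or signed with a different domain"
        else:
            actions[ip] = "known sender, fully aligned"
    return actions


if __name__ == "__main__":
    summary = summarize_report(SAMPLE_REPORT)
    for ip, action in triage(summary, KNOWN_SENDERS).items():
        print(f"{ip:16} {summary[ip]['count']:5d} msgs  {action}")
```

Real reports arrive as gzip or zip attachments, one per reporting organization per day, so in practice the same summary is built across many files; the inventory check is what turns a report from a pass/fail tally into the list of vendor systems the post says you may not know about.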

Just note, reviewing reports can be very time consuming depending on the size of the organization and the amount of email being sent.

DMARC has two types of reports, the aggregate report and the forensic report. Both reports are sent by participating recipient email servers to the sending organization. However, in order to receive these reports, the rua (aggregate) and ruf (forensic) tags must be included in your DMARC record. At a minimum, all organizations should get the aggregate reports.

These reports can be sent to anyone within the organization. However, it is strongly recommended to send the reports to a group account rather than individual accounts, especially in mid to large-sized organizations. Otherwise, your inbox could get flooded with reports. Also, your DMARC policy is public record; therefore, anyone can find the report email address and start spamming it.
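The two preceding paragraphs describe what the published record needs to contain before any reports arrive. The following checker is an added example, not code from the original post: it parses a DMARC TXT record into its tags, reports whether the rua and ruf tags are present, flags a p=none policy as monitoring-only, and catches one caveat that bites organizations sending reports to an outside vendor mailbox: when a report address is in a different domain than the policy domain, that domain must publish a `<policy_domain>._report._dmarc.<destination_domain>` TXT record or receivers will not send reports there. The record strings and domain names are constructed for the example.

```python
# Hypothetical checker for a published DMARC TXT record; the record strings used
# in the tests and the domains (example.com, dmarc-vendor.example) are constructed.


def parse_dmarc_record(txt):
    """Split 'v=DMARC1; p=none; rua=...' into a {tag: value} dict."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def report_addresses(value):
    """Parse a rua/ruf value: comma-separated mailto: URIs, each with an
    optional '!size' report-size limit. Returns the bare addresses."""
    addrs = []
    for uri in value.split(","):
        uri = uri.strip()
        if not uri.lower().startswith("mailto:"):
            raise ValueError(f"unsupported report URI: {uri!r}")
        addrs.append(uri[len("mailto:"):].split("!", 1)[0])
    return addrs


def check_dmarc_record(txt, policy_domain):
    """Return a list of findings about the record published for policy_domain."""
    findings = []
    tags = parse_dmarc_record(txt)
    if tags.get("v") != "DMARC1":
        findings.append("v tag missing or not DMARC1: receivers will ignore the record")
    p = tags.get("p")
    if p is None:
        findings.append("p tag missing: record is invalid")
    elif p == "none":
        findings.append("p=none: monitoring only, receivers will not quarantine or reject")
    elif p not in ("quarantine", "reject"):
        findings.append(f"unknown policy value {p!r}")
    for tag, kind in (("rua", "aggregate"), ("ruf", "forensic")):
        if tag not in tags:
            findings.append(f"{tag} missing: no {kind} reports will be received")
            continue
        for addr in report_addresses(tags[tag]):
            dest_domain = addr.rsplit("@", 1)[-1].lower()
            if dest_domain != policy_domain.lower():
                # External destination: the receiving domain must opt in via
                # <policy_domain>._report._dmarc.<dest_domain> (RFC 7489 section 7.1).
                findings.append(
                    f"{tag} sends {kind} reports to {addr}, outside {policy_domain}: "
                    f"{dest_domain} must publish {policy_domain}._report._dmarc.{dest_domain}")
    return findings


if __name__ == "__main__":
    record = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
    for finding in check_dmarc_record(record, "example.com"):
        print(finding)
```

Run it against the record you actually publish (`dig +short TXT _dmarc.yourdomain` gives the string) and keep the rua address a group mailbox, as the post recommends; the external-destination finding is the one to check before handing report delivery to a third-party analysis service.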

Our next blog in this three-part series will focus on the difference between aggregate and forensic reports. Stay tuned!