FAQ: DMARC Reports

Q: Where are the Forensic reports?
A: Please see this article: https://dmarcian.com/where-are-the-forensicfailure-reports/

Q: Can you tell me where to find more information about email messages that the dmarcian UI is showing in the Detail Viewer? (generally because I need to track down by-who/why the indicated traffic is being sent)
A: All of the information conveyed over DMARC is already shown in the report. To find out more about these messages, you will have to capture them either on your end or at the receiving end. This can be difficult to do without already having some of the data you’re looking for, so many customers often resort to sending a broad poll at their company to identify the source/user.

Q: I sent X number of messages yesterday, but the reporting is only showing Y of them. Where are the rest?
A1: Not every environment participates in DMARC reporting. While logged in, navigate to Tools -> Data Providers to see a complete list of sources which have sent DMARC data in the past 7 days.
A2: DMARC data is reported on a 24-hour UTC midnight to midnight window, and large environments in particular can take a long time to collate and send the prior day’s data. So data for March 15th might not be displayed until fairly late on March 16th.

Q: Why does Domain Overview show my domain as ‘inactive’?
A: Domains are slotted as ‘inactive’ until dmarcian receives DMARC reports which show traffic for them.

5. Q: We do like the visualization that dmarcian gives us but are unsure what to do with this information to ensure a more secure environment. Any help and suggestions would be greatly appreciated.
A: If you haven’t yet looked at this resource, it is a good free place to start: https://dmarcian.com/getting-started-with-dmarcian/

Additionall we have a video series that is helpful too: https://dmarcian.com/category/video/

If you’ve already looked at those resources, and you still have questions, please let us know and we’ll be happy to address it with you. We also offer dedicated support options and if you’re interested, I provide you with that information. We appreciate this type of feedback and are using it to improve our reports and to create videos and tutorials that will make learning about DMARC easier.

Q: What does this message mean?: “The domain has sources of email that are not yet compliant.” Publishing a stronger DMARC policy may result in legitimate email being quarantined or rejected.
A: This is telling you that some messages are not passing DMARC and that they may not get delivered as intended. If you’ve validated all legitimate sources or email, then this message is a good thing. We recommend monitoring your email for a minimum of two weeks before moving to a stricter policy such as p=quarantine or p=reject

Q: Why does Domain Overview show DKIM as ‘no signing’?
A: DKIM signing status depends on dmarcian receiving DMARC data which reports DKIM signing on authenticated traffic for the given domain. If reports on email have been received but there is no DKIM data reported, the status will show as ‘no signing’ with a red background. If there have been no reports on email sent, there can be no data. The app will still indicate ‘no signing’ and under those circumstances, display with an orange background.

Q: How can I see the body of emails that fail DMARC?
A: Forensic reports can theoretically capture that information. We have a Forensic Viewer in our app. You’ll need to manually upload xml reports, forward them to us, or point your ruf record to us (the easiest method).There are two things to keep in mind regarding forensic reports:

  1. Many mail receivers will only send aggregate reports because they could potentially have millions of forensic reports to send each day.
  2. These reports are often heavily redacted due to privacy concerns and GDPR.