Do you wish DMARC data also provided recipient information? The common aggregate report is known to contain very little domain-identifying information. It typically contains:
- From header domain
- The RFC5321.MailFrom or EHLO/HELO domain
- The sender’s DKIM signing domain
There is a less common tag that is currently found only in reports provided by Microsoft, for both their Exchange Online enterprise product and their free consumer webmail product. When digging into those reports, you can find additional information under the <identifiers> tag of the report in the form of an <envelope_to> tag.
This tag reports the domain hosted on Microsoft that received the email in question.
```xml
<identifiers>
  <envelope_to>hotmail.com</envelope_to>
  <envelope_from>example.com</envelope_from>
  <header_from>example.com</header_from>
</identifiers>
```
This information can be useful in some circumstances, especially if the recipient domain is a recognized partner or organization. It is also useful for organizations that use Microsoft 365 or Exchange Online and are trying to identify a third-party system sending emails on behalf of their domain. Any report from Microsoft with the provider name “Enterprise Outlook” is for their enterprise product, and could be your tenant. Looking at the <envelope_to> tag can confirm whether or not you are receiving such emails, and whether an email trace or a search in Microsoft Defender might produce results.
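The check described above, as an added example that is not part of the original post: it scans a DMARC aggregate report for records whose <envelope_to> is one of your own recipient domains, so you know which source IPs to look for in a message trace. The sample report, the function name `tenant_hits` and the domains are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample report (not real data); IPs are documentation ranges.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>Enterprise Outlook</org_name></report_metadata>
  <record><row><source_ip>192.0.2.10</source_ip><count>4</count>
      <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><envelope_to>example.com</envelope_to>
      <envelope_from>mailer.example.net</envelope_from>
      <header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>12</count>
      <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><envelope_to>example.com</envelope_to>
      <envelope_from>example.com</envelope_from>
      <header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>192.0.2.10</source_ip><count>2</count>
      <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><envelope_to>example.org</envelope_to>
      <envelope_from>mailer.example.net</envelope_from>
      <header_from>example.com</header_from></identifiers></record>
</feedback>"""

def tenant_hits(report_xml, own_domains):
    """Return records whose <envelope_to> is one of our own recipient domains."""
    # Reports arrive from outside parties; a DMARC report never needs a DTD.
    if "<!DOCTYPE" in report_xml or "<!ENTITY" in report_xml:
        raise ValueError("unexpected DTD in report; refusing to parse")
    root = ET.fromstring(report_xml)
    for el in root.iter():                 # drop any XML namespace prefix
        el.tag = el.tag.rsplit("}", 1)[-1]
    reporter = root.findtext("report_metadata/org_name", "")
    own = {d.lower() for d in own_domains}
    hits = []
    for rec in root.iter("record"):
        rcpt = rec.findtext("identifiers/envelope_to", "").strip().lower()
        if rcpt not in own:    # tag absent (most reporters) or other recipient
            continue
        hits.append({"reporter": reporter, "envelope_to": rcpt,
                     "header_from": rec.findtext("identifiers/header_from", ""),
                     "source_ip": rec.findtext("row/source_ip", ""),
                     "count": int(rec.findtext("row/count", "0")),
                     "dkim": rec.findtext("row/policy_evaluated/dkim", ""),
                     "spf": rec.findtext("row/policy_evaluated/spf", "")})
    return hits

if __name__ == "__main__":
    print(*tenant_hits(SAMPLE_REPORT, ["example.com"]), sep="\n")
```

Records that fail both DKIM and SPF while landing in your own domain are the ones worth looking up in a message trace.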
I hope this helps!
