Understanding DMARC reports


I decided it was about time I sat down and tried to understand these DMARC reports, and I think I now have a better grasp of what they contain.

Below is the DMARC record that was published for one of my domains at the time of writing. The record I originally had (and which generated the report discussed below) requested aggregate (rua) reports; I have since changed it to request only failure (ruf) reports. One thing worth knowing before making that change: with no rua tag, receivers have nowhere to send aggregate reports, and most large mailbox providers (Google, for one) do not send failure reports at all, so a ruf-only record can leave you with very little visibility:

v=DMARC1; p=reject; ruf=mailto:dmarc@example.com; adkim=r; aspf=r;

Note that I have used 'example.com' in place of my actual domain name throughout.

The report itself, which was generated while my original (rua) record was in place, is an XML document. Below it is broken down section by section, using a real received RUA (aggregate) report:

<?xml version="1.0" encoding="UTF-8"?>
<feedback>
<version>1.0</version>
<report_metadata>
<org_name>kddi.com</org_name>
<email>noreply-dmarc-support@kddi.com</email>
<extra_contact_info>https://support.kddi.com/dmarc</extra_contact_info>

Above is the start of the report_metadata section. It identifies the reporting organisation (the receiving mail provider, here kddi.com, a Japanese carrier), a contact address and a support URL. This is the party that received mail claiming to be from my domain and is telling me what it did with it.

Next is the report ID, which should be unique per reporter:

<report_id>20241118133820067715</report_id>

Followed by the date range covered by the report (in the full report, </report_metadata> closes immediately after it):

<date_range>
<begin>1731881931</begin>
<end>1731904700</end>
</date_range>

The begin and end values are Unix timestamps (seconds since 1970-01-01 00:00:00 UTC). Use https://timestamp.online/ to convert them, or `date -u -d @1731881931` on a Linux box. For this report:

1731881931 = 17/11/2024, 22:18:51 UTC

1731904700 = 18/11/2024, 04:38:20 UTC

As an aside, the report ID above appears to embed the end time in the reporter's local zone: 13:38:20 is 04:38:20 UTC plus nine hours, which is JST.

Next is policy_published, the reporter's view of my DMARC record at the time. Note that sp, pct and fo did not appear in my record; the receiver reports the defaults it applied (sp defaults to the value of p, pct to 100 and fo to 0, which means a failure report is only generated when every mechanism fails). adkim and aspf are the alignment modes: r (relaxed) accepts any subdomain of the same organisational domain, s (strict) requires an exact match with the From: domain:

<policy_published>
<domain>example.com</domain>
<adkim>r</adkim>
<aspf>r</aspf>
<p>reject</p>
<sp>reject</sp>
<pct>100</pct>
<fo>0</fo>
</policy_published>

Next comes the first record (in the full report these lines sit inside <record><row>): the IP address of the sending host and the number of messages from that IP which produced this same combination of results. Aggregate reports group messages, so a busy spoofer would show a much larger count:

<source_ip>165.154.234.207</source_ip>
<count>1</count>

A check of the IP address shows the location of the sender as 'Lagos, Lagos, Nigeria'. Geolocation is only a rough indicator, though: the host could be a relay or a compromised machine that has nothing to do with whoever is behind the message.

Next is policy_evaluated, the receiver's verdict:

<policy_evaluated>
<disposition>reject</disposition>
<dkim>fail</dkim>
<spf>fail</spf>
<reason>
<type></type>
<comment></comment>
</reason>
</policy_evaluated>

This says the message was rejected. The dkim and spf values here are the DMARC-aligned results (did an identifier both pass and align with the From: domain?), not the raw authentication results, which come later in the record. The reason block is where a receiver records a policy override (types such as forwarded, mailing_list or local_policy) when its disposition differs from what my policy asked for; here it is empty, so no override was applied.

Next are the identifiers: the domain the message was delivered to (envelope_to, here KDDI's ezweb.ne.jp mobile mail domain), the RFC5321.MailFrom domain that SPF was checked against (envelope_from) and the RFC5322.From header domain (header_from). DMARC alignment is judged against header_from, because that is the address the recipient actually sees. Here the sender used my domain for both:

<identifiers>
<envelope_to>ezweb.ne.jp</envelope_to>
<envelope_from>example.com</envelope_from>
<header_from>example.com</header_from>
</identifiers>

And finally, the raw authentication results:

<auth_results>
<dkim>
<domain></domain>
<selector></selector>
<result>none</result>
<human_result>no signature data</human_result>
</dkim>
<spf>
<domain>example.com</domain>
<scope>mfrom</scope>
<result>fail</result>
</spf>
</auth_results>

This shows that DKIM did not so much fail as never happen: a result of none with 'no signature data' means the message carried no DKIM-Signature header at all, which is why the domain and selector are empty. SPF was checked against example.com in the mfrom scope (the MAIL FROM domain) and failed, because 165.154.234.207 is not authorised by my domain's SPF record. With no aligned identifier passing, the message failed DMARC and the receiver applied my p=reject.

As I did not send the email in question, the DMARC policy has done its job: the receiver rejected a message that spoofed my domain - success!
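To make the walk-through above concrete, here is a small parser for aggregate reports. This is an added example of mine, not code from the post: it reassembles the report quoted above into one well-formed document (adding the enclosing record and row elements that the section-by-section view leaves out), converts the timestamps to UTC, and re-derives the DMARC verdict from the raw auth_results and the published alignment modes, so you can see why policy_evaluated reads fail/fail even though the raw DKIM result is 'none'. The org_domain helper is a deliberate simplification: it takes the last two labels rather than consulting the Public Suffix List.

```python
"""Parse a DMARC aggregate (RUA) report and re-derive each record's verdict.
Added example, not the post's own code. SAMPLE_REPORT is the post's report
reassembled into a well-formed document (record/row wrappers added)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed input: the report quoted in the post, made well-formed.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback><version>1.0</version>
<report_metadata><org_name>kddi.com</org_name>
<email>noreply-dmarc-support@kddi.com</email>
<extra_contact_info>https://support.kddi.com/dmarc</extra_contact_info>
<report_id>20241118133820067715</report_id>
<date_range><begin>1731881931</begin><end>1731904700</end></date_range>
</report_metadata>
<policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
<p>reject</p><sp>reject</sp><pct>100</pct><fo>0</fo></policy_published>
<record><row><source_ip>165.154.234.207</source_ip><count>1</count>
<policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf>
<reason><type></type><comment></comment></reason></policy_evaluated></row>
<identifiers><envelope_to>ezweb.ne.jp</envelope_to>
<envelope_from>example.com</envelope_from><header_from>example.com</header_from>
</identifiers>
<auth_results><dkim><domain></domain><selector></selector><result>none</result>
<human_result>no signature data</human_result></dkim>
<spf><domain>example.com</domain><scope>mfrom</scope><result>fail</result></spf>
</auth_results></record></feedback>
"""


def text(elem, path, default=""):
    """Stripped text of the first child matching path, or default if absent."""
    node = elem.find(path) if elem is not None else None
    return (node.text or "").strip() if node is not None else default


def org_domain(domain):
    """Organisational domain, approximated as the last two labels (assumption:
    real receivers use the Public Suffix List, so example.co.uk is wrong here)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, header_from, mode):
    """DMARC identifier alignment: exact match for strict ('s'), same
    organisational domain for relaxed ('r'). An empty domain never aligns."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)


def parse_report(xml_text):
    root = ET.fromstring(xml_text)
    meta, pol = root.find("report_metadata"), root.find("policy_published")
    adkim, aspf = text(pol, "adkim", "r"), text(pol, "aspf", "r")
    report = {
        "org_name": text(meta, "org_name"), "report_id": text(meta, "report_id"),
        "begin": datetime.fromtimestamp(int(text(meta, "date_range/begin")), tz=timezone.utc),
        "end": datetime.fromtimestamp(int(text(meta, "date_range/end")), tz=timezone.utc),
        "domain": text(pol, "domain"), "p": text(pol, "p"), "records": [],
    }
    for rec in root.findall("record"):
        header_from = text(rec, "identifiers/header_from")
        # DMARC passes if any DKIM signature verifies AND aligns with From:,
        # or SPF passes AND aligns. A 'none' DKIM result has no domain to align.
        dkim_pass = any(text(d, "result") == "pass" and aligned(text(d, "domain"), header_from, adkim)
                        for d in rec.findall("auth_results/dkim"))
        spf_pass = any(text(s, "result") == "pass" and aligned(text(s, "domain"), header_from, aspf)
                       for s in rec.findall("auth_results/spf"))
        report["records"].append({
            "source_ip": text(rec, "row/source_ip"),
            "count": int(text(rec, "row/count", "0")),
            "header_from": header_from,
            "disposition": text(rec, "row/policy_evaluated/disposition"),
            # The receiver's aligned verdicts (policy_evaluated) beside our own.
            "reported": (text(rec, "row/policy_evaluated/dkim"), text(rec, "row/policy_evaluated/spf")),
            "recomputed": ("pass" if dkim_pass else "fail", "pass" if spf_pass else "fail"),
            "dmarc_pass": dkim_pass or spf_pass,
        })
    return report


def failing_sources(report):
    """(ip, count, disposition) for every record that failed DMARC: either a
    spoofer or a legitimate sender you forgot to authorise."""
    return [(r["source_ip"], r["count"], r["disposition"])
            for r in report["records"] if not r["dmarc_pass"]]


if __name__ == "__main__":
    rpt = parse_report(SAMPLE_REPORT)
    print(f"{rpt['org_name']} report {rpt['report_id']} for {rpt['domain']} (p={rpt['p']}), "
          f"{rpt['begin']:%Y-%m-%d %H:%M:%S} to {rpt['end']:%Y-%m-%d %H:%M:%S} UTC")
    for r in rpt["records"]:
        print(f"  {r['source_ip']} x{r['count']} From={r['header_from']} "
              f"reported={r['reported']} recomputed={r['recomputed']} -> {r['disposition']}")
    print("  failing sources:", failing_sources(rpt))
```

Run against a real report, the cross-check between reported and recomputed is the useful bit: if they disagree, either the receiver applied an override you should see in the reason block, or your reading of the alignment rules is off. Swapping the published aspf to s and feeding a record whose SPF domain is a subdomain of the From: domain shows how strict alignment turns a pass into a fail.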

I don't yet have any recent DMARC failure (ruf) reports to compare with the aggregate report above. Unlike aggregate reports, which are XML summaries, failure reports are sent per message in the Authentication Failure Reporting Format (AFRF, RFC 6591) and can include headers or a sample of the offending message, which is also why many receivers decline to send them. I may update this post when one becomes available.

Finally, just to say: this is not an expert, definitive analysis, just my rudimentary understanding!