What Are DMARC Failure Reports?
Failure Reports Overview
Typically, failure reports (or forensic reports) are generated and sent to the owner of the sending domain immediately after a mail receiver detects a DMARC failure. Rather than leaving you to wait for an aggregate report, failure reports notify you quickly when an authentication failure occurs. Whether the issue is due to an infrastructure problem or the message is inauthentic, these reports also provide more information about the failed message than an aggregate report offers. Therefore, depending on your company's needs, failure reports can be more beneficial and convenient for your business email delivery.
All forensic reports should include two key components:
- Any URI(s) from the message that failed authentication
- As much of the message and its headers as is needed to support the domain owner's investigation into what caused the message to fail authentication and to identify the sender
Who Sends Failure Reports?
When a domain owner (you) requests failure reports for the purpose of forensic analysis, and the mail receiver is willing to provide such reports, the mail receiver creates and sends a message using a specific format for ease of use. The reports are generated in real time and immediately sent to you for review.
Failure Reports Tags
The destination(s) and nature of forensic reports are defined by the "ruf" and "fo" tags.
- RUF Report Email Address Tag: Like the rua tag, the ruf tag is optional. It specifies the addresses to which message-specific forensic information is to be reported, as a comma-separated plain-text list of URIs. An example is: ruf=mailto:CUSTOMER@for.example.com.
- Forensic Reporting Options (FO) Tag: The fo tag pertains to how failure/forensic reports are created and presented to DMARC users.
If multiple URIs are selected to receive failure reports, the report generator must attempt to deliver the requested information to each.
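As an added example (not MxToolbox code), the following Python sketch reads the ruf and fo tags from a DMARC record and flags settings that will not produce failure reports. The fo option meanings and the default of 0 are taken from RFC 7489, not from this page; the function names and the sample record are assumptions made for illustration.

```python
# Added example: interpret the ruf and fo tags of a DMARC TXT record.
# fo option meanings and the default ("0") follow RFC 7489, section 6.3.
FO_MEANING = {
    "0": "report only if every mechanism (SPF and DKIM) fails to give an aligned pass",
    "1": "report if any mechanism fails to give an aligned pass",
    "d": "report if a DKIM signature fails evaluation, regardless of alignment",
    "s": "report if SPF fails evaluation, regardless of alignment",
}

def parse_tags(record):
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def failure_reporting(record):
    """Return (ruf_uris, fo_options, warnings) for one DMARC record."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    warnings = []
    ruf = [u.strip() for u in tags.get("ruf", "").split(",") if u.strip()]
    for uri in ruf:
        if not uri.lower().startswith("mailto:"):
            warnings.append(f"unsupported ruf URI scheme: {uri}")
    fo = [o.strip().lower() for o in tags.get("fo", "0").split(":") if o.strip()]
    for opt in fo:
        if opt not in FO_MEANING:
            warnings.append(f"unknown fo option: {opt}")
    if "fo" in tags and not ruf:
        warnings.append("fo is set but there is no ruf address, so fo has no effect")
    return ruf, fo, warnings

# Constructed sample record; the ruf address is the example used on this page.
SAMPLE = "v=DMARC1; p=none; ruf=mailto:CUSTOMER@for.example.com; fo=1:d"

if __name__ == "__main__":
    ruf, fo, warnings = failure_reporting(SAMPLE)
    print("ruf:", ruf)
    for opt in fo:
        print(f"fo={opt}:", FO_MEANING.get(opt, "unknown"))
    print("warnings:", warnings)
```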
An obvious consideration is the denial-of-service attack that can be perpetrated by a fraudster who sends numerous messages that purport to be from the intended victim domain owner but fail both SPF and DKIM. This would cause participating mail receivers to send failure reports to the domain owner or its delegate in potentially huge volumes. Accordingly, participating mail receivers are encouraged to aggregate these reports as much as possible. Several aggregation techniques are available, including the following:
- Only send a failure report to the first recipient of multi-recipient messages
- Store failure reports for a period of time before sending them, allowing detection, collection, and reporting of similar incidents
- Apply rate limiting, such as a maximum number of failure reports per minute that will be generated (and the remainder discarded)
Again, the purpose of implementing failure reports is to receive real-time feedback regarding any DMARC failures encountered. Implementing these reports will improve your email delivery by providing valuable insight into potential DMARC issues. Contact our MxToolbox team of experts for more information.
So, How Do I Take Action?
Because failure reports offer details on specific delivery failures, they often contain sensitive, complex information and aren't supported by many major email providers, such as Google and Yahoo. We recommend that you consider forensic reports for advanced troubleshooting. Also, only enable RUF reporting if you need to analyze specific failed messages and are prepared to handle the privacy demands and lack of support from top email providers. For these issues, MxToolbox offers this solution:
Allow MxToolbox to Automatically Process Your Reports for You
We process and aggregate all of your reports for you to create a detailed look into where your email is being sent from and to, along with alerts and insights into the problems that the data indicates.
Learn more about our DMARC solution