Back to Course
Լight modeDark mode

DMARC Forensic Report Views

What are DMARC Failure/Forensic Reports (RUF)? 

DMARC Failure/Forensic Reports are generated when outgoing emails sent from your domain do not align with SPF or DKIM, thereby failing DMARC authentication on your receiver’s end. DMARC forensic reports are thereby important to analyze and detect domain spoofing activities and attempts at brand impersonation by fraudsters. 

When are DMARC Forensic Reports generated? 

If you have DMARC monitoring and reporting enabled for your domain, a DMARC forensic report will be sent whenever your emails fail DMARC authentication on your receiver’s end. It usually highlights a forensic incident such as an unauthorized IP trying to spoof your domain. 

Why haven’t I received any DMARC Forensic Reports?

If you haven’t received any DMARC forensic reports it can be because not all receivers support DMARC forensic reports. However, if you have it enabled for your domain and still have not received any reports, it just means that all your outbound emails have been DMARC authenticated and approved, and have been 100% DMARC compliant (successfully aligned against SPF/DKIM). Your domain has been safe from spoofing activities so far, so as not to trigger any forensic incident. 

Overview of Forensic Reports View 

In the DMARC forensic reports, you can filter results for a specific domain, by date range and subject of the forensic incident, and even search results for a particular hostname or IP of your choice.

 

The DMARC forensic reports on the PowerDMARC platform are sorted into tables with two columns: Subject and Count. "Subject" stands for the subject line of the email for which the forensic incident was triggered for a particular sending source or IP address, and the count is the number of emails sent from this source on behalf of your domain that failed DMARC authentication on your receivers’ end. 

 

Each of these rows can be cascaded, to reveal the IP address of the email sender, the sources’ full domain, the From address and domain name, feedback headers and mail headers. 

You can click on “View” underneath feedback headers and mail headers, to view the header details. 

What are Feedback Headers? 

Feedback headers are the headers of the email containing the forensic feedback reported by the mail receiver. 

What are Mail Headers? 

Email headers contain important information about the origin and path an email took before arriving at its final destination, including the sender’s IP address, email client, and even location. The information could be used to block future emails from the sender (in the case of spam) or to determine the legitimacy of a suspicious email. 

Note: In DMARC Forensic reports your feedback headers and mail headers can be encrypted using our PGP encryption feature. 

How do I export these reports as CSV?

On the PowerDMARC platform, you can directly download your DMARC forensic reports as CSV files with a single click: 

After downloading the CSV file you can view your forensic incident information in detail, as shown below: 

Email Authentication Reporting Tools >DMARC Forensic Report Views
Course content
Advanced Email Authentication Course