Understanding DMARC Report and Manage Your DMARC Aggregate & Forensic Reports - NETSEC


Sunday, November 5, 2023

Understanding DMARC Report and Manage Your DMARC Aggregate & Forensic Reports

DMARC reports are organized DMARC authentication and sender alignment data that are typically delivered to a designated email address or accessible through a web-based portal. Once you have the reports, you can analyze them to gain insights into the DMARC authentication status and handling of email messages sent from your domain.

In this blog post, I will show you some online websites with useful tools to help you manage your DMARC reports.


 

Check Your Domain DMARC/SPF/DKIM Status

https://dmarcian.com/domain-checker/







Configure DMARC

Some resources we can use online for DMARC deployment:

1 Proofpoint has a free interactive tool to create your DMARC record here.

2 https://mxtoolbox.com/dmarc/details/dmarc-tags

3 DMARC Report (https://app.dmarcreport.com/) (jy @ 51sec): Manage and monitor your DMARC configuration and reports 

4 https://app.easydmarc.com/

5 https://dmarcian.com/domain-checker/


DMARC uses a combination of SPF and DKIM to authenticate email. An email passes DMARC, and is delivered normally, when it passes either SPF or DKIM with a domain that aligns with the From: header. DMARC also adds one key feature that makes it far more effective than SPF or DKIM alone: reporting.



  • Policy set to none

    _dmarc.contoso.com 3600 IN  TXT  "v=DMARC1; p=none"

  • Policy set to quarantine

    _dmarc.contoso.com 3600 IN  TXT  "v=DMARC1; p=quarantine"

  • Policy set to reject

    _dmarc.contoso.com 3600 IN  TXT  "v=DMARC1; p=reject"

Once you've formed your record, you need to update the record at your domain registrar.




DMARC configuration


For example, for 51sec.org site, we can create one _dmarc TXT record:
  • TXT     _dmarc        v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:[email protected]
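To see what the tags in a record like the one above actually mean, here is an added example (not code from the original post) that parses a DMARC TXT record into its tags, applies the defaults for tags that are absent, and reports settings a domain owner would want to fix. The record strings are the ones shown above; the rua address is a constructed placeholder.

```python
# Added example (not from the original post): parse a DMARC TXT record into its
# tags and report settings a domain owner would want to fix. Record strings are
# the ones shown above; the rua address is a constructed placeholder.
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "fo": "0"}  # RFC 7489 defaults

def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict and apply the DMARC defaults."""
    tags = {}
    for part in txt.split(";"):
        if part.strip():
            name, _, value = part.partition("=")
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: v=DMARC1 and p= are required")
    tags.setdefault("sp", tags["p"])  # subdomain policy inherits p when absent
    for key, value in DEFAULTS.items():
        tags.setdefault(key, value)
    return tags

def review(txt):
    """Return findings (empty list when the record is in good shape)."""
    tags = parse_dmarc(txt)
    findings = []
    if tags["p"] == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= tag: aggregate reports will not be sent to you")
    if tags["pct"] != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only part of the mail")
    if tags["sp"] == "none" and tags["p"] != "none":
        findings.append("sp=none: subdomains are left unprotected")
    return findings

if __name__ == "__main__":
    for rec in ("v=DMARC1; p=none",
                "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@example.org"):
        print(rec, "->", review(rec) or "no findings")
```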





Understand DMARC Report

You might receive a DMARC aggregate report from different email providers, such as Microsoft or Google, as shown below.



The report should contain information about your ISP, source IP, sender address, server and authentication status. 

In the raw file for your reports, you can find information about:

  •  Your ISP, the name of your email service provider

<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <email>[email protected]</email>
    <extra_contact_info>http://google.com/dmarc/support</extra_contact_info>

  •  The report ID number

    <report_id>8293631894893125362</report_id>

  • The beginning and ending date range (Unix epoch time, in seconds)

    <date_range>
      <begin>1234573120</begin>
      <end>1234453590</end>
    </date_range>

Note: You can check the time from https://www.epochconverter.com/


  • Your DMARC record specifications as published in your domain’s DNS

  <policy_published>
    <domain>yourdomain.com</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>none</p>
    <sp>none</sp>
    <pct>100</pct>
  </policy_published>

  • IP address of the sending source

<source_ip>302.0.214.308</source_ip>

  • An overview of your authentication results (SPF and DKIM pass/fail result summary)

      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>fail</dkim>
        <spf>pass</spf>
      </policy_evaluated>

  • From: domain

 <header_from>yourdomain.com</header_from>

  • DKIM authentication results

      <dkim>
        <domain>yourdomain.com</domain>
        <result>fail</result>
        <human_result></human_result>
      </dkim>

  • SPF authentication results

      <spf>
        <domain>yourdomain.com</domain>
        <result>pass</result>
      </spf>




A real-life example report that shows someone spoofing my domain to send an email to hotmail.com:

<?xml version="1.0"?>
<feedback xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <version>1.0</version>
  <report_metadata>
    <org_name>Outlook.com</org_name>
    <email>[email protected]</email>
    <report_id>ab0f1e00f37c4e5699ad3918b6694d18</report_id>
    <date_range>
      <begin>1698969600</begin>
      <end>1699056000</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>51sec.org</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>quarantine</p>
    <sp>quarantine</sp>
    <pct>100</pct>
    <fo>1</fo>
  </policy_published>
  <record>
    <row>
      <source_ip>38.121.105.168</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>quarantine</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <envelope_to>hotmail.com</envelope_to>
      <envelope_from>51sec.org</envelope_from>
      <header_from>51sec.org</header_from>
    </identifiers>
    <auth_results>
      <spf>
        <domain>51sec.org</domain>
        <scope>mfrom</scope>
        <result>fail</result>
      </spf>
    </auth_results>
  </record>
</feedback>


You can check the IP to see whether it makes sense to you, i.e. whether you might have sent an email to hotmail.com from it. If you have no idea about this IP and the sent-to domain hotmail.com, most likely someone is trying to spoof your domain to send emails to hotmail.com.
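The check described above can be automated. The following is an added example (not code from the original post) that parses the aggregate report structure walked through in this section, renders the epoch date range as dates, and flags every row whose aligned DKIM and aligned SPF both fail, which is exactly the case in the Outlook.com report. SAMPLE_REPORT is that report, trimmed and embedded as a constructed test string.

```python
# Added example (not from the original post): parse a DMARC aggregate report and
# flag rows that fail DMARC. SAMPLE_REPORT is the Outlook.com report shown in the
# post, trimmed and embedded here as a constructed test string.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>Outlook.com</org_name>
    <date_range><begin>1698969600</begin><end>1699056000</end></date_range>
  </report_metadata>
  <policy_published><domain>51sec.org</domain><p>quarantine</p></policy_published>
  <record>
    <row><source_ip>38.121.105.168</source_ip><count>1</count>
      <policy_evaluated><disposition>quarantine</disposition>
        <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><envelope_to>hotmail.com</envelope_to>
      <header_from>51sec.org</header_from></identifiers>
  </record>
</feedback>"""

def text(node, path, default=""):
    """Text of the first element matching path, or default when it is absent."""
    found = node.find(path)
    return found.text.strip() if found is not None and found.text else default

def epoch_day(ts):
    """date_range values are Unix epoch seconds; render them as UTC dates."""
    return datetime.fromtimestamp(int(ts), timezone.utc).strftime("%Y-%m-%d")

def parse_report(xml_text):
    """Return report metadata plus one dict per <record> with a 'suspect' flag."""
    root = ET.fromstring(xml_text)
    report = {"org": text(root, "report_metadata/org_name"),
              "domain": text(root, "policy_published/domain"),
              "begin": epoch_day(text(root, "report_metadata/date_range/begin", "0")),
              "end": epoch_day(text(root, "report_metadata/date_range/end", "0")),
              "records": []}
    for rec in root.findall("record"):
        dkim = text(rec, "row/policy_evaluated/dkim")
        spf = text(rec, "row/policy_evaluated/spf")
        report["records"].append({
            "source_ip": text(rec, "row/source_ip"),
            "count": int(text(rec, "row/count", "0")),
            "header_from": text(rec, "identifiers/header_from"),
            "envelope_to": text(rec, "identifiers/envelope_to"),
            # DMARC passes when either aligned DKIM or aligned SPF passes, so a
            # row failing both came from a source the domain did not authorize.
            "suspect": dkim != "pass" and spf != "pass"})
    return report
```

Call `parse_report(SAMPLE_REPORT)` and inspect the rows flagged `suspect`; as the post says, compare each flagged source IP against your known senders, since forwarded or mailing-list mail can also fail both checks without being a spoof.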

Here is how this reported DMARC record looks on the dmarcreport.com website.







References


  • https://powerdmarc.com/how-to-read-dmarc-reports/






