DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a tool that helps protect email domains from being used for spam or phishing. One of the key parts of DMARC is the feedback it provides to domain owners in the form of failure reports. But what are these reports and how do they work? Here’s a simple explanation.
What Are Failure Reports?
Failure reports are sent by a mail receiver (such as an email service) as soon as it detects a message that fails DMARC authentication. These reports are useful because they tell the domain owner quickly when an authentication failure has occurred.
The cause could be a problem with the domain’s own infrastructure (for example, a misconfigured SPF record or DKIM key), or the message could simply not be authentic. Failure reports also provide more information about the individual failed message than aggregate reports do.
What’s in a Failure Report?
A failure report should include any URIs from the message that failed authentication. It should also include as much of the message and its headers as possible. This helps the domain owner investigate why the message failed authentication and find out who sent it.
When a domain owner asks for failure reports for forensic analysis, and the mail receiver is willing to provide them, the receiver generates and sends a message in a specific format. This format is described in the document referred to as [AFRF].
The destinations for the reports and what they contain are defined by the “ruf” and “fo” tags in the domain’s DMARC policy.
If there are multiple URIs selected to receive failure reports, the receiver should try to deliver the report to each of them.
How Are Failure Reports Protected Against Abuse?
There’s a risk that an attacker could send large numbers of messages that claim to come from the domain but fail the SPF and DKIM checks. Each one would cause the mail receiver to send a failure report to the domain owner, which amounts to a denial-of-service attack on the report destination.
To protect against this, mail receivers are encouraged to aggregate these reports as much as possible. They can do this in several ways, such as:
- Only sending a report for the first recipient of a message that’s sent to multiple recipients.
- Storing reports for a while before sending them, which allows the receiver to detect, collect, and report similar incidents.
- Applying rate limiting, such as only generating a certain number of reports per minute and discarding the rest.
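To show how the “ruf” and “fo” tags described above drive the decision, and how a receiver can apply the rate limiting just listed, here is an added example (not part of the original explanation and not code from any mail provider). The DMARC record, the example.org addresses and the per-minute limit are constructed placeholders.

```python
import time
from collections import defaultdict

# Constructed DMARC record for illustration only; example.org is a placeholder.
DMARC_RECORD = ("v=DMARC1; p=quarantine; rua=mailto:agg@example.org; "
                "ruf=mailto:ruf@example.org,mailto:soc@example.org; fo=1:d")

def parse_dmarc(record):
    """Split a DMARC TXT record into a tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def report_destinations(tags):
    """Return the mailto: URIs named by the 'ruf' tag (other schemes are ignored)."""
    uris = [u.strip() for u in tags.get("ruf", "").split(",") if u.strip()]
    return [u for u in uris if u.lower().startswith("mailto:")]

def failure_report_wanted(tags, spf, spf_aligned, dkim, dkim_aligned):
    """Apply the 'fo' options (default '0') to one message's results.
    spf/dkim are raw results ('pass'/'fail'); *_aligned is From: alignment."""
    spf_ok = spf == "pass" and spf_aligned
    dkim_ok = dkim == "pass" and dkim_aligned
    for opt in tags.get("fo", "0").split(":"):
        if opt == "0" and not spf_ok and not dkim_ok:
            return True          # no mechanism produced an aligned pass
        if opt == "1" and (not spf_ok or not dkim_ok):
            return True          # any mechanism failed
        if opt == "d" and dkim != "pass":
            return True          # DKIM signature failed, alignment aside
        if opt == "s" and spf != "pass":
            return True          # SPF failed, alignment aside
    return False

class FailureReporter:
    """Receiver-side rate limiter: at most max_per_minute reports per domain."""
    def __init__(self, max_per_minute):
        self.max_per_minute = max_per_minute
        self.counts = defaultdict(int)   # (domain, minute bucket) -> reports sent
    def submit(self, domain, tags, now=None):
        """Return the URIs a report should go to, or [] if the report is dropped."""
        bucket = int((time.time() if now is None else now) // 60)
        if self.counts[(domain, bucket)] >= self.max_per_minute:
            return []                    # over the limit: discard, as described above
        self.counts[(domain, bucket)] += 1
        return report_destinations(tags)
```

A real receiver would also have to verify that report addresses in other domains have agreed to receive reports; that step is not shown here.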
Remember, this is a simplified explanation. In reality, creating and sending DMARC failure reports involves a lot of complex processes and technologies. But hopefully, this gives you a basic understanding of how it works.