Why do I receive a DMARC report every day?

If you have set up DMARC for your email, you may now be receiving an email every day that contains nothing but a Report ID and a zipped XML attachment.

You may be wondering: I set all this up only for enhanced security, so why do I get an email every day from noreply-dmarc-support@google.com?

When you open the XML files, they look like this (the first report is from Google, the second from Mail.Ru):

<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
    <report_metadata>
        <org_name>google.com</org_name>
        <email>noreply-dmarc-support@google.com</email>
        <extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
        <report_id>3040679988804443845</report_id>
        <date_range>
            <begin>1680307200</begin>
            <end>1680393599</end>
        </date_range>
    </report_metadata>
    <policy_published>
        <domain>atulhost.com</domain>
        <adkim>s</adkim>
        <aspf>s</aspf>
        <p>reject</p>
        <sp>reject</sp>
        <pct>100</pct>
    </policy_published>
    <record>
        <row>
            <source_ip>101.102.103.104</source_ip>
            <count>1</count>
            <policy_evaluated>
                <disposition>none</disposition>
                <dkim>pass</dkim>
                <spf>pass</spf>
            </policy_evaluated>
        </row>
        <identifiers>
            <header_from>atulhost.com</header_from>
        </identifiers>
        <auth_results>
            <dkim>
                <domain>atulhost.com</domain>
                <result>pass</result>
                <selector>zmail</selector>
            </dkim>
            <spf>
                <domain>atulhost.com</domain>
                <result>pass</result>
            </spf>
        </auth_results>
    </record>
</feedback>

<?xml version='1.0' encoding='utf-8'?>
<feedback>
    <report_metadata>
        <org_name>Mail.Ru</org_name>
        <email>dmarc_support@corp.mail.ru</email>
        <extra_contact_info>http://help.mail.ru/mail-help</extra_contact_info>
        <report_id>87811006382192030281681084800</report_id>
        <date_range>
            <begin>1681084800</begin>
            <end>1681171200</end>
        </date_range>
    </report_metadata>
    <policy_published>
        <domain>atulhost.com</domain>
        <adkim>s</adkim>
        <aspf>s</aspf>
        <p>reject</p>
        <sp>reject</sp>
        <pct>100</pct>
    </policy_published>
    <record>
        <row>
            <source_ip>111.112.113.114</source_ip>
            <count>1</count>
            <policy_evaluated>
                <disposition>reject</disposition>
                <dkim>fail</dkim>
                <spf>fail</spf>
            </policy_evaluated>
        </row>
        <identifiers>
            <header_from>atulhost.com</header_from>
        </identifiers>
        <auth_results>
            <spf>
                <domain>atulhost.com</domain>
                <scope>mfrom</scope>
                <result>softfail</result>
            </spf>
        </auth_results>
    </record>
</feedback>

For security reasons, I have replaced sensitive information with random numbers.

Sometimes, I get similar emails from other email services like outlook.com, yahoo.com, yandex.ru, mail.ru, etc., but the content is almost the same.

Is something wrong or misconfigured?

No, nothing is misconfigured. The TXT record you added to DNS is doing all this.

Do not worry, it is all good. You are getting these emails as confirmation that you have configured everything correctly.

Here is the explanation for this:

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It is, in effect, a ruleset for reporting back to you on the quality of the email messages received from your domain, a kind of confirmation mail that everything is working.

You are receiving those XML reports because that is what you asked for with the rua=mailto:email@example.com; part of your DMARC TXT record.

Below is a sample DNS entry of the DMARC TXT record. Yours could be different.

"v=DMARC1;p=reject;pct=100;rua=mailto:email@example.com"

Please read the specification (RFC 7489).

RUA stands for “Reporting URI of Aggregate” reports.

Using it, you are telling every DMARC-compliant recipient server to send you a (daily) aggregate report for the emails it receives that were sent by you or on your behalf.

Have a look at dmarc.org where you can find a nice overview of the system.

In Google’s case, what Google is trying to say is that messages received by Gmail servers were correctly signed (DKIM) and sent from authorized IPs (SPF). Based on this, we can say that Google has only received legitimate messages from your domain.
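Reading these reports by eye does not scale, so here is an added example (not from the original post) that unpacks an attachment and lists the sources that failed DMARC. It assumes reports without an XML namespace, as in the two shown above; `MAX_XML_BYTES`, `load_report` and `summarize` are names chosen for this sketch, and `SAMPLE` is constructed from the Mail.Ru record.

```python
import gzip
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MAX_XML_BYTES = 5 * 1024 * 1024  # assumed cap: reports are third-party input

# Constructed sample: the failing Mail.Ru record shown above, trimmed.
SAMPLE = b"""<feedback>
  <report_metadata><org_name>Mail.Ru</org_name><date_range>
    <begin>1681084800</begin><end>1681171200</end></date_range></report_metadata>
  <record><row><source_ip>111.112.113.114</source_ip><count>1</count>
    <policy_evaluated><disposition>reject</disposition>
      <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""


def load_report(blob: bytes) -> bytes:
    """Unwrap a .zip/.gz/plain attachment; refuse oversized or DTD-bearing XML."""
    xml = blob
    if blob[:2] == b"PK":  # zip magic
        with zipfile.ZipFile(io.BytesIO(blob)) as zf, zf.open(zf.infolist()[0]) as fh:
            xml = fh.read(MAX_XML_BYTES + 1)  # bounded decompression
    elif blob[:2] == b"\x1f\x8b":  # gzip magic
        with gzip.open(io.BytesIO(blob)) as fh:
            xml = fh.read(MAX_XML_BYTES + 1)
    if len(xml) > MAX_XML_BYTES or b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("oversized report or DTD present; not parsing")
    return xml


def summarize(xml: bytes) -> dict:
    """Reduce a report to reporter, UTC period and per-source DMARC outcome."""
    root = ET.fromstring(xml)
    period = [datetime.fromtimestamp(int(root.findtext(
        f"report_metadata/date_range/{t}")), timezone.utc) for t in ("begin", "end")]
    rows = []
    for rec in root.iter("record"):
        pe = rec.find("row/policy_evaluated")
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "disposition": pe.findtext("disposition"),
            # DMARC passes if either aligned check (DKIM or SPF) passes.
            "dmarc_pass": "pass" in (pe.findtext("dkim"), pe.findtext("spf")),
        })
    return {"reporter": root.findtext("report_metadata/org_name"), "period": period,
            "rows": rows, "failing": [r for r in rows if not r["dmarc_pass"]]}
```

An entry in `failing` for an IP you do not recognise is mail that used your domain without passing authentication, which is what the `p=reject` policy rejected in the Mail.Ru report.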

Usually, organizations use a separate email address for such things (one used only by admins), so other users do not get these emails. Since you have set up your own email service and are using the same email address in the DMARC record, you are getting them.
