Double your DMARC fun with two reporting destinations


I was talking to a friend last week about DMARC reports. Her friend, who’s a bit of an email nerd (yay!) runs his own email domain and has DMARC reports for his own domain coming back directly to him. He does this because he’s got that nerd gene and putting those DMARC reports right in front of him helps to give him a chance to learn about DMARC and its reporting. (Where it leads back to me is that he had a question about something he found in an XML report, and he asked my friend, who asked me about it. Was this XML report reflective of an email being sent from platform X? It's not always easy to know from just looking at raw IP addresses.)

Except! Wouldn’t it be nice if he also had a DMARC reporting tool building a dashboard and map, showing sending sources and locales for all the email using his domain name? That way he wouldn’t have to manually identify IP addresses from the XML-structured DMARC report email content.

The DMARC standard is structured in a way where it’s easy to have it both ways. You can still have DMARC reports come to YOU, if you want, but ALSO have them fed into a DMARC reporting tool.

The trick to do that is a simple one: In your domain's DMARC record, just take the “RUA” field – where you put your aggregate reporting email address – and add a second address (along with a second “mailto”).

Your DMARC record would look something like this: 
  • Before: v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@wombatmail.com
  • After: v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc_agg@vali.email,mailto:dmarc@wombatmail.com
Originally, DMARC reports for my domain wombatmail.com were being emailed to dmarc@wombatmail.com, a specific mailbox in that domain, where I can go search for and investigate DMARC XML file reports as desired. But now, DMARC reports are also being sent into my Valimail Monitor account (disclaimer: I work for Valimail), so the data in these reports feeds my Monitor dashboard, showing email sending sources and geolactions of both suspicious and legitimate email activity.

In short; the best of both worlds! I can geek out with the XML on demand, but I now also have the ability to get easier-to-digest visual reporting and track activity over time without having to manually compile data on my own.
1 Comments

Comments

  1. I do something similar as I’m frequently asked about different tools (including Valimail) and which is best for that particular client. However I setup a distribution list and have all the mail sent there, then it relays to the various DMARC reporting tools. If I need to add a new tool for testing/demo/review I just update the distribution list and the next time it’s done. So far I’ve not run into any issues with this setup.

    This setup also helps get around the limit of max two RUA addresses in the DMARC standard.

    ReplyDelete

Comments policy: Al is always right. Kidding, mostly. Be polite, please and thank you.