Analyzing DMARC Failure Reports

DMARC failure reports (formerly known as forensic reports) are generated and sent almost instantly by mailbox providers when an email fails DMARC authentication. These reports contain detailed information about the failed message, allowing domain owners to investigate the cause and identify the sender.

EasyDMARC uses a specific address (defined in the ruf= tag) to receive and display these DMARC Failure reports directly in your dashboard.

Let’s dive into how to analyze the Failure Reports dashboard and understand everything you need to know:

Senders (Sending Sources): This section allows you to analyze the sources used by your domain to send emails that triggered DMARC failure reports. It helps identify the origin of potentially unauthorized or misconfigured messages.

Receivers (Reporting Destinations): With this data, you can analyze the recipients (mailbox providers) that reported DMARC failures. This insight is crucial for understanding which destinations are flagging your emails.

Export Functionality: Our export feature enables you to download your DMARC failure data in CSV or PDF format. This is especially useful for sharing information with colleagues, managers, or other stakeholders.

Timeframe Selection: You can select any custom timeframe to view DMARC failure reports specific to that period. This is useful for identifying and analyzing incidents within a targeted date range.

Filtering: We offer flexible filtering options to help you locate specific issues and generate detailed, customized reports. This enhances your ability to isolate and resolve email delivery problems efficiently.

Report Details:

Before diving into individual failure reports, let’s review what each column in the dashboard represents:

Domain: The domain used to send the email that triggered the failure report.

Source: The IP address and PTR domain (sending source) that sent the email on your domain’s behalf (e.g., Google Workspace, Amazon SES).

Date: The timeframe in which the email was sent and the failure occurred.

Reporter: The receiving email service provider (ESP) that detected the failed email and sent the report to your RUF address.

From: The "From" address used in the email that failed authentication.

To: The recipient address to which the failed email was sent.

Subject: The subject line of the failed email.

Viewing Specific Failure Report Details

Clicking on the domain listed next to a specific failure report will show more in-depth information, including:

Reported By: The email address (in our example, noreply-dmarc@frappemail.com) used by the reporter (e.g., frappemail.com, the receiving mail server) to send the forensic report to your RUF address.

Body: In some cases, the body of the failed email may be available for review (note that not all reporters include this).

Attachments/Links: If available, you can view and download any attachments or links that were part of the failed email.

Raw Header: This section contains the header of the failed email. Analyzing it can provide essential authentication and delivery details.

Key elements to check in the raw header:

Within the raw header, pay special attention to the Authentication-Results field — it includes the key authentication outcomes and is essential for identifying why the message failed.

  • IP address: Verify the IP and confirm whether it’s a legitimate sending source.
  • SPF authentication results: Check if SPF passed or failed.
  • DKIM authentication results: Check if DKIM passed or failed.
  • Envelope From (Return-Path/MailFrom): Compare this with the “From” address to assess SPF alignment.
  • d= domain: This is the DKIM signing domain — compare it with the “From” address to check DKIM alignment.
  • s= tag: Identifies the selector used to sign the email with DKIM.
  • DMARC results: See if DMARC passed or failed and review the dis= tag for the final action taken on the message.
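The checklist above can be applied mechanically to the Authentication-Results line of a raw header. The following is an added example, not EasyDMARC's code: the header in `SAMPLE` is constructed, and `org_domain` is a simplification (last two labels) standing in for a Public Suffix List lookup.

```python
import re

# Constructed sample (not taken from a real report): SPF fails, DKIM passes.
SAMPLE = (
    "Authentication-Results: mx.receiver.example;\r\n"
    "\tspf=fail smtp.mailfrom=bounce@mailer.example;\r\n"
    "\tdkim=pass header.d=mail.example.com header.s=sel1;\r\n"
    "\tdmarc=pass (p=REJECT dis=NONE) header.from=example.com"
)

def parse_auth_results(header):
    """Return {method: [{'result': ..., prop: value, ...}, ...]} for spf/dkim/dmarc."""
    value = re.sub(r"\r?\n[ \t]+", " ", header).split(":", 1)[1]  # unfold, drop field name
    out = {"spf": [], "dkim": [], "dmarc": []}
    for clause in value.split(";")[1:]:  # element 0 is the reporting server's id
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", clause, re.I)
        if m:  # collect smtp.mailfrom=, header.d=, header.s=, dis=, ...
            props = re.findall(r"([\w.]+)=([^\s;()]+)", clause[m.end():])
            out[m.group(1).lower()].append(
                {"result": m.group(2).lower(), **{k.lower(): v.lower() for k, v in props}})
    return out

def org_domain(name):
    """Assumption: last two labels; wrong for suffixes like co.uk (needs the PSL)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def triage(header, from_domain=None):
    """Summarise the checklist fields and recompute relaxed alignment."""
    r = parse_auth_results(header)
    dmarc = r["dmarc"][0] if r["dmarc"] else {}
    want = org_domain(from_domain or dmarc.get("header.from", ""))
    if not want:
        raise ValueError("From domain unknown: pass from_domain explicitly")
    spf_ok = any(e["result"] == "pass" and
                 org_domain(e.get("smtp.mailfrom", "").rsplit("@", 1)[-1]) == want
                 for e in r["spf"])
    good_sigs = [e for e in r["dkim"] if e["result"] == "pass"
                 and org_domain(e.get("header.d", "")) == want]
    return {
        "spf_aligned_pass": spf_ok,
        "dkim_aligned_pass": bool(good_sigs),
        "dkim_selectors": [e.get("header.s") for e in r["dkim"]],
        "dmarc_reported": dmarc.get("result"),
        "disposition": dmarc.get("dis"),
        "dmarc_recomputed": "pass" if spf_ok or good_sigs else "fail",
    }
```

A mismatch between `dmarc_reported` and `dmarc_recomputed` is worth a closer look at the header, since it can mean the simplified alignment check or the reporter's evaluation differs from what you expect.
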

Important Note: Receiving a DMARC failure report doesn’t always mean your email failed DMARC. These reports can be triggered by a failure in either SPF or DKIM, while DMARC requires only one of the two to pass (with alignment).

The generation of DMARC Failure reports also depends on the configuration of the fo (Failure Options) tag in your domain’s DMARC record:

  • fo=0 – A failure report is generated only if both SPF and DKIM fail. (Default setting)
  • fo=1 – A report is sent if either SPF or DKIM fails.
  • fo=d – A report is sent only if DKIM fails.
  • fo=s – A report is sent only if SPF fails.

Understanding and correctly setting the fo tag ensures that you're receiving the appropriate level of reporting based on your DMARC policy and investigative needs.
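To see how the fo tag interacts with the note above, this added example (not EasyDMARC's code) evaluates a DMARC record against one message's SPF and DKIM outcomes and returns which fo options would request a report. The record and the result dictionaries are constructed; the function names and input shape are assumptions made for illustration.

```python
# Constructed DMARC record; the ruf address is a placeholder.
RECORD = "v=DMARC1; p=reject; ruf=mailto:ruf@example.com; fo=1"

def parse_dmarc_record(txt):
    """Split a DMARC TXT record into {tag: value}, tag names lower-cased."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    return tags

def dmarc_passes(spf, dkim):
    """DMARC passes when at least one mechanism passes AND is aligned."""
    return (spf["result"] == "pass" and spf["aligned"]) or \
           (dkim["result"] == "pass" and dkim["aligned"])

def fo_options_fired(record, spf, dkim):
    """spf/dkim: {'result': 'pass'|'fail'|..., 'aligned': bool} (assumed shape).
    Returns the fo options that request a report; [] means none is expected."""
    tags = parse_dmarc_record(record)
    if tags.get("v") != "DMARC1" or "ruf" not in tags:
        return []  # without ruf= no failure reports are requested at all
    spf_ok = spf["result"] == "pass" and spf["aligned"]
    dkim_ok = dkim["result"] == "pass" and dkim["aligned"]
    fired = []
    for opt in tags.get("fo", "0").lower().split(":"):  # fo can be a list, e.g. 1:s
        opt = opt.strip()
        if ((opt == "0" and not spf_ok and not dkim_ok) or
                (opt == "1" and not (spf_ok and dkim_ok)) or
                (opt == "d" and dkim["result"] == "fail") or
                (opt == "s" and spf["result"] == "fail")):
            fired.append(opt)
    return fired

# Constructed message outcome: SPF fails, DKIM passes with alignment.
SPF_FAIL = {"result": "fail", "aligned": False}
DKIM_OK = {"result": "pass", "aligned": True}
```

With `RECORD`, `SPF_FAIL` and `DKIM_OK`, the message passes DMARC yet fo=1 still requests a failure report, which is the situation the note describes.
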

Do You Really Need DMARC Failure Reports?

In short, not necessarily.

Many major ESPs — including Google and Microsoft — do not support DMARC Failure reports. Since these reports may contain Personally Identifiable Information (PII), most providers choose to only send DMARC Aggregate reports instead.

Aggregate reports alone are already sufficient for gaining an overall understanding of your outgoing email ecosystem. They help in tracking your Email Service Providers (ESPs) by IP address and in addressing any issues with SPF and/or DKIM.

While DMARC Failure reports can be helpful in identifying specific emails or users based on the “From” address, their limited support across ISPs means you may not receive comprehensive data.