Help

What does the general DMARC work flow look like?

A sending mail server signs an e-mail with a private key to create a DKIM signature, which is added to the e-mail header. The receiving mail server verifies this signature and whether the sender IP address matches the SPF entry of the "envelope from" or "helo" domain. Allowed public key (DKIM) and IP addresses (SPF) are available via DNS. The raw SPF and DKIM results are then checked for alignment with the "mail from" header of the e-mail. DMARC evaluation fails, if none of the two results pass and align. Based on the DMARC evaluation result and the DMARC policy published in the sender domain's DNS, a policy is applied. The applied policy is called disposition and can be one of none, i.e. the sending domain owner requests no specific action, quarantine, i.e. "place into spam folder", "scrutinize with additional intensity", and/or "flag as suspicious", or reject, i.e. reject the e-mail. If DMARC evaluation passes or the sending domain owner has requested a none policy, the mail is passed on to post acceptance tests and eventually delivered to the mailbox. If requested by the mail sender domain, the receiving mail server has to immediately send a failure report in case of disposition quarantine or reject. If requested by the mail sender domain, the receiving mail server has to temporarily store the DMARC evaluation results in order to later send an aggregate report. Aggregate reports contain all DMARC evaluation results for the corresponding domain and aggregation interval, typically a day.

How does <dmarc/> viewer work?

What kind of reports can I analyze?

This tool lets you visually analyze DMARC aggregate reports. The tool differs between incoming and outgoing reports. Incoming reports are reports that you receive from foreign domains based on e-mail messages the reporter received purportedly from you. Outgoing reports on the other hand are reports that you send to foreign domains based on e-mail messages that you received purportedly from them. To analyze reports you need to import your reports using the provided parsing management command. Since DMARC itself does not distinguish between incoming and outgoing reports, you should to tell the parser which type of reports your are importing. This makes analyzing your reports easier.

What is on the Overview page?

The Overview page shows general information about all incoming and outgoing reports to give you an idea about what is stored in your database. For both report types it shows the date ranges for which you have reports stored. These dates are based on the date range attribute of reports and can be faulty. Additionally, it shows you the total amount of report receiver domains, reports and messages for incoming and outgoing reports and lets you compare aligned DKIM, aligned SPF and evaluated DMARC disposition for all messages of both report types.

Where can I get detailed analysis views?

The Deep Analysis page is the heart of the tool. Currently three analysis types are supported. A map, showing where messages came from, a time line chart, showing when messages came, and a table, giving you details about the DMARC reports. You can fully control what data is displayed by creating and configuring analysis views using a View Editor.

How can I manage my views?

On the View Management page you can create, edit, clone, delete and sort the views for your Deep Analysis page.

How exactly do I create or edit a view?

You can open the View Editor via the View Management page by creating or editing an existing view. There you can define what data should be seen in a view. Each view has to be given a title and a description, so that you immediately understand what you are looking at when you check out your views on the Deep Analysis page. You can also control if the view is displayed in the Deep Analysis sidebar at all or enable and disable individual analysis types, i.e. map, line chart, table. Views display either incoming or outgoing reports for a given time range. By creating filter sets you can define filters for all attributes found in DMARC reports. You need to create at least one filter set to display any data. Creating multiple filter sets is especially useful, if you want to compare multiple aspects of your report data.