What does the general DMARC work flow look like?
A sending mail server signs an e-mail with a private key to create
a DKIM signature, which is added to the e-mail
header. The receiving mail server verifies this signature and
whether the sender IP address matches the SPF
entry of the "envelope from" or "helo" domain.
Allowed public key (DKIM) and IP addresses (SPF) are available via
DNS. The raw SPF and DKIM results are then checked
for alignment with the "mail from" header
of the e-mail. DMARC evaluation fails, if none of
the two results pass and align. Based on the DMARC evaluation
result and the DMARC policy published in the sender domain's DNS, a
policy is applied. The applied policy is called
disposition and can be one of
none, i.e. the sending domain owner requests no
specific action, quarantine, i.e. "place
into spam folder", "scrutinize with additional intensity", and/or
"flag as suspicious", or reject, i.e.
reject the e-mail. If DMARC evaluation passes or the sending
domain owner has requested a none policy, the mail is passed on to
post acceptance tests and eventually delivered to the mailbox. If
requested by the mail sender domain, the receiving mail server has
to immediately send a failure report in case of disposition
quarantine or reject. If requested by the mail sender domain, the
receiving mail server has to temporarily store the DMARC evaluation
results in order to later send an aggregate report. Aggregate
reports contain all DMARC evaluation results for the corresponding
domain and aggregation interval, typically a day.
How does <dmarc/> viewer work?
What kind of reports can I analyze?
This tool lets you visually analyze DMARC aggregate reports. The
tool differs between incoming and
outgoing reports. Incoming reports are reports
that you receive from foreign domains based on e-mail messages the
reporter received purportedly from you. Outgoing reports on the
other hand are reports that you send to foreign domains based on
e-mail messages that you received purportedly from them. To analyze
reports you need to import your reports using the provided
parsing management command. Since DMARC itself
does not distinguish between incoming and outgoing reports, you
should to tell the parser which type of reports your are importing.
This makes analyzing your reports easier.
What is on the Overview page?
The Overview page shows general information about
all incoming and outgoing reports to give you an idea about what is
stored in your database. For both report types it shows the date
ranges for which you have reports stored. These dates are based on
the date range attribute of reports and can be faulty.
Additionally, it shows you the total amount of report receiver
domains, reports and messages for incoming and outgoing reports and
lets you compare aligned DKIM, aligned SPF and evaluated DMARC
disposition for all messages of both report types.
Where can I get detailed analysis views?
The Deep Analysis page is the heart of the tool.
Currently three analysis types are supported. A
map, showing where messages came from, a
time line chart, showing when messages came, and a
table, giving you details about the DMARC reports.
You can fully control what data is displayed by creating and
configuring analysis views using a View Editor.
How can I manage my views?
On the View Management page you can create, edit,
clone, delete and sort the views for your Deep
How exactly do I create or edit a view?
You can open the View Editor via the View
Management page by creating or editing an existing view.
There you can define what data should be seen in a
view. Each view has to be given a title and a
description, so that you immediately understand what you are
looking at when you check out your views on the Deep
Analysis page. You can also control if the view is
displayed in the Deep Analysis sidebar at all or enable and disable
individual analysis types, i.e. map, line chart, table. Views
display either incoming or
outgoing reports for a given time range. By
creating filter sets you can define filters for
all attributes found in DMARC reports. You need to create at least
one filter set to display any data. Creating multiple filter sets
is especially useful, if you want to compare multiple aspects of
your report data.