DMARC Monitoring
Comprehensive DMARC report parsing, visualization, and analysis.
DMARC Monitoring
MailSentinel automatically processes and analyzes DMARC aggregate reports, giving you actionable insights into your email authentication.
How It Works
1. Report Collection
When you configure your DMARC record to send reports to MailSentinel:
rua=mailto:your-org@reports.mailsentinel.ioWe receive aggregate reports from major email providers including:
- Google (Gmail, Google Workspace)
- Microsoft (Outlook, Office 365)
- Yahoo
- Apple
- And thousands of other providers
2. Automatic Parsing
DMARC reports arrive in XML format. MailSentinel:
- Parses the XML automatically
- Extracts key metrics
- Stores data for analysis
- Triggers alerts if needed
3. Visualization
View your data through intuitive dashboards:
- Pass/fail rates over time
- Source IP analysis
- Geographic distribution
- Trend analysis
Dashboard Overview
Authentication Summary
The main dashboard shows your overall authentication health:
| Metric | Description |
|---|---|
| Pass Rate | Percentage of emails passing DMARC |
| Total Volume | Number of emails reported |
| Unique Sources | Distinct IPs sending as your domain |
| Failures | Emails failing authentication |
Source Analysis
Identify all services sending email on your behalf:
- Authorized Sources - Legitimate senders you've configured
- Unknown Sources - Sources requiring investigation
- Malicious Sources - Potential spoofing attempts
Failure Breakdown
Understand why emails are failing:
- SPF Failures - SPF check failed or not aligned
- DKIM Failures - DKIM signature invalid or missing
- Alignment Failures - Domain mismatch issues
Key Features
Real-Time Processing
Reports are processed as they arrive, typically within minutes.
Historical Analysis
View trends over:
- Last 7 days
- Last 30 days
- Last 90 days
- Custom date ranges
Export Capabilities
Export data in multiple formats:
- CSV for spreadsheets
- JSON for integrations
- PDF for reports
Smart Recommendations
Based on your data, MailSentinel provides:
- Configuration suggestions
- Policy progression guidance
- Issue remediation steps
Understanding Your Data
Pass vs. Fail
An email passes DMARC when:
- SPF passes AND aligns with the From domain, OR
- DKIM passes AND aligns with the From domain
An email fails DMARC when neither condition is met.
Alignment Modes
| Mode | Description | Use Case |
|---|---|---|
| Relaxed | Subdomains allowed | Most scenarios |
| Strict | Exact match required | High security |
Volume Analysis
High volumes from unknown sources indicate:
- Forgotten services sending email
- Potential spoofing attacks
- Misconfigured forwarding
Best Practices
1. Review Reports Weekly
Regular review helps you:
- Catch issues early
- Track improvement
- Plan policy changes
2. Investigate Unknown Sources
For each unknown source:
- Check if it's a legitimate service
- Configure SPF/DKIM if legitimate
- Monitor if suspicious
3. Track Trends
Watch for:
- Sudden volume spikes
- New failure patterns
- Geographic anomalies
Understanding DMARC Reports
Report Frequency
DMARC aggregate reports are typically sent:
- Daily - Most providers send once per day
- Within 24-48 hours - After publishing DMARC record
- Ongoing - Reports continue as long as DMARC record exists
Report Providers
Major email providers that send DMARC reports:
- Google (Gmail, Google Workspace)
- Microsoft (Outlook, Office 365, Hotmail)
- Yahoo (Yahoo Mail, AOL)
- Apple (iCloud Mail)
- Comcast, Verizon, AT&T
- And thousands of other providers worldwide
Report Contents
Each aggregate report includes:
- Date range - Period covered by report
- Source IPs - IP addresses sending as your domain
- Message counts - Emails sent from each source
- SPF results - Pass/fail for each source
- DKIM results - Pass/fail for each source
- DMARC results - Overall pass/fail
- Disposition - What happened (none/quarantine/reject)
Advanced Features
Source Identification
MailSentinel automatically identifies sending sources:
- Known sources - Services you've configured (Google, SendGrid, etc.)
- Unknown sources - Requiring investigation
- Suspicious sources - Potential spoofing attempts
Geographic Analysis
View email volume by location:
- Identify unusual geographic patterns
- Detect potential attacks from specific regions
- Understand your global email distribution
Trend Analysis
Track changes over time:
- Pass rate trends
- Volume changes
- New sending sources
- Policy effectiveness
Best Practices
1. Start with Monitoring
Begin with p=none policy:
- Monitor for 2-4 weeks
- Identify all sending sources
- Fix authentication issues
- Then move to enforcement
2. Regular Review
Review reports weekly:
- Check pass rates
- Investigate failures
- Identify new sources
- Track improvements
3. Progressive Enforcement
Move to enforcement gradually:
p=none→p=quarantine; pct=10→p=quarantine; pct=50→p=quarantine→p=reject
4. Investigate Failures
For each failure:
- Identify the source
- Determine if legitimate
- Fix authentication if needed
- Monitor after fixes
Next Steps
- Configure Alerts - Get notified about issues
- SPF Configuration - Improve pass rates
- DKIM Setup - Add signature verification
- Email Delivery Troubleshooting - Fix delivery issues
- Google Workspace Setup - Complete Google setup
- Microsoft 365 Setup - Complete Microsoft setup