8

For about 5 days now, i have been successfully receiving several DMARC RUA (aggregate reports) reports from a few ISPs, however i have yet to receive a single RUF message/forensic email, even though the RUA reports do show a few failures. As i only set this up ~6 days ago, no action is being taken (p=none;) , for now.

We did setup SPF , and then DKIM , and finally a day or 2 later, DMARC. I have used 3rd party tools to confirm all 3x are working / no errors.

here is my domain's _dmarc txt record (as retrieved by a 3rd party dns txt lookup tool, to confirm)

lookup: _dmarc.domain1.com (60 min)

result: v=DMARC1; p=none; rua=mailto:adminpostmaster@domain1.com; ruf=mailto:emailsec@domain1.com

(i have changed real domain to "domain1.com" , and have verified that there are no typos).

the RUF emailsec@domain1.com is a new, separate email account (using gsuite paid/pro, which is same as all the domain1.com email accounts). I have verified that nothing is in the SPAM folder, and that the emailsec@domain1.com account is working/can receive email from outside domains).

Any ideas? i was thinking im not getting any RUF emails as im using p=none; (and not p=quarantine or p=reject , yet), however i see others questions on here where ppl are using p=none; and are getting ruf emails.

thanks

James Gaul
  • 83
  • 1
  • 3
  • Just to echo that I could have asked this question myself, almost word for word, here 2 months later in March 2019. google.com's rua has reported a threat, it shows as being from misp.co.uk which is legitimate, but I have no other data to go on. – Robinhrvatska Mar 29 '19 at 09:45
  • 3
    @Robinhrvatska RUA reports don't show threats, exactly. For any reason, an email sent from A to B (sometimes ending up at C) can fail authentication, which is reported in the RUA. The report will highlight on which technology authentication failed, including information about the sending IP, the Return-Path and DKIM domain used. This might give you clues for where to look for answers. A lot of times forwarding is involved. Sometimes misconfigurations, time-outs or something else. Indeed a RUF report might contain more actionable data. – Reinto Apr 18 '19 at 15:19

1 Answers1

9

As mentioned in the comments by @anx, hardly any mailbox hosting service ever sends forensic/failure reports anymore. And for good reason. There are several quality DMARC report visualization services out there that have blogged about the absence of and the reason why, for example: Dmarcian and Valimail.

The Dmarcian blog dates from late 2015, and back then already most email hosting platforms did no longer send forensic/failure reports. My advice would be to ignore this piece of the DMARC pie.

Reinto
  • 649
  • 4
  • 9