DMARC Failure Reports Explained: 5 Things Wrong With Them

DMARC failure reports are problematic. Keep reading to discover why you shouldn’t use them.

DMARC failure reports (forensic reports) might seem like valuable data, but they’re a potential liability for your brand. While they promised real-time value, DMARC failure reports haven’t lived up to the hype—instead, they’ve opened up domain owners to subtle risks.

Below, we’ll walk you through everything you need to know about DMARC failure reports and their five major problems.

What are DMARC failure reports?

DMARC is a powerful tool that domain owners can use to protect their domains from abuse. At enforcement (a policy of “quarantine” or “reject”), it stops exact-domain impersonation: messages that put the protected domain in the visible From: header without passing aligned SPF or DKIM. These are among the hardest phishing attacks for recipients to detect and block by other means, because nothing about the sender address looks wrong.

DMARC’s benefits go further than phishing prevention. Through its aggregate reports, DMARC gives domain owners visibility into every source sending mail as their domains, legitimate services and spoofers alike, and with the right tools lets IT teams centrally control which SaaS services are allowed to send on the company’s behalf. That is a boon for IT teams everywhere.

When appropriately implemented, DMARC also improves deliverability: spammers can no longer damage a domain’s reputation by sending emails purporting to be from that domain.

That said, not all elements of DMARC are equally valuable. One component, failure reports (sometimes called forensic reports, and requested with the ruf= tag in the DMARC record), has been part of the standard from the beginning.

But unlike aggregate reports (requested with rua=), which summarize authentication results per sending source and are genuinely useful, failure reports are riddled with problems, not least that they expose organizations to potential liability around privacy.

When a receiving mail system gets a message that fails DMARC, it may send a failure report to the domain owner, one report per failing message. By default (fo=0) a report is generated only when both SPF and DKIM fail to align; fo=1 asks for one whenever either fails, which multiplies the volume. Because receivers send failure reports in real time, they can provide an immediate alert whenever a non-authenticating message is detected.

Sounds good, right? 

And even more appealing, failure reports include details about the failing message that many domain owners would like to have:

  • From address (and often the envelope sender and recipient)
  • Subject line
  • The sending IP address and the receiver’s authentication results
  • Part or all of the message content

On the face of it, DMARC failure reports seem like a valuable part of the standard. However, in practice, they haven’t worked out that way. Failure reports have failed to deliver real value to domain owners and opened them up to non-obvious risks in today’s increasingly privacy-focused world.

Five problems with DMARC failure reports

There are five major problems with DMARC failure reports:

  1. Distraction from enforcement
  2. High false positive rate
  3. Not generally actionable
  4. Potentially expose PII
  5. ISPs have dropped support for failure reports

Below, we’ll go into more detail about each of these problems.

1. Distraction from enforcement

When working with DMARC, the focus of any domain owner should be getting to enforcement. The primary purpose of DMARC is to protect the domain from abuse through policy enforcement.

But the “real-time alert” nature of DMARC failure reports confuses this notion. 

Some people interpret the existence of failure reports as evidence that DMARC is intended primarily as an abuse-reporting mechanism. As a result, many IT professionals believe they are “done” when configuring a non-enforcement DMARC record (one with a policy of p=none) to send them reports. 

Yes, they get reports (both failure reports and aggregate reports), but at p=none these domains never get the real benefit of DMARC: protection through enforcement, where receivers quarantine or reject spoofed messages instead of delivering them.
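As an added illustration of this point (example code written for this page, not Valimail’s software), the check below parses DMARC TXT records and reports whether a record is actually at enforcement and whether it asks for failure reports. The three records are constructed; the tag names (v, p, sp, pct, rua, ruf, fo) are those defined in RFC 7489. The first record is the “I get reports, so I’m done” configuration the section describes; the second is the same domain at enforcement with aggregate reporting only.

```python
"""Classify DMARC records: at enforcement or not, and do they request failure reports?

Added example, not Valimail's code. The records below are constructed; the tag
names are those defined in RFC 7489.
"""

ENFORCEMENT_POLICIES = {"quarantine", "reject"}

# Constructed records. WEAK is the "monitoring plus failure reports" setup that
# many teams mistake for a finished deployment; STRONG is the same domain at
# enforcement with aggregate reports only; PARTIAL enforces on a sample only.
WEAK = "v=DMARC1; p=none; rua=mailto:dmarc@example.com; ruf=mailto:forensics@example.com; fo=1"
STRONG = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"
PARTIAL = "v=DMARC1; p=reject; pct=10; rua=mailto:dmarc@example.com"


def parse_dmarc(record):
    """Split 'v=DMARC1; p=none; rua=...' into a tag -> value dict.

    Raises ValueError if the text is not a DMARC record or lacks the required p= tag.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (missing v=DMARC1)")
    if "p" not in tags:
        raise ValueError("DMARC record has no p= tag")
    return tags


def assess(record):
    """Report whether the record enforces, and whether it requests failure reports."""
    tags = parse_dmarc(record)
    policy = tags["p"].lower()
    subdomain_policy = tags.get("sp", policy).lower()   # sp defaults to p
    pct = int(tags.get("pct", "100"))                   # pct defaults to 100
    findings = []
    if policy not in ENFORCEMENT_POLICIES:
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    if "sp" in tags and subdomain_policy not in ENFORCEMENT_POLICIES:
        findings.append(f"sp={subdomain_policy}: subdomains are not at enforcement")
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "ruf" in tags:
        findings.append("ruf= present: failure (forensic) reports requested")
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports, no visibility into senders")
    return {
        "policy": policy,
        "subdomain_policy": subdomain_policy,
        "at_enforcement": (policy in ENFORCEMENT_POLICIES
                           and subdomain_policy in ENFORCEMENT_POLICIES
                           and pct == 100),
        "requests_failure_reports": "ruf" in tags,
        "findings": findings,
    }


if __name__ == "__main__":
    for name, record in (("WEAK", WEAK), ("STRONG", STRONG), ("PARTIAL", PARTIAL)):
        result = assess(record)
        print(name, "at enforcement:", result["at_enforcement"], result["findings"])
```

Run against the records a domain’s DNS actually returns (for example the output of `dig +short TXT _dmarc.example.com`), the check tells you whether you are protected or merely observing; a record that is still at p=none after months of reports is the distraction this section describes.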

2. High false positive rate

When sending large numbers of marketing messages daily, some small percentage will inevitably fail DMARC even though they are legitimate. Forwarding breaks SPF alignment, because the forwarded copy arrives from the forwarder’s IP address rather than an authorized one, and mailing lists that rewrite the subject or append footers break the DKIM signature. Either way, the message fails DMARC at its final destination and, if that receiver honors the ruf= tag, triggers a failure report.

But even if the failure percentage is low (0.1% or below), sending millions of messages daily amounts to thousands of failures. Wading through that noise is extremely challenging and time-consuming.

3. Not generally actionable

Assuming that IT staff are reacting to DMARC failure reports as they come in and can filter through many false positives to find the actual phishing messages, what do they do when they find one?

Most companies don’t have the time or resources to prosecute bad actors online. At best, IT staff members may be able to file reports with a hosting provider. Perhaps they’ll even get the hosting provider to shut down the offending server. 

But in that case, how long do you think it will take the phisher to find a new home? Is this game of Whac-a-Mole even worth it?

Why bother when email authentication at enforcement protects you from this abuse entirely, without requiring any involvement from you?

4. Potentially expose PII

As a domain owner, it’s important to understand that you don’t control what’s included in the DMARC failure report—that’s up to the receiver. And if the report is a false positive (an email that failed DMARC but shouldn’t have), that can mean “real” information may be included in the failure report. 

That makes the failure report an easy way to leak confidential corporate or customer information.

For example, imagine an email containing details about the new iPhone, a new CIO hire, or the sale of the company accidentally failing DMARC, then winding up as a failure report on some IT admin’s desktop.

With the online world’s increasing focus on privacy, personally identifiable information (PII) needs to be handled with extreme care, and the penalties for leaking it have grown substantially. Leaking news of an impending product launch or layoff is a serious business risk; leaking the names and addresses of the employees or customers mentioned in those same messages is, in addition, a regulatory breach.

Under the European Union’s GDPR, a breach involving personal data can draw fines of up to 20 million euros or 4% of worldwide annual turnover, whichever is higher. DMARC failure reports do not bring enough value to be worth that sort of risk.

Valimail invested in the only privacy-safe option on the market. Valimail RUF+ gives you email insights that go beyond DMARC failure reports, helping you identify the owners of sending services without ever exposing PII.

5. ISPs have dropped support for failure reports

We’re not the only ones who feel that DMARC failure reports bring little value and present many risks. Most ISPs have stopped providing DMARC failure reports because of concerns about PII leakage and general doubts about their actual value.

Hotmail is phasing out DMARC failure reports. Google, Oath (Yahoo/AOL), and virtually all other major ISPs do not send DMARC failure reports. Even those ISPs that once supported “private channel” arrangements—only sending failure reports to trusted vendors—have abandoned them because of PII concerns.

Even if you configure your DMARC record to accept failure reports, you’ll find that almost none of your failing messages generate them.

Forget about DMARC failure reports

Given the above, we believe that DMARC failure reports were a well-intentioned, but ultimately unsuccessful, part of the DMARC standard.

DMARC aggregate reports provide all the information that domain owners need to get their domains to enforcement, without the risks presented by DMARC failure reports.

Moving past DMARC failure reports would be a positive step for the ecosystem, and we encourage all participants to stop supporting and using them and instead focus on getting to enforcement.

Need help reaching DMARC enforcement? Want to learn more about Valimail RUF+? We’ve got you covered.

Valimail Enforce gets you continuous DMARC enforcement—all without touching any DNS. Schedule a demo with one of our DMARC experts to see what Enforce can do for your domains.