Using the Senders Page
The Senders page lets you view specific mail sources that have sent mail on behalf of your domain and drill down into the details of DMARC RUA report records received about those sources.
It is accessed from the Dashboard by selecting View Senders, which is visible once we have received reports for a domain.
Senders Page Columns
The Senders page has the following columns:
- Sending Server: The IP address or hostname of the sending source.
- We show friendly names for popular mail sources, such as
Microsoft,Google,SendGrid,Amazon SES, etc. Some services send from multiple different TLDs so you may see multiple entries for the same service. - To determine the mail sender, we do a reverse DNS lookup on the IP in the report record. If there's no reverse DNS lookup result, then it will show as
NoDomainLookupand the IP address is available on theView Detailpage. No legitimate mail sources would not have a reverse DNS record. - If you don't see a friendly name for a popular mail source, please let us know at feedback@verifydmarc.com.
- We show friendly names for popular mail sources, such as
- Total Count: The total number of messages that we have received DMARC RUA reports for from this source.
- Compliant: The percentage of messages that are passing DMARC from this source. This means they passed either DKIM or SPF checks (or both).
- DKIM Align: The percentage of reported email from the domain that had a valid DKIM signature which aligned with the 'Header From' domain.
- SPF Align: The percentage of messages that have passed valid SPF authentication and aligned Envelope From and Header From domains.
- Detail: Click the icon to see the details of individual DMARC RUA reports for this source.
Sender Detail Page Columns
The Senders Detail page has the following columns:
- Sending Server Hostname: The IP address or hostname of the sending source.
- Count: The total number of messages the DMARC RUA record is reporting on.
- Some records are for a single email, others aggregate multiple messages into a single record.
- Disposition: The DMARC disposition of the message(s) in the record.
None: The message had no action taken by the receiver either because the message was compliant, or because your DMARC policy is set tonone.Quarantine: The message was quarantined by the receiver.Reject: The message was rejected by the receiver.
- Compliant: Whether the message(s) in the record were DMARC compliant. This means they passed either DKIM or SPF checks (or both).
- DKIM Align: Whether the message(s) in the record were sent with a valid DKIM signature and aligned with the Header From domain.
- SPF Align: Whether the message(s) in the record were sent with a valid SPF authentication and aligned Envelope From and Header From domains.
- Header From: The
Header Fromaddress of the message(s) in the record.- This is the domain that a user sees in their email client.
- Envelope From: The
Envelope Fromaddress of the message(s) in the record.- This is the domain that the receiving mail server sees when it receives the message. It is also the domain that is used for SPF authentication. Only some records have this level of detail.
- Envelope To: The
Envelope Toaddress of the message(s) in the record.- This is the domain that the message was sent to. Only some records have this level of detail.
- Report Date: The date that the DMARC RUA report was received by us.
- Detail: A link to Auth Results, this displays underlying SPF and DKIM results (before DMARC alignment checks). See Authentication Results for more information.
Authentication Results
The Authentication Results modal provides a detailed view of the underlying SPF and DKIM results for the message(s) in the record. This is useful for diagnosing issues with SPF and DKIM. The results are shown before DMARC alignment checks are performed. We display an Alignment Note for each pass result here to highlight if it is likely to be considered DMARC aligned.
DMARC requires that the domain of the Envelope From (for SPF), and the domain of the signature (for DKIM) are aligned. This means that both domains must be the same, or a subdomain (in default DMARC relaxed mode). If the domains are not aligned, then the SPF or DKIM result is not considered valid in the context of DMARC.
- Header From: The
Header Fromaddress of the message(s) in the record.
The SPF Result section fields are:
-
SPF Alignment Mode: This will be
Relaxed(default and usually recommended) orStrict. If the alignment is inStrictmode then theDomainmust exactly match theHeader From, otherwise inRelaxedmode theDomainmay be a subdomain ofHeader From. If the alignment mode was not reported then we assume relaxed when displaying theAlignment Note. -
Domain: The domain that was in the 'Envelope From' of the message(s).
- Result: The result of the SPF check. This will be
pass,fail,softfail,neutral,none,temperror, orpermerror. - Scope: The scope of the SPF check. This will be
mfrom(mail from) orhelo(HELO/EHLO domain). - Alignment Note: Displayed for a 'pass' result only. If the mode is
Relaxedit will beAlignsorDoes not align. If the mode isStrictit will beStrictly alignsorDoes not strictly align.
The DKIM Result section fields are:
-
DKIM Alignment Mode: This will be
Relaxed(default and usually recommended) orStrict. If the alignment is inStrictmode then theDomainmust exactly match theHeader From, otherwise inRelaxedmode theDomainmay be a subdomain ofHeader From. If the alignment mode was not reported then we assume relaxed when displaying theAlignment Note. -
Domain: The domain that was in the DKIM signature.
- Result: The result of the DKIM signature validity check. This will be
pass,fail,temperror, orpermerror. - Selector: The DKIM selector that was used to sign the message.
- Alignment Note: Displayed for a 'pass' result only. If the mode is
Relaxedit will beAlignsorDoes not align. If the mode isStrictit will beStrictly alignsorDoes not strictly align.
Note that a message can have multiple DKIM signatures, and only one of them needs to be valid with an aligned domain considered DMARC compliant.
Senders Page Workflow and Usage
The Senders page is designed so you can quickly find non-compliant sources of email as well as authorised but poorly configured sources of email. It is important to stress in this context that mail senders only need to pass DKIM or SPF checks for mail to be DMARC compliant. Do not delay moving to an enforcement (p=quarantine or p=reject) policy while you try to get a mail source to pass both DKIM and SPF DMARC checks.
In saying that, passing DKIM checks is better than SPF as it survives forwarding and will make your reporting simpler to interpret. There are some instances where SPF is not possible to setup for a mail sender (usually when it's not possible to have the Envelope From and Header From domains aligned), and that is OK if you have DKIM setup properly.
Here's a typical workflow:
- Check sources with low DMARC compliance: Look down the page for senders that have a low
Compliant %.- Recognised Sources: If you recognise the sending source, then you should check whether it is configured with DKIM and is included in your SPF record AND the domains are aligned (for SPF). This may involve checking the sending source's documentation or contacting their support team.
- Unrecognised Sources: If you don't recognise the sending source, then you should investigate further to see if it may be an authorised source of email. Depending on the size and structure of your organisation, this may involve contacting other teams or departments to see if they are using the sending source. You can use the
View Detaillink to see additional detail to help identify the source and where it is sending emails to. - Unauthorised Sources: If you are confident that a source is not authorised, then this is what DMARC is for! Once you set your DMARC policy to
quarantineorrejectyou will be instructing recipient mail servers to treat this mail as unauthorised. - Authorised but Misconfigured Sources: If you address authorised but poorly configured sources of email, you should see an increase in your
Compliant %level over time. It will not happen immediately, as it takes time for more reports to come into VerifyDMARC. Step up the frequency of accessing the VerifyDMARC dashboard to ensure that yourCompliant %level is increasing and view it on a smaller time scale, like 2 days.Sender Detailshows the latest records first, so you should see your changes reflected there.
- Check sources not using DKIM: Look down the page for senders that have a low
DKIM %.- DMARC Compliant Sources: If the sending source is otherwise compliant, then you should check whether it is configured with DKIM. This may involve checking the sending source's documentation or contacting their support team. DKIM is a strong indicator of the authenticity of the message, and enhances mail deliverability. DKIM also usually survives forwarding, so your DMARC reporting will be simpler to interpret.
- Last Resort: Sometimes you can't get a sending source to support DKIM or SPF alignment. In these cases if you want to achieve a high DMARC compliance level and make the journey to
rejectyou may need to consider getting the sending source to send email from a subdomain of your domain, and then set up a separate DMARC and record for that subdomain withp=none. See our Guidance page for more information.
- Check sources not using SPF: Look down the page for senders that have a low
SPF %.- DMARC Compliant Sources: If the sending source is otherwise compliant, then you should check whether it is included in your SPF record and the Envelope From (which is used to lookup the SPF record) and Header From domains are aligned. This may involve checking the sending source's documentation or contacting their support team.
- SPF pass and SPF aligned are not the same. SPF pass means that the message passed SPF authentication by originating from an IP addresses that is included in the SPF record. SPF aligned means that the
Envelope Fromdomain matches theHeader Fromdomain. SPF alignment is required in the context of DMARC for SPF to pass.
- SPF pass and SPF aligned are not the same. SPF pass means that the message passed SPF authentication by originating from an IP addresses that is included in the SPF record. SPF aligned means that the
- Last Resort: Sometimes you can't get a sending source to support DKIM or SPF alignment. In these cases if you want to achieve a high DMARC compliance level and make the journey to
rejectyou may need to consider getting the sending source to send email from a subdomain of your domain, and then set up a separate DMARC and record for that subdomain withp=none. See our Guidance page for more information.
- DMARC Compliant Sources: If the sending source is otherwise compliant, then you should check whether it is included in your SPF record and the Envelope From (which is used to lookup the SPF record) and Header From domains are aligned. This may involve checking the sending source's documentation or contacting their support team.