Jul 16

Published a DMARC record but haven't received any XML Reports?

A common problem many people face when implementing DMARC for the first time is that they are not receiving aggregate XML reports (reports generated for delivery to the rua= tag) in their dmarcian account. These XML reports are the driving force of DMARC. Without them, it's very difficult to get an accurate picture of your domain's usage across the internet.

If you've created a dmarcian account, have published records but have not received data, don't fret! It is typically caused by one (or more) of these three things: Read the rest of this entry »

Jul 16

dmarcian tools are under constant development to make DMARC deployment faster and easier for everyone. This article describes how to best use the tools today. Read the rest of this entry »

May 16

How to use Domain Groups

Domain Groups allow dmarcian users to easily group together and manage related domains.  Domain Groups are created using the Mission Control interface.  Domain Groups are typically used to group together domains by: Read the rest of this entry »

Oct 15

Meaning of "No DMARC reports received yet which confirm DKIM signing"

Users sometimes ask What does "No DMARC reports received yet which confirm DKIM signing" mean?

dmarcian uses DMARC-XML data to detect the presence of DKIM signatures.  There is no straight-forward way to query the internet for the presence of DKIM signatures, and so dmarcian relies on the contents of DMARC-XML reports to provide information on DKIM signatures.

Given the above, there are 4 reasons why you might see this message:

  1. DKIM hasn't been implemented with the domain's source(s) of email.
  2. DKIM hasn't been fully implemented.  For example, Google Apps for Work requires a verification step before DKIM signing is fully enabled for a domain.
  3. dmarcian has not yet received a DMARC report containing DKIM information.  Either no reports have been received for the domain, or reports may have been received only with regard to non-DKIM-verified email (ie, spam, abuse, or legitimate email that hasn't yet been DKIM signed).
  4. DMARC-XML data doesn't contain relevant DKIM signatures for the particular domain.

Regarding #1, you'll need to setup DKIM by allowing the source of email to on behalf of your domain.  How this is implemented differs based on the capabilities of the email source.  For example, Google Apps for Work requires you to copy a DKIM TXT record into your domain's hosting/DNS provider.  In some cases (eg. GoDaddy) you will also need to click an additional "Save changes" button in order to confirm the new TXT record.

Regarding #2, after updating the hosting/DNS provider, make sure the source of email has accepted the changes (eg with Google Apps for Work, you'll need to click "Start Authentication").

Regarding #3, you will need to send at least one email from the domain to a DMARC-compliant receiver in order to ensure that a DMARC report will be generated.  The generated report will contain DKIM verification data. A few of the most common DMARC-compliant receivers are Gmail, Yahoo, Microsoft, and AOL; sending an email to any legitimate email address provided by any of those will suffice. (The actual email recipient and the contents of the email are not important.)

Regarding #4, if the email domain under question is "EXAMPLE.ORG" and you're signing this domain with DKIM signatures of a different domain (eg "SAMPLE.NET"), dmarcian.com will emit the "No DMARC reports received yet which confirm DKIM signing" message.  This is because there is no relation between EXAMPLE.ORG and SAMPLE.NET.   So, although your email might be signed, the domain used in the signatures might not match your DMARC domain.