8 Dec 15

People often configure their DMARC records and use the "RUF" tag to ask for Forensic/Failure reports.  However, they're often slow to arrive.  If you just added the RUF tag to your DMARC record, be aware that it might take up to 24 hours for your change to be picked up by the larger Internet.  If you're still not seeing Forensic reports, there are a few other things to note.
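Before chasing missing reports, it is worth confirming that the published record actually asks for them in a way receivers will honour. The following Python is an added example, not code from the original post: it parses a DMARC TXT record, extracts the `ruf=` destinations, and explains what the `fo=` setting means for when a failure report is generated. The tag semantics follow RFC 7489; the function names and the sample records are assumptions constructed for this example, and `example.com`/`vendor.example` are placeholder domains.

```python
# Added example (not from the original post): parse a DMARC TXT record and
# summarise what its ruf=/fo= settings mean for Forensic/Failure report delivery.
# Tag semantics follow RFC 7489; sample records and domains below are constructed.
import re
from urllib.parse import urlparse

# One "tag=value" pair; values run up to the next ';' (RFC 7489 section 6.4).
DMARC_TAG_RE = re.compile(r"\s*([a-zA-Z]+)\s*=\s*([^;]*)")

# Meaning of each fo= option (RFC 7489 section 6.3); options may be ':'-joined.
FO_OPTIONS = {
    "0": "report only if BOTH SPF and DKIM fail to produce an aligned pass (default)",
    "1": "report if ANY mechanism fails to produce an aligned pass",
    "d": "report on any DKIM signature failure, regardless of alignment",
    "s": "report on any SPF failure, regardless of alignment",
}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into a lower-cased tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if not part.strip():
            continue  # tolerate a trailing ';'
        m = DMARC_TAG_RE.fullmatch(part)
        if not m:
            raise ValueError(f"malformed tag: {part!r}")
        tags[m.group(1).lower()] = m.group(2).strip()
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if "p" not in tags:
        raise ValueError("record must carry a p= policy")
    return tags


def report_uris(value: str) -> list:
    """Parse a rua=/ruf= value into (mailbox, optional size limit) pairs."""
    out = []
    for uri in value.split(","):
        uri = uri.strip()
        if not uri:
            continue
        addr, _, size = uri.partition("!")  # optional "!10m" size suffix
        parsed = urlparse(addr)
        if parsed.scheme != "mailto" or "@" not in parsed.path:
            raise ValueError(f"unsupported report URI: {uri!r}")
        out.append((parsed.path, size or None))
    return out


def failure_report_expectations(record: str, policy_domain: str) -> dict:
    """Return ruf mailboxes, external destinations, fo= meaning and any caveats."""
    tags = parse_dmarc(record)
    fo = tags.get("fo", "0")
    info = {"ruf": [], "external": [], "fo": fo, "notes": []}
    if "ruf" not in tags:
        info["notes"].append("no ruf= tag: no receiver will send failure reports")
        return info
    for mailbox, _size in report_uris(tags["ruf"]):
        info["ruf"].append(mailbox)
        dest = mailbox.rsplit("@", 1)[1].lower()
        if dest != policy_domain.lower():
            info["external"].append(dest)
    if info["external"]:
        # RFC 7489 section 7.1: an out-of-domain destination must publish a
        # <policy-domain>._report._dmarc.<dest> TXT record, or receivers discard.
        info["notes"].append(
            "ruf= points outside the policy domain; the destination must publish "
            f"{policy_domain}._report._dmarc.<dest> or receivers will not send"
        )
    for opt in fo.split(":"):
        meaning = FO_OPTIONS.get(opt)
        info["notes"].append(f"fo={opt}: " + (meaning or "unknown option, ignored"))
    return info


if __name__ == "__main__":
    # Constructed sample record for a domain that asked for failure reports.
    sample = "v=DMARC1; p=reject; rua=mailto:agg@example.com; ruf=mailto:ruf@example.com"
    for line in failure_report_expectations(sample, "example.com")["notes"]:
        print(line)
```

The `fo=0` default is the setting most people publish without realising it: a message that passes SPF but fails DKIM (or vice versa) produces no failure report at all, which looks a lot like "reports are slow to arrive".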

There are 3 primary reasons why report generators do not send them:

  1. Privacy concerns: Even though the reports can be redacted, some report generators do not send them simply to avoid any issue related to privacy.  That is, the individual Forensic/Failure reports can contain Personally Identifiable Information (PII), and some major email receivers are incredibly sensitive to any potential privacy-related issues.
  2. Volume: Generating Forensic/Failure reports can result in the generation of a huge amount of email... one inbound email can cause one Forensic/Failure report to be generated.  If a system is the target of a botnet-based attack, it might end up generating hundreds of thousands or even millions of Forensic/Failure reports.  This ends up utilizing real resources.
  3. Not Required: Organizations have demonstrated an ability to deploy DMARC without having access to Forensic/Failure reports.  In fact, some organizations do not even ask for Forensic/Failure reports due to privacy concerns: if the reports are not enabled, there is no chance of accidentally introducing privacy-based liability.

Today, Forensic/Failure reports mainly come from Microsoft, NetEase, LinkedIn, and a few smaller sites.  Therefore, if someone spoofs your domain in emails that are delivered to any of these receivers, you'll get Forensic/Failure reports.  If the spoofing is flowing into Google or Yahoo, you won't get any insight from Forensic/Failure reports as Google & Yahoo do not generate them.

There is talk of creating a form of Forensic/Failure report that is less prone to privacy concerns.  However, security companies want less redaction so that they'll have more data to power their solutions, whereas DMARC deployers can get their work done without Forensic/Failure reports, so the work on creating privacy-sensitive Forensic/Failure reports hasn't moved beyond just talk.

One Response for "Where are the Forensic/Failure reports?"

  1. Francois says:

    Maybe the DMARC standard should be improved to allow DMARC publishers to specify a rate at which failure reports are allowed to be received. That would address the DOS case. As for privacy, maybe the body of the e-mail should not be included. IETF moves at a glacial pace, so I'm not sure we would see any such improvements in the short term.

    I've seen some failure reports that redact the sender's e-mail address, but I don't see how that adds to the privacy and only makes things more difficult to troubleshoot.