Suped

Does DMARC report on emails that pass authentication?

Yes, DMARC reports provide detailed information on all emails claiming to be from your domain, and this includes emails that pass authentication checks as well as those that fail. It's a common misunderstanding that DMARC is only concerned with failures. The reality is that the reporting function is designed to give you a complete overview of your email traffic.

This comprehensive reporting is one of the most powerful features of the DMARC protocol. It allows domain owners to see not only who is attempting to spoof their domain but also to verify that all their legitimate email sources are configured correctly and authenticating properly.

Inboxy says:
DMARC provides detailed reports about the status of your emails, including the number of emails that pass and fail DMARC checks.

Understanding the 'R' in DMARC

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. The 'Reporting' part is fundamental to how it works. These reports are the mechanism that provides domain owners with the visibility they need to secure their email.

Higher Logic says:
The R in DMARC is for the Reporting component of the protocol. These reports allow the domain owner to see where all email using their domain in the "From" address is coming from and if it is authenticating correctly.

By analyzing these reports, you can see which emails are passing authentication and which are failing. As DuoCircle explains, the process involves looking at authentication results to understand why messages pass or fail. This data is critical for identifying all the services that send email on your behalf, from your primary email marketing platform to a small CRM that sends occasional notifications.

Aggregate vs. forensic reports

DMARC provides two types of reports, and it's important to understand the difference between them, as this is where some of the confusion about reporting on passed emails comes from.

  • Aggregate (RUA) Reports: These are XML reports sent periodically (usually daily) to the address specified in the 'rua' tag of your DMARC record. They contain high-level data about all the emails received by that provider claiming to be from your domain. This includes the sending IP address, the number of messages, SPF and DKIM results, and the overall DMARC result (pass or fail). These reports are the primary source for data on successfully authenticated emails.
  • Forensic (RUF) Reports: These reports, if enabled via the 'ruf' tag, contain detailed information about individual emails that fail DMARC authentication. As eSecurity Planet notes, they provide copies of messages that fail, which can be useful for diagnostics. However, they only contain failure information and are not sent by all receivers due to privacy concerns.

So, while Forensic reports only cover failures, the essential Aggregate reports give you a full accounting of both passes and failures.

Why reporting on passed emails is critical

Seeing which emails pass DMARC checks isn't just a vanity metric; it is essential for a successful DMARC implementation. Here’s why:

  • Validating Legitimate Senders: When you onboard a new email service provider or system, you must confirm its emails are authenticating correctly. Aggregate reports showing DMARC passes from that service's IP addresses are the definitive proof that your SPF and DKIM records are set up properly.
  • Safely Moving to Enforcement: You should never move to a DMARC policy of p=quarantine or p=reject until you are confident that all your legitimate mail streams are passing DMARC. Monitoring the passing traffic in your reports gives you this confidence, preventing you from accidentally blocking your own important emails.
  • Maintaining Deliverability: Configurations can change. A provider might alter its sending infrastructure, or an internal team might start using a new service without informing you. A sudden drop in passing emails from a known source, or the appearance of a new failing one, signals a problem you need to address to protect your deliverability.
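
As an added example (not code from Suped or any provider quoted here), the following Python sketch reads one aggregate (RUA) report, counts passing and failing messages per sending IP, and lists the sources that need attention before moving to p=quarantine or p=reject. The sample report is constructed, the sender inventory and function names are hypothetical, and the element names follow the RFC 7489 aggregate report layout.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate-report layout (documentation IP ranges).
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count><policy_evaluated>
  <disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>192.0.2.10</source_ip><count>5</count><policy_evaluated>
  <disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.25</source_ip><count>30</count><policy_evaluated>
  <disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>40</count><policy_evaluated>
  <disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""
KNOWN_SENDERS = {"192.0.2.10", "203.0.113.25"}  # hypothetical inventory of your own senders


def summarize(xml_text):
    """Return {source_ip: {"pass": n, "fail": n}} counting messages by DMARC result."""
    # Reports arrive from third parties; a DMARC report never needs a DTD or entities.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("unexpected DTD/entity declaration in report")
    root = ET.fromstring(xml_text)
    for el in root.iter():  # drop any XML namespace so tag lookups work either way
        el.tag = el.tag.rsplit("}", 1)[-1]
    totals = defaultdict(lambda: {"pass": 0, "fail": 0})
    for row in root.iter("row"):
        ev = row.find("policy_evaluated")
        results = [(ev.findtext(k) or "").strip() for k in ("dkim", "spf")] if ev is not None else []
        # DMARC passes when at least one aligned mechanism (DKIM or SPF) passes.
        outcome = "pass" if "pass" in results else "fail"
        totals[(row.findtext("source_ip") or "").strip()][outcome] += int(row.findtext("count") or 0)
    return dict(totals)


def failing_known_senders(summary, known):
    """Legitimate senders with failing mail: fix these before p=quarantine or p=reject."""
    return sorted(ip for ip in known if summary.get(ip, {}).get("fail", 0) > 0)


def unknown_sources(summary, known):
    """Sources missing from the inventory: a forgotten service or someone else using the domain."""
    return sorted(ip for ip in summary if ip not in known)


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print(s, failing_known_senders(s, KNOWN_SENDERS), unknown_sources(s, KNOWN_SENDERS))
```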

Zoho says:
DMARC reports provide details of the emails sent from your domain, and the authentication status of SPF, DKIM and DMARC for each email.

Conclusion

In short, DMARC absolutely reports on emails that pass authentication. This feature is delivered through Aggregate (RUA) reports and is a cornerstone of the protocol. Without visibility into what’s working correctly, you cannot effectively identify and stop what isn’t. Monitoring both passing and failing authentication results is the only way to gain a complete understanding of your email program and confidently move to a strict enforcement policy that protects your domain from phishing and spoofing.
