You might expect that the IT department or security team knows who’s sending email using your company’s domains. But for a variety of reasons these groups are often unaware of many legitimate senders — not to mention all the bad actors. Fortunately you can get a more complete view by using DMARC’s reporting features.

How does it happen? Product teams managing a new product launch or customer survey hire marketing consultants and Email Service Providers (ESPs). Affiliate programs or strategic partnerships lead to new domains or sub-domains being created. Employee benefit programs are outsourced, and the vendor wants to use a sending address in your domain. All too often these things are done quietly as part of a small project, without consulting anybody in another department or division.

And then there are all the bad actors using your domains without asking permission…

Many times the IT or security groups can see some of what’s happening because of the “backscatter.” These could be customer complaints sent to the company’s abuse mailbox, bounce notifications from forged messages, or incoming messages getting flagged by your company’s email filtering products. But frequently these indications are like an iceberg, and only show 10% of what’s actually going on. Fortunately you can use DMARC to uncover the other 90%.

This is what we did at one global financial institution. As we tracked down all the domains that we owned and published DMARC records for them, we were able to see all the sources of email using those domains: corporate gateways, subsidiaries and partner firms, ESPs. In fact in one case we were able to see that messages sent from one host at one ESP were failing to authenticate properly 5-10% of the time. That may not seem like a lot, but this host was sending around 100,000 messages per day, so those failures represented a lot of customers who weren’t getting important notifications about their accounts and transactions.

Then there were all the mailbox providers and university alumni programs that were receiving messages we sent to a customer at one address, and forwarding them on to a different destination. And the random news, image hosting and social media sites that were sending email using our domains in response to employee activity. Beyond these fairly benign uses, there were literally hundreds of thousands of random PCs sending spam and phishing messages that used our domains.

And now we could see them. Not only could we monitor our authorized vendors, we could quantify the unauthorized messages using our domains, and see what impact it would have if we published a DMARC policy that would block them. It does take a little work to make use of DMARC this way, and the reports only reflect messages received at 80+% of consumer mailboxes in the US, or 60+% worldwide. But that’s a night-and-day difference compared to what we could see before DMARC.

To start receiving DMARC reports you’ll have to publish a few DNS records for each domain. An email address and mailbox to receive the reports are necessary, as well as a program to process the XML files. But the report format is documented (see Appendix C) and there’s free software available to help you get started (see Code & Libraries). There are also a number of free and commercial services that will process reports for you, and most of those companies can be hired to provide assistance in all aspects of deploying DMARC if you choose (see Products & Services).
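As an added illustration (not code from the original essay or from any of the tools it mentions), here is a minimal processor for one aggregate report that produces the two views described above: the DMARC failure rate per sending host, and the number of messages a blocking policy would affect. The sample report is constructed, uses documentation IP ranges, and assumes the element names of the RFC 7489 aggregate format without an XML namespace.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report (not real data); no XML namespace is assumed.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>950</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>192.0.2.10</source_ip><count>50</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>300</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def summarize(report_xml):
    """Return {source_ip: {"total": n, "dmarc_fail": n}} for one aggregate report."""
    # Reports arrive from third parties: refuse DTDs and entities before parsing.
    if "<!DOCTYPE" in report_xml or "<!ENTITY" in report_xml:
        raise ValueError("DTD or entity declaration in report; refusing to parse")
    stats = defaultdict(lambda: {"total": 0, "dmarc_fail": 0})
    for row in ET.fromstring(report_xml).iter("row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count", "0"))
        dkim = row.findtext("policy_evaluated/dkim")
        spf = row.findtext("policy_evaluated/spf")
        stats[ip]["total"] += count
        # DMARC fails only when neither aligned DKIM nor aligned SPF passed.
        if dkim != "pass" and spf != "pass":
            stats[ip]["dmarc_fail"] += count
    return dict(stats)

def policy_impact(stats):
    """Return (messages failing DMARC overall, failure rate per source IP)."""
    affected = sum(s["dmarc_fail"] for s in stats.values())
    rates = {ip: s["dmarc_fail"] / s["total"] for ip, s in stats.items() if s["total"]}
    return affected, rates

if __name__ == "__main__":
    affected, rates = policy_impact(summarize(SAMPLE_REPORT))
    for ip, rate in sorted(rates.items()):
        print(f"{ip}: {rate:.1%} of messages fail DMARC")
    print(f"{affected} messages would be affected by a blocking policy")
```

In the constructed data, 192.0.2.10 is the kind of authorized sender with a partial authentication problem that the essay describes, while 203.0.113.99 fails on every message.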

For links to tutorials, and a series of videos explaining DMARC provided by M³AAWG, see the listings at


Note: This essay was first posted on
