Why do I receive a DMARC report everyday?

IvanS picture IvanS · May 20, 2015 · Viewed 49.8k times · Source

I've setup DMARC policy on my domain. But every day I recieve an XML report from Google.

I don't understand what the problem is?

The report is:

<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <email>[email protected]</email>
    <extra_contact_info>http://support.google.com/a/bin/answer.py?answer=2466580</extra_contact_info>
    <report_id>7241837801886321635</report_id>
    <date_range>
      <begin>1431388800</begin>
      <end>1431475199</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>rigweb.ru</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>none</p>
    <sp>none</sp>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>144.76.154.188</source_ip>
      <count>2</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>site.ru</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>rigweb.ru</domain>
        <result>pass</result>
      </dkim>
      <spf>
        <domain>site.ru</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
</feedback>

My DMARC Policy:

v=DMARC1; sp=none; aspf=r; p=none; rua=mailto: [email protected]

How can I solve the problem?

Answer

Pierre Prinetti picture Pierre Prinetti · May 23, 2015

In short: it's all good.

Here's the explanation for this:

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It is in fact a ruleset made for reporting back to you on the quality of the email messages received from your domain.

You are receiving those XML reports because it's what you asked with the rua=mailto:[email protected]; part of your dmarc TXT record. Note you didn't set any processing rule for failing messages: p=none means you only want to see the results of the checks.

As you can read in the specification (RFC 7489), RUA stands for "Reporting URI of Aggregate reports". Using it you are telling every DMARC-compliant recipient server to send you a (daily) aggregate report for the emails it receives by you or sent on your behalf.

Have a look at dmarc.org where you can find a nice overview of the system.

What does this specific report from Google tells you?

<date_range> This is the time range this report refers to (in your case, may 12 - may 13)
<policy_published> It's the parsed content of the dmarc record Google found in your DNS zone
<source_ip> The IP the emails were sent from
<policy_evaluated> The result of the DKIM and SPF checks are good (the two messages passed both tests).

Meaning:

The two messages sent by an email address @yoursite.ru and received by Google mail servers between may12 and may13 were correctly signed (DKIM) and were sent from authorized IPs (SPF). Based on this, we can reasonably say that Google has only received legitimate messages from your domain.