Report Processing

MailShield automatically receives and processes email security reports, providing actionable insights about your email authentication.

Supported Report Types

DMARC Aggregate Reports (RUA)

Daily summaries sent by email receivers showing authentication results for emails claiming to be from your domain.

Report contents:

• Reporting organization (Google, Microsoft, Yahoo, etc.)
• Date range covered
• Your domain's published policy
• Source IPs that sent email
• Authentication results (SPF, DKIM, DMARC)
• Policy actions taken

Format: XML (often compressed as gzip or zip)

DMARC Forensic Reports (RUF)

Detailed reports about individual authentication failures.

Report contents:

• Full email headers
• Authentication failure details
• Source information
• Failure reasons

Format: AFRF (Authentication Failure Reporting Format)

INFO

Many email providers no longer send forensic reports due to privacy concerns. Aggregate reports are the primary data source.

TLS-RPT Reports

Statistics about TLS connections to your mail servers.

Report contents:

• Reporting organization
• Date range
• Policy mode (testing/enforce)
• Successful connections
• Failed connections with reasons
• Failure categories

Format: JSON

How Reports Are Received

Setting Up Reporting

1. Get your Report ID from Domain Settings in MailShield
2. Update your DMARC record to include MailShield's reporting address:

v=DMARC1; p=quarantine; rua=mailto:YOUR-ID@reports.mailshield.app

3. For TLS-RPT, add:

_smtp._tls.example.com.  TXT  "v=TLSRPTv1; rua=mailto:YOUR-ID@reports.mailshield.app"

Report Delivery

Email providers send reports:

• DMARC Aggregate: Daily (covering previous 24 hours)
• TLS-RPT: Daily or weekly

First reports typically arrive within 24-48 hours of configuration.

Report Processing Pipeline

Email received
    ↓
Extract attachment (gzip/zip)
    ↓
Parse XML/JSON content
    ↓
Validate and normalize data
    ↓
Store in database
    ↓
Extract DKIM selectors
    ↓
Update statistics
    ↓
Generate alerts (if needed)

Automatic DKIM Discovery

MailShield automatically discovers DKIM selectors from DMARC reports:

1. Reports include DKIM authentication results
2. Each result contains the selector and signing domain
3. MailShield extracts new selector/domain pairs
4. Adds them to your monitored selectors
5. Begins checking those selectors

This means you don't need to manually add every DKIM selector—they're discovered automatically as reports arrive.

Report Analysis

Authentication Summary

For each domain, MailShield calculates:

Metric	Description
Total Messages	Emails sent as your domain
SPF Pass Rate	Percentage passing SPF
DKIM Pass Rate	Percentage passing DKIM
DMARC Pass Rate	Percentage passing DMARC

Source Analysis

Identify who's sending email as your domain:

• IP addresses of sending servers
• Geolocation of sources
• Provider identification (Google, Microsoft, etc.)
• Authorization status (in SPF or not)

Failure Analysis

Understand why emails fail:

• SPF failures: Unauthorized senders, forwarding issues
• DKIM failures: Missing signatures, invalid keys
• Alignment failures: Domain mismatches

Report Alerts

MailShield can alert you when:

High Failure Rate

When more than 20% of emails fail DMARC authentication:

• May indicate a spoofing attack
• Could be a misconfiguration
• Warrants immediate investigation

New Reports

Optional notification when new reports arrive:

• Useful for monitoring
• Can be disabled to reduce noise

Report Storage

Reports are stored securely:

• Aggregate reports: Full report data retained
• Individual records: Parsed and indexed for analysis
• Historical access: View past reports anytime

Viewing Reports

Report List

Navigate to Domain → Reports to see:

• List of received reports
• Reporter organization
• Date range
• Message count
• Pass rate

Report Details

Click any report to see:

• Full authentication statistics
• Source IP breakdown
• Failure details
• Raw report data

Filtering

Filter reports by:

• Date range
• Reporter organization
• Authentication result
• Source IP

Troubleshooting

No Reports Received

1. Verify DMARC record includes correct rua address
2. Check Report ID matches your domain's ID in MailShield
3. Wait 24-48 hours for first reports
4. Verify DNS propagation of your DMARC record

Incomplete Data

Some reporters may:

• Not include all data fields
• Aggregate data differently
• Use varying report frequencies

Report Processing Errors

If a report fails to process:

• Invalid XML/JSON format
• Unsupported compression
• Malformed data

Failed reports are logged for investigation.