Viewing Reports
MailShield automatically processes DMARC and TLS-RPT reports, providing actionable insights about your email authentication.
DMARC Reports
Aggregate Reports (RUA)
Aggregate reports are daily summaries sent by email receivers (Google, Microsoft, Yahoo, etc.) that show:
- Source IPs: Which servers sent email as your domain
- Volume: How many emails from each source
- Authentication results: SPF and DKIM pass/fail rates
- Policy applied: What action was taken (none, quarantine, reject)
Viewing Aggregate Reports
- Navigate to Domain → Reports → DMARC
- See a list of received reports with:
- Reporter (e.g., google.com, outlook.com)
- Date range covered
- Total message count
- Pass rate percentage
Report Details
Click on any report to see:
Summary Statistics
- Total messages
- SPF pass rate
- DKIM pass rate
- DMARC pass rate
Source Breakdown
- IP addresses sending as your domain
- Geolocation of senders
- Authentication results per source
- Identified services (e.g., Google Workspace, SendGrid)
Authentication Failures
- Which emails failed authentication
- Why they failed (SPF alignment, DKIM signature, etc.)
- Source IPs of failures
Forensic Reports (RUF)
Forensic reports provide details about individual authentication failures:
- Email headers of failed messages
- Specific failure reasons
- Source and destination information
Privacy Note
Many email providers no longer send forensic reports due to privacy concerns. Aggregate reports are the primary source of DMARC data.
TLS-RPT Reports
TLS-RPT reports show statistics about TLS connections to your mail servers:
Report Contents
- Successful connections: TLS handshakes completed
- Failed connections: Connection attempts that failed
- Failure reasons: Certificate errors, protocol issues, etc.
- Policy mode: Whether MTA-STS was in testing or enforce mode
Viewing TLS Reports
- Navigate to Domain → Reports → TLS
- See reports organized by date and reporter
- Click to view detailed failure analysis
Understanding Authentication Results
Pass vs. Fail
| Result | Meaning |
|---|---|
| Pass | Email passed authentication and came from an authorized source |
| Fail | Email failed authentication - could be spoofing or misconfiguration |
| None | No policy applied (DMARC p=none) |
Alignment
DMARC requires alignment between:
- SPF alignment: The envelope
MAIL FROMdomain matches theFromheader - DKIM alignment: The DKIM
d=domain matches theFromheader
Alignment can be:
- Strict (s): Exact domain match required
- Relaxed (r): Subdomains allowed
Identifying Issues
Legitimate Failures
Not all failures are attacks. Common legitimate failures:
Third-party senders not in your SPF record
- Solution: Add them to SPF or configure DKIM signing
Forwarded emails breaking SPF
- Solution: Rely on DKIM for forwarded messages
Misconfigured services
- Solution: Update SPF/DKIM for the service
Potential Attacks
Signs of spoofing attempts:
- High volume from unknown IPs
- Failures from suspicious geolocations
- IPs not associated with known services
- Patterns suggesting spam campaigns
Report Timeline
Reports typically arrive:
- DMARC Aggregate: Daily, covering the previous 24 hours
- TLS-RPT: Daily or weekly, depending on the reporter
TIP
It may take 24-48 hours after configuring reporting to receive your first reports.
Filtering and Search
Filter reports by:
- Date range
- Reporter organization
- Pass/fail status
- Source IP or domain
Exporting Data
Export report data for:
- Compliance documentation
- Security analysis
- Historical records
Available formats: CSV, JSON