How Exchange Online DMARC Aggregate Reports Change the Game

How Exchange Online DMARC Aggregate Reports Change the Game

Hi All,

Gain visibility with DMARC

In the current digital era, email has become a crucial component of both our personal and professional lives. However, with the sophistication of cyber threats rising, it is more important than ever to ensure the security and legitimacy of email communications.

This is where Domain-based Message Authentication, Reporting, and Conformance (DMARC) comes into play. The Mailservers of Recipients that support DMARC, provide feedback to domain owners about the use of their domains; this feedback can provide valuable insights about the use and abuse of your domains.

What is DMARC?

DMARC has been around since 2015 and was Invented by Yahoo. It is defined in rfc7489. It combines two existing email authentication protocols, SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), to provide a comprehensive framework for validating email senders. Check your SPF, DKIM, DMARC Record here

Figure 1 Check DNS Records for your Domain

Sender Policy Framework (SPF)

Rcf4408, later replaced by rfc7208, allows domain owners to define the authorized mail servers that are permitted to send emails on their behalf. When an email is received, the recipient’s server can verify the SPF record of the sending domain to ensure it aligns with the authorized servers. SPF checks will be against Domain in the “Mail From” (Envelope). An SPF Record is a TXT Record and looks somewhat like this:

v=spf1 ip4: -all

Best Practices for SPF Records

  • Your Domain has an SPF Record
  • Includes and A Records in SPF Record don’t exceed 10 DNS Lookups
  • SPF Record have “-all” (hardfail) at the end
  • Use “v=spf1 -all” for Domain that are not used for Email

DomainKeys Identified Mail (DKIM)

DKIM uses cryptographic signatures to verify the integrity of email messages. The sender’s domain generates a unique digital signature for each outgoing email, and the recipient’s server can validate this signature to confirm that the email has not been tampered with during transit. In the Picture below, you can see a DKIM Header in a mail.

Figure 2 DKIM Header of an Email

To understand the different Tags, below is a Table that explains it in more detail.

Tag Explanation
v=1 DKIM Version
a=ras-sha256 algorithm used to generate the signature
c=relaxed/relaxed Header/Body Message canonicalization Sending Domain
s=selector1 Selector used for this Mail
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck Signed header fields
bh=hash The hash of the canonicalized body part
b=signature The signature data (Base64)
Table 1 DKIM Header Explanation

DKIM solves the Forwarding Problem from SPF, as the Signature stays in the Header. It will be still valid, as long the Fields specified with the “h=” Tag are not changed. Domain-based Message Authentication, Reporting, and Conformance (DMARC) DMARC builds upon SPF and DKIM by providing an additional layer of policy enforcement and reporting. This will create a feedback loop so you know who is using your Domains and you can adopt and fix your DNS Records. More Infos about DMARC Record and DMARC Policy can be found in the Article of Damian Scoles “Microsoft Brings Improvements to DMARC” To check SPF,DKIM and DMARC on Inbound Emails you can use the Messaging Header Analyzer and check the “Authentication-Results”, “Received-SPF” and “DKIM-Signature” Headers as in the Picture below (Figure 3).

Figure 3 Message Header Analyzer

DMARC Aggregate Report

The DMARC Aggregate Report will be sent to the Recipient (multiple recipients possible) defined in the “ruf” Tag. The Aggregate Report is a Mail with a *.zip or *.gz File Attached that contains an XML File. Below you can see how a DMARC Aggregate Report from Exchange Online.

Figure 4 DMARC Aggregate Report from Exchange Online

Here is an Example of such an XML File (figure 7) Exchange Online will report as “Enterprise Outlook”

Figure 5 DMARC Aggregate Report XML

DMARC Report

The XML File by itself won’t help you much, you will need a Software or a Service that will aggregate these XML Files. Most of such 3rd Party Services will cost based on domains and email volume.

Figure 6 DMARC 3rd Party Report Overview

The Aggregate Reports from Exchange Online will be reported as Enterprise Outlook.

There are many such services out there like:

DMARC Aggregate Reports In Office 365

Microsoft has announced to send DMARC aggregate reports for Exchange Online back in March.

Office 365 will send out DMARC aggregate reports to all sender domain owners that has a valid RUA address defined in their DMARC record. But there is a limitation: If MX record is pointed to a different email security solution in front of Office 365, Office 365 will not send DMARC aggregate reports to any sender domains RUA address configured in their DMARC record.

DMARC Data Providers

You can find an example of DMARC Data Reporters

The Reports are slightly different for each Region. For Example, in America Exchange Online (Enterprise Outlook) is at the 5th Place. If you combine Exchange Online and Microsoft is Number 3 for delivering DMARC Aggregate Reports.

Figure 7 DMARC Data Reporters

According to DMARCAdvisor the Aggregate Reports have been doubled overnight, when Microsoft started to send out DMARC Aggregate Reports. Regarding theyr numbers, in the second week of April, they processed almost 33 million reports from Enterprise Outlook. For Example you can see the DMARC Aggregate reports from a Company in Netherlands - there is a massive Change in April 2023.

Figure 8 DMARC Aggregate Reports changed in April

Conclusion / Summary

By sending DMARC RUA Reports from Exchange Online, Microsoft has become one of the Providers for DMARC Aggregate Reports. The chances that you get back a DMARC Aggregate Report from a Receiving Infrastructure for your Domain have significantly increased and therefore made the DMARC Policy even more useful.

The Feedback loop that DMARC provides, enables the Domain Owner to fix and strengthen the Records and set the DMARC Policy from p=none to p=reject.

DMARC, with its integration of SPF and DKIM, provides a powerful tool to combat email spoofing, phishing attacks, and brand impersonation. By adopting DMARC, organizations can strengthen their email security, improve deliverability rates, and establish trust with their recipients, ultimately safeguarding their brand and maintaining a secure communication channel.

Andres Bohren

Exchange Logo