Regarding the Use of CMC Domain Protection
To use CMC Domain Protection, purchasing the CMC Domain Protection plan is required.
DMARC Reporting
This document describes the DMARC report from CMC Domain Protection, explaining its content and how to interpret it. The report shows the DKIM and SPF authentication results for emails originating from your domain and indicates DMARC authentication success. This information is crucial for understanding and mitigating email spoofing.
To access the DMARC reports, log in to the CMC Domain Protection management console and navigate to the "Reports" tab. You will find three types of reports.
- Summary
- Weekly tally
- Daily tally
Common search items
In all report tabs, you can filter the reports displayed by the following items:
- Organizational Domain: Select the organization domain you want to monitor.
- Header From Domain: Select the From domain of the header of the sent email. Use this when you want to narrow down the analysis to a specific From address domain.
- Target period: Select the collection period for the DMARC report. You can select the statistical period for the past 3 months.
Summary
On the "Summary" tab, you can check the DMARC authentication rate for the selected organization domain, header "From" domain, and sending organization domain for the target period.
Note
The sender organizational domain is the domain obtained by reverse DNS lookup of the sending server's IP address. Usually the organizational domain (e.g. smtps.jp, google.com) is displayed; if the domain is unknown, a hyphen (-) is displayed. Also, if a value is greater than 0 percent and less than 1 percent, it is displayed as "< 1%".
Item | Description |
---|---|
Sender Organizational Domain | This indicates the organizational domain (the domain one level below the top-level domain (TLD)) that is obtained by DNS reverse lookup of the sender IP address. If there is no reverse lookup, a hyphen (-) is displayed. |
Count | The total number of emails processed during the period covered. |
DMARC Pass | This indicates the percentage of emails that passed DMARC authentication. |
DKIM alignment Pass | This shows the percentage of emails that passed DMARC DKIM authentication. For DMARC evaluation, the DKIM signature must be aligned (matched or related) with the From header domain. |
SPF alignment Pass | This represents the percentage of emails that passed only DMARC SPF authentication. DMARC evaluation requires that the SPF-authenticated envelope From domain is aligned (matched or related) to the header From domain. |
DKIM Pass | This represents the percentage of emails that have been successfully authenticated by DKIM, regardless of the DMARC evaluation. Even if the alignment (matching or relevance) required for DMARC authentication is not achieved, it will be counted as long as the DKIM authentication itself is successful. |
SPF Pass | This represents the percentage of emails that passed SPF authentication, regardless of the DMARC evaluation. Even if the alignment (match or relevance) required for DMARC authentication is not achieved, it will be counted as long as the SPF authentication itself is successful. |
Downloading data for analysis
The analysis data consists of DMARC reports (rua reports) converted to CSV format, with the information needed to improve DMARC policies added. By downloading it, you can analyze it in more detail using tools such as Excel or create your own reports. For more information on the analysis data, see "Download data".
Weekly report
The "Weekly" tab displays the weekly summary of DMARC authentication results for the selected organization domain, header "From" domain, and sending organization domain for the target period.
Notice
The target period for weekly calculations is a period that starts on Sunday and ends on Saturday. Therefore, only periods that start on Sunday and end on Saturday can be selected as the search period.
Item | Description |
---|---|
Data period | Represents the period covered by the aggregation (weekly: starting on Sunday and ending on Saturday). |
Header-from Domain | This represents the From header domain of the outgoing email as listed in the DMARC report. |
Sender Organizational Domain | The organizational domain (top domain) of the domain obtained by reverse DNS lookup of the sender IP address. If there is no reverse lookup, a hyphen (-) is displayed. |
Count | The total number of emails processed during the period covered. |
Policy (apply/publish) | It represents the enforcement policy (the policy that has actually been enforced) and the published policy that has been published in DNS. |
DMARC results | Represents the DMARC authentication result. |
DKIM results (alignment/normal) | This shows the DKIM authentication result from the DMARC perspective (alignment) and the regular DKIM authentication result (normal). If DKIM authentication passes in the DMARC evaluation, the alignment result is a pass. In the DMARC evaluation, the DKIM signature must be aligned (matched or related) with the header From domain. If DKIM authentication itself passes, regardless of the DMARC evaluation, the normal result is a pass. *The alignment conditions are based on the DMARC parameter (adkim). |
SPF results (alignment/normal) | This shows the SPF authentication result from the DMARC perspective (alignment) and the regular SPF authentication result (normal). If SPF authentication passes in the DMARC evaluation, the alignment result is a pass. In the DMARC evaluation, the SPF-authenticated envelope From domain must be aligned (matched or related) with the header From domain. If SPF authentication itself passes, regardless of the DMARC evaluation, the normal result is a pass. *The alignment conditions are based on the DMARC parameter (aspf). |
DKIM Selector | The DKIM selector name used for DKIM authentication. *If multiple DKIM signatures are attached to an email and multiple DKIM entries exist in the DMARC report, one representative DKIM entry is retrieved and displayed. The priority for selecting the entry is as follows: Priority 1) The DKIM signing domain (the value of the d= tag) is the same as the domain in the From header. Priority 2) The organizational domain of the DKIM signing domain (the value of the d= tag) is the same as the organizational domain of the From header. Priority 3) The entry mentioned first in the rua report. |
DKIM Domain | The DKIM domain name used for DKIM authentication. *If multiple DKIM signatures are attached to an email and multiple DKIM entries exist in the DMARC report, one representative DKIM entry is retrieved and displayed. The priority for selecting the entry is as follows: Priority 1) The DKIM signing domain (the value of the d= tag) is the same as the domain in the From header. Priority 2) The organizational domain of the DKIM signing domain (the value of the d= tag) is the same as the organizational domain of the From header. Priority 3) The entry mentioned first in the rua report. |
SPF Domain | The domain name used for SPF authentication. |
Forwarded (ARC) | If the DMARC report contains messages that were excluded from forwarding due to ARC or other reasons, Yes will be displayed. |
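
The representative DKIM selection described for the DKIM Selector and DKIM Domain items can be reproduced when working with raw rua records. The following is an added example, not CMC Domain Protection's own code; the `org_domain` helper, its small suffix set, and the dictionary keys are assumptions made for illustration.

```python
from typing import Dict, List, Optional

# Assumption: a tiny stand-in for the Public Suffix List. A real implementation
# needs the full list to find organizational domains correctly.
MULTI_LABEL_SUFFIXES = {"co.jp", "ne.jp", "or.jp", "co.uk"}


def org_domain(domain: str) -> str:
    """Return the organizational domain (one label below the public suffix)."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def representative_dkim(header_from: str, entries: List[Dict[str, str]]) -> Optional[Dict[str, str]]:
    """Pick one DKIM entry of a record using the three documented priorities."""
    if not entries:
        return None
    hf = header_from.lower().rstrip(".")
    # Priority 1: the d= domain equals the header From domain.
    for entry in entries:
        if entry["domain"].lower().rstrip(".") == hf:
            return entry
    # Priority 2: the d= domain shares the header From organizational domain.
    for entry in entries:
        if org_domain(entry["domain"]) == org_domain(hf):
            return entry
    # Priority 3: the entry mentioned first in the rua report.
    return entries[0]


# Constructed sample: the auth_results/dkim entries of one record, in report order.
SAMPLE_ENTRIES = [
    {"domain": "esp.example.net", "selector": "s1", "result": "pass"},
    {"domain": "mail.example.co.jp", "selector": "k2", "result": "pass"},
    {"domain": "example.co.jp", "selector": "k1", "result": "pass"},
]

if __name__ == "__main__":
    for hf in ("example.co.jp", "news.example.co.jp", "other.example.org"):
        chosen = representative_dkim(hf, SAMPLE_ENTRIES)
        print(hf, "->", chosen["selector"], chosen["domain"])
```

A third-party signature listed first in the report is displayed only when no signature matches the From domain or its organizational domain.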
Daily report
The "Daily" tab displays the DMARC authentication results for the selected organization domain, header "From" domain, and sending organization domain on a daily basis for the target period.
The main summary items are almost the same as the weekly summary report, but the Sender IP address is added.
Item | Description |
---|---|
Statistics day | Indicates the date for which the calculation is performed. |
Header-from domain | Represents the From domain in the outgoing email header. |
Sender IP address | Represents the source IP address. |
Sender Organizational Domain | This indicates the organizational domain (the domain one level below the top-level domain (TLD)) that is obtained by DNS reverse lookup of the sender IP address. If there is no reverse lookup, a "- (hyphen)" is displayed. |
Count | The total number of emails processed during the period covered. |
Policy (apply/publish) | Represents enforcement and publishing policies. |
DMARC Results | Represents the DMARC authentication result. |
DKIM results (alignment/normal) | This shows the DKIM authentication result from the DMARC perspective (alignment) and the regular DKIM authentication result (normal) listed in the DMARC report. If DKIM authentication itself passes, the normal result is a pass. For DMARC evaluation, the DKIM signature must be aligned (match or correlate) with the From header domain. *The alignment conditions are based on the DMARC parameter (adkim). |
SPF results (alignment/normal) | This shows the SPF authentication result from the DMARC perspective (alignment) and the regular SPF authentication result (normal) listed in the DMARC report. If SPF authentication itself passes, the normal result is a pass. For DMARC evaluation, the SPF-authenticated envelope From domain must be aligned (match or correlate) with the header From domain. *The alignment conditions are based on the DMARC parameter (aspf). |
DKIM Selector | This shows the DKIM selector name used for DKIM authentication listed in the DMARC report. (Representative value: if there are multiple values, the representative value is the record whose DKIM domain is closest to the From domain in the header.) *If there are multiple records in the DMARC report, the DKIM selector name of the record with the same domain name as the Header-from is displayed. (If there is no record with the same domain and there are multiple records, the DKIM selector name of the top record in alphanumeric sort order is displayed.) |
DKIM Domain | This shows the DKIM domain name used for DKIM authentication listed in the DMARC report. (Representative value: if there are multiple values, the representative value is the record whose DKIM domain is closest to the From domain in the header.) *If there are multiple records in the DMARC report, the DKIM domain name of the record with the same domain name as the Header-from is displayed. (If there is no record with the same domain and there are multiple records, the DKIM domain name of the top record in alphanumeric sort order is displayed.) |
SPF Domain | This represents the domain name used for SPF authentication as listed in the DMARC report. |
Forwarded (ARC) | If the DMARC report contains messages that were excluded from forwarding due to ARC or other reasons, Yes is displayed. |
These reports can help you understand the following information and move forward with upgrading your DMARC policy (from p=none to p=quarantine to ultimately p=reject):
- Check for email senders that your company does not recognize
- Identifying the source of spoofed emails
- Check and improve the authentication status of legitimate email senders (DKIM, SPF success rate)
- Identifying mail servers that do not support sending domain authentication
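
The checks listed above can be run over the analysis-data CSV before tightening the policy. The following is an added example, not part of CMC Domain Protection; it uses column names from the "Download data" section, and the sample rows, function names and the `true`/`false` text form of `ext_is_sip_expected` are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows; a real file contains all documented columns.
SAMPLE_CSV = """rec_row_sip,ext_rec_row_sip_ptr_domain,rec_row_cnt,rec_row_poleval_dkim,rec_row_poleval_spf,rec_id_header_from,ext_is_sip_expected
192.0.2.10,smtps.jp,1200,pass,pass,example.co.jp,true
192.0.2.10,smtps.jp,30,pass,fail,example.co.jp,true
198.51.100.7,example.net,400,fail,fail,example.co.jp,false
203.0.113.5,-,25,fail,fail,example.co.jp,false
198.51.100.9,google.com,300,fail,pass,example.co.jp,true
"""


def summarize_senders(csv_text):
    """Total message count and DMARC passes per sender organizational domain."""
    totals = defaultdict(lambda: {"count": 0, "dmarc_pass": 0, "unexpected_ip": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        n = int(row["rec_row_cnt"])
        stats = totals[row["ext_rec_row_sip_ptr_domain"]]
        stats["count"] += n
        # DMARC passes when the aligned DKIM or the aligned SPF result is pass.
        if "pass" in (row["rec_row_poleval_dkim"], row["rec_row_poleval_spf"]):
            stats["dmarc_pass"] += n
        # Source IP not covered by the SPF record according to the re-verification flag.
        if row["ext_is_sip_expected"].strip().lower() != "true":
            stats["unexpected_ip"] += n
    return dict(totals)


def blockers(summary, threshold=1.0):
    """Senders below the DMARC pass-rate threshold, largest volume first."""
    rows = []
    for sender, stats in summary.items():
        rate = stats["dmarc_pass"] / stats["count"] if stats["count"] else 0.0
        if rate < threshold:
            rows.append((sender, stats["count"], round(rate, 3), stats["unexpected_ip"]))
    return sorted(rows, key=lambda r: -r[1])


if __name__ == "__main__":
    for sender, count, rate, unexpected in blockers(summarize_senders(SAMPLE_CSV)):
        print(f"{sender}: {count} messages, DMARC pass rate {rate:.1%}, "
              f"{unexpected} from IPs outside the SPF record")
```

Each sender this prints is either a legitimate service that still needs DKIM or SPF set up, or a source of spoofed mail, and its mail would be quarantined or rejected once the policy is upgraded.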
Upgrading your DMARC policy may require specialized knowledge of DMARC and coordination with internal and external parties. HENNGE offers "Advisory Services (Consulting)" in such cases to ensure smooth DMARC implementation and policy upgrades.
We support:
Download data
- Analysis data
By clicking the "Download data for analysis" button in the upper right corner of the summary screen, you can download the data for analysis as a CSV file.
The downloaded CSV file will contain the following header columns:
Note
A data source refers to the source from which data is obtained.
rua report: Values taken directly from the DMARC RUA report
Extension: Value verified and calculated by CMC Domain Protection based on the RUA report
Header Column Name | Data Source | Description |
---|---|---|
meta_org_name | rua report | Report sending organization name. Represents /feedback/report_metadata/org_name in the rua report. |
ext_org_name_domain | Extension | Report sending organization domain. The organizational domain extracted from meta_org_name. If meta_org_name is not in the form of a domain, it represents the value of meta_org_name as is. |
ext_report_date | Extension | Report date. Represents the date portion extracted from /feedback/report_metadata/date_range/end in the rua report. |
ext_file_name | rua report | Report file name. Represents the name of the rua report XML file. |
rec_row_sip | rua report | Source IP address. Represents /feedback/record/row/source_ip in the rua report. |
ext_rec_row_sip_ptr | Extension | Sender Organizational Domain. FQDN obtained by reverse lookup of the sender IP address. If reverse lookup is not possible, a hyphen (-) is displayed. |
dmarcrecordid | Extension | Internal ID. Represents the rua report receiving address identifier. |
ext_registered_dmarc_domain | Extension | DMARC setting registered domain. Represents the domain for which the DMARC record was generated on the DMARC settings screen. |
dmarc_report_id | Extension | Internal ID. Represents the primary key of the rua report. |
dmarc_report_record_id | Extension | Internal ID. Represents the primary key of the rua report detail. |
version | rua report | Report version. Represents /feedback/version in the rua report. |
meta_report_id | rua report | Report ID. Represents /feedback/report_metadata/report_id in the rua report file. |
meta_dtrange_begin | rua report | Report period start date and time. Represents /feedback/report_metadata/date_range/begin in the rua report file. *This is absolute time in ISO8601 format. |
meta_dtrange_end | rua report | Report period end date. Represents /feedback/report_metadata/date_range/end in the rua report file. *This is absolute time in ISO8601 format. |
meta_email | rua report | Report sender email address. Represents /feedback/report_metadata/meta_email in the rua report file. |
meta_extra_contact | rua report | Additional report sender contact. Represents /feedback/report_metadata/extra_contact_info in the rua report file. |
meta_error | rua report | Error message. Represents /feedback/report_metadata/error in the rua report file. |
polpub_domain | rua report | Published domain. Represents /feedback/policy_published/domain in the rua report file. |
polpub_adkim | rua report | Published DKIM alignment mode. Represents /feedback/policy_published/adkim in the rua report file. |
polpub_aspf | rua report | Published SPF alignment mode. Represents /feedback/policy_published/aspf in the rua report file. |
polpub_p | rua report | Published policy. Represents /feedback/policy_published/p in the rua report file. |
polpub_sp | rua report | Published subdomain policy. Represents /feedback/policy_published/sb in the rua report file. |
polpub_pct | rua report | Published policy enforcement rate. Represents /feedback/policy_published/pct in the rua report file. |
polpub_fo | rua report | Published failure reporting options. Represents /feedback/policy_published/fo in the rua report file. |
polpub_np | rua report | Published non-existent subdomain policy. Represents /feedback/policy_published/np in the rua report file. |
rec_row_cnt | rua report | Number of emails. Represents /feedback/record/row/count in the rua report file. |
rec_row_poleval_disp | rua report | Applied policy. Represents /feedback/record/row/policy_evaluated/disposition in the rua report file. |
rec_row_poleval_dkim | rua report | DKIM authentication result (DMARC). Represents /feedback/record/row/policy_evaluated/dkim in the rua report file. |
rec_row_poleval_spf | rua report | SPF authentication result (DMARC). Represents /feedback/record/row/policy_evaluated/spf in the rua report file. |
rec_row_poleval_rsn_type | rua report | Policy enforcement reason type. Represents /feedback/record/row/policy_evaluated/reason/type in the rua report file. |
rec_row_poleval_rsn_comment | rua report | Policy application reason comment. Represents /feedback/record/row/policy_evaluated/reason/comment in the rua report file. |
rec_id_env_to | rua report | Envelope To. Represents /feedback/record/identifiers/envelope_to in the rua report file. |
rec_id_env_from | rua report | Envelope From. Represents /feedback/record/identifiers/envelope_from in the rua report file. |
rec_id_header_from | rua report | Header From. Represents /feedback/record/identifiers/header_from in the rua report file. |
rec_auth_spf_domain | rua report | SPF verified domain. Represents /feedback/record/auth_results/spf/domain in the rua report file. |
rec_auth_spf_scope | rua report | SPF verification scope. Represents /feedback/record/auth_results/spf/scope in the rua report file. |
rec_auth_spf_result | rua report | SPF authentication result (normal). Represents /feedback/record/auth_results/spf/result in the rua report file. |
ext_rec_auth_dkim_cnt | Extension | Number of DKIM elements. Represents the number of /feedback/record/auth_results/dkim elements in the rua report file. |
rec_auth_dkim_domain | rua report | DKIM verification domain. Represents /feedback/record/auth_results/dkim/domain in the rua report file. |
rec_auth_dkim_selector | rua report | DKIM verification selector. Represents /feedback/record/auth_results/dkim/selector in the rua report file. |
rec_auth_dkim_result | rua report | DKIM authentication result (normal). Represents /feedback/record/auth_results/dkim/result in the rua report file. |
rec_auth_dkim_extra_human_result | rua report | DKIM verification results supplement. Represents /feedback/record/auth_results/dkim/extra_human_result in the rua report file. |
ext_is_from_cmc | Extension | Customers Mail Cloud send flag. Flag that determines whether the sender organizational domain is Customers Mail Cloud (smtps.jp). If the email is sent from Customers Mail Cloud, it is true. |
ext_is_sip_expected | Extension | SPF origin verification flag. This indicates the result of re-verifying SPF on the Domain Protection side based on the Envelope From and the sender IP address. If the sender IP address is included in the SPF record, it is true. |
ext_rec_row_sip_country | Extension | Country code. *Currently, country code output is not implemented. |
ext_rec_row_sip_ptr_domain | Extension | Sender Organizational Domain. This indicates the organizational domain found by reverse lookup of the sender IP address. |
ext_rec_row_poleval_dmarc | Extension | DMARC authentication result. Indicates whether the DMARC evaluation has passed either DKIM or SPF. |
ext_rec_type | Extension | Record type. This indicates the code corresponding to the type displayed on the dashboard. 1: Both DKIM and SPF succeeded, 2: Only DKIM succeeded, 3: Only SPF succeeded, 4: Forwarded, 5: DMARC failed |
ext_reverse_header_from | Extension | Reverse Header From. This field represents the domain name in the Header From field with the order of its parts reversed. It is used to sort the From field. |

- Weekly aggregate data
Click the "Download" button in the upper right corner of the weekly summary screen to download the currently displayed weekly summary data (data narrowed down by search criteria) as a CSV file.
The downloaded CSV file will contain the following header columns:
Header Column Name | Screen Items |
---|---|
Start Date | Data period (start date) |
End Date | Data period (end date) |
Header From | Header-from Domain |
Sender Organizational Domain | Sender Organizational Domain |
Message Count | Count |
Evaluated Policy | Policy (apply) |
Published Policy | Policy (publish) |
DMARC Result | DMARC results |
DMARC: DKIM Result | DKIM results (alignment) |
DKIM Result | DKIM results (normal) |
DMARC: SPF Result | SPF Results (alignment) |
SPF Result | SPF results (normal) |
DKIM Selector | DKIM Selector |
DKIM Domain | DKIM Domain |
SPF Domain | SPF Domain |
Forwarded | Forwarded (ARC) |

- Daily aggregate data
Click the "Download" button in the upper right corner of the daily summary screen to download the currently displayed daily summary data (data narrowed down by search criteria) as a CSV file.
The downloaded CSV file will contain the following header columns:
Header Column Name | Screen Items |
---|---|
Date | Statistics day |
Header From | Header-from domain |
Sender IP Address | Sender IP address |
Sender Organizational Domain | Sender Organizational Domain |
Evaluated Policy | Policy (apply) |
Published Policy | Policy (publish) |
Message Count | Count |
DMARC Result | DMARC results |
DMARC: DKIM Result | DKIM results (alignment) |
DKIM Result | DKIM results (normal) |
DMARC: SPF Result | SPF Results (alignment) |
SPF Result | SPF results (normal) |
DKIM Selector | DKIM Selector |
DKIM Domain | DKIM Domain |
SPF Domain | SPF Domain |
Forwarded | Forwarded (ARC) |