All Collections
Using the OnDMARC App
Reports
How to interpret Sender results from the Reports section of OnDMARC
How to interpret Sender results from the Reports section of OnDMARC

Information on the results found in the reports section and some explanation for each and why they may be encountered.

Ivan Kovachev avatar
Written by Ivan Kovachev
Updated over a week ago

Here is a guide that should help you interpret the results shown under the Senders tab of the Reports section of the OnDMARC app.

  • I use the source and it is green

This indicates that your source has been successfully configured.

  • I do not use the source and it is green

It indicates a message sent from legitimate source then relayed by the source in green.

  • I use the source and it is red

It indicates that it is misconfigured, it will have to be added as a legitimate source in  Email Sources and configured correctly.

  • I do not use the source and it is red

Likely to be spoof/spam source or it is a source that is relaying messages from a misconfigured source.

  • I use the source and it is amber

It indicates that the source is likely configured correctly but the report is showing older results prior to the correction. You can in this case change the time period to more recent and see if the source becomes green. If it is still amber then the source may be partly configured and it's configuration needs to be revisited.

  • I do not use the source and it is amber

Indicates that mail is relayed from a source that was misconfigured before but is now correctly configured. So again if you change the time period to more recent you should see the source as now green. If it remains amber then there might be more sources (sending on your behalf) that have been misconfigured and will need to be configured as well.

Example 1: (your mail is hosted on google & adzuna's mail is hosted on google)
you (google) --> adzuna (google)--> destination
In this case you may have had google misconfigured and see it as amber in which case you will see adzuna as also amber. Once you configured your google source correctly then you should see google as green and adzuna as green.

Example 2: (your mail is hosted on google and you are aalso hosted on office 365 and you send email from both sources to adzuna which then forwards to the destination)
In this example you will be sending email originating from two sources. If you fix only google then adzuna will still show as amber. Only once you fix office 365 as well then you will see all as green.

  • How to determine that unknown source is legitimate

Indication might be the actual source of the emails and the amount of emails. For example, if you see gsuite as source and it is red but thousands of emails fail from this source, then this is very likely to be a legitimate source that you need to take into account for two reasons; one because it is from gsuite and gsuite is a reputable source and second because of the amount of emails that are failing. 

  • SPF is 0% but DKIM is at 100%  

This indicates that your mail has been forwarded and SPF does not survive forwarding, however, DKIM did survive the forwarding. Or it could also mean that SPF is not configured for this source, only DKIM.

  • DKIM is 0% but SPF is at 100%  

This might indicate two things. One that DKIM is not configured for this source; or that because SPF passed and aligned, there is no need for DKIM to be checked so it will remain at 0%. In cases where SPF does not pass DKIM will be validated.

NOTE: It is important to look at the sources with most amount of traffic and deal with them first. If you recognise them as legitimate and you configure them correctly then this in turn may solve issues for sources with less traffic where they have forwarded on your behalf. Once this is done, monitor the results and see if it makes a difference. Over time the compliance graph will become more green and less red as you reach full DMARC reject. This is because you have configured all your sources and configured them correctly which in turn pushes spoofers away until they stop impersonating you.

 


Did this answer your question?