We have added functionality that enables customers to filter forensic reports based on the following pieces of information:

  • from

  • subject

  • authservId

  • spf

  • dkim

  • dkimDomain

  • senderIP (with CIDR syntax)

The authservID, spf, dkim, dkimDomain and senderIP are all taken from the “authentication-results:” email header. An example is shown below.

To search for reports that have soft failed SPF you would type the following:


You could also combine searches such as in the following examples:

+spf:softfail +senderIP:  - prefixing the two with “+” brings back results that contain both ie. AND operation. 

spf:softfail senderIP: - not prefixing the two words with “+”brings back results that contain either one ie. OR operation. 

For further explanation please see our video below.

Did this answer your question?