What is the difference between aggregate report and forensic report?

An aggregate report is an XML feedback report designed to provide visibility into emails that passed or failed SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail).

The report provides domain owners with precise insight into:

  • The authentication results, and
  • The effect of the domain owner’s DMARC policy

The report contains the following:

  • The domain or organization that sent the report
  • The domain that you are receiving the report for and its current DMARC policy
  • Date
  • Sending IP address
  • Email count
  • The disposition of those emails ie. the policy that was applied to those emails by the receiver
  • The SPF identifier and result, if any
  • The DKIM identifier and result, if any

The DMARC forensic reports include additional information such as the subject line, header information (i.e. “To” and “From”), URLs included and attachment information.

DMARC forensic reports are generated by an ISP when the SPF or DKIM does not align with DMARC. These reports are only created when the ISP receives a message that fails DMARC authentication. Forensic reports contain sample data indicating that there is an issue with a certain source, mailstream or sending IP. The forensic reports contain message-level data, “To” and “From” email addresses and the IP addresses of the sender. It is also possible to see the body of a message.

Forensic reports could contain the following information:

  • Subject line
  • Time when the message was received
  • IP information
  • Authentication results
    • SPF result
    • DKIM result
    • DMARC result
  • From domain information
    • From address
    • Mail from address
    • DKIM from address
  • Message ID
  • URLs
  • Delivery result
  • What was the applied policy, the message could be rejected if there’s a reject policy in place, or quarantined, or delivered because of a none policy
  • ISP information