Marking Sources
After you set up DMARC for your domains, you must work with the various types of email sources the system identifies before you can enable DMARC enforcement. The system learns from your actions with the various sources and after sufficient exposure, you can enable DMARC enforcement.
Before you begin, it is helpful to understand some vocabulary.
- Unknown Sources – Sources that you have not identified yet, that are sending email while impersonating your domain, so it looks like the email is coming from you. You can choose to approve these sources as legitimate or not. For example, if you are using a mail delivery service, like MailChimp, to send out your marketing materials, that source might be legitimate and can be marked as Approved. Conversely, a source that is impersonating one of your domains to send scam emails is not legitimate and should be marked as Not Approved.
- High Volume Sources– Sources that are impersonating your domain and sending out large quantities of email. As mentioned above, you might hire a marketing company to be a high volume source on your behalf.
- Low Volume Sources– Sources that are also impersonating your domain and sending out email, but in small quantities. Low volume sources usually comprise such a small amount of your total mail that it is usually acceptable to just mark them as Not Approved.
- Approved – Sources that you have identified as safe to be sending email from your domain.
- Not Approved – Sources that you have identified as unsafe and should not be sending email from your domain. This can also include low volume sources.
High Volume Sources
To evaluate and categorize High Volume Sources:
- On the Domains page, if there are high volume sources, click Review High Volume Sources.
If you are already on the Sources Identified by DMARC page, select the Unknown tab. - On the Sources Identified by DMARC page, review the domains in the High Volume Sources section. There are likely to be only a handful of these sources.
- If you recognize a source as legitimate, click Mark as Approved. The source will be placed in the Approved list.
- If you do not recognize a source, consider it to be a safety risk and click Mark as Not Approved. This places the source in the Not Approved list.
- Note that marking as Approved or Not Approved is for your sorting and organizational purposes; it does not prevent the source from using your domain to send spam or phishing emails. However, this categorization allows Barracuda to help you with DMARC enforcement in Step 3.
You can undo your marking of the source if needed. The Undo link is available until you leave or refresh this page. To change how you mark a source, see Changing Source Marking below.
After you mark a source as Approved or Not Approved, the source no longer appears in the High Volume Sources section. It is now located in the Approved or Not Approved list. Refer to Changing Source Marking at the end of this article for information on changing categories, if needed.
Low Volume Sources
To evaluate and mark Low Volume Sources:
- On the Sources Identified by DMARC page, select the Unknown tab.
- Review and categorize the domains in the Low Volume Sources section. There might be a large number of these sources.
- If you recognize a source as legitimate, click Mark as Approved. The source will be placed in the Approved list.
- If you do not recognize a source, consider it to be a safety risk and click Mark as Not Approved. This places the source in the Not Approved list.
- Note that marking as Approved or Not Approved is for your sorting and organizational purposes; it does not prevent the source from using your domain to send spam or phishing emails. However, this categorization allows Barracuda to help you with DMARC enforcement in Step 3.
You can undo your marking of the source if needed. The Undo link is available until you leave or refresh this page. To change how you mark a source, see Changing Source Marking below.
After you mark a source as Approved or Not Approved, the source no longer appears in the High Volume Sources section. It is now located in the Approved or Not Approved list. Refer to Changing Source Marking at the end of this article for information on changing categories, if needed.
Approved Sources
The Approved Sources list, displayed under the Approved tab, includes sources you marked as Approved – meaning that you consider them to be legitimate. Sources are sorted by the number of emails reported, from greatest to least. Use the Search field to locate specific senders by domain name.
After a period of data gathering, some sources within the Approved Sources category will pass DMARC authentication and others will not. Status displays as a percent of passed or failed incidents in green or red, depending on which is the majority of outcomes. Click Investigate to learn more about the DMARC authentication status for a certain sender.
After investigation, you might decide to mark a domain as Not Approved. To do this, click the arrow next to the word Approved. Then select Mark as Not Approved.
Investigating Reports
When you click Investigate, all reports appear for that domain, sorted into two categories, found on two tabs – Fail and Pass. You can also view failure samples.
Fail Tab
The Fail tab includes the percentage of your total email traffic that failed DMARC authentication. In the Fail table, you can see how many reports failed and their percentage of your total failed reports each comprises. The Status columns for both SPF and DKIM show specific passes and/or failures and whether there was any misalignment. Follow the links in the last column to address any failures shown in red on this page. The links in the last column will lead to specific information for certain domains, if available. Otherwise, the links will lead to the following Campus articles:
Pass Tab
The Pass tab includes the percentage of your total email traffic that passed DMARC authentication. In the Pass table, you can see how many individual reports passed DMARC and their percentage of your total passed reports each comprises. The Status columns for both SPF and DKIM show specific passes and/or failures and whether there was any misalignment. No action is required for reports in the Pass tab.
Failure Samples
Failure reports, also called RUF (Reporting URI for Forensic reports), are sent to you when a receiver rejects a message based on your DMARC policy. Failure reports, when present, can be useful for troubleshooting, helping you to identify bugs in your own mail system as well as to identify some impersonation and phishing attacks. When you investigate a domain with Barracuda, you can view samples of failures. In the top right corner of the page, click View Failure Samples. Each line is a separate report and can include one or more emails. Click View to see details about the email itself, the email header, and the failure report. You can download the email as well as copy the report and header information for use outside of Barracuda.
Changing Source Marking
If you make a mistake or change your mind while marking sources as Approved or Not Approved, you can make changes.
Sources that you have marked Approved or Not Approved appear in the lists by those names. At the top of the Sources Identified by DMARC page, select the Approved or Not Approved tab to view sources in those categories.
To change the categorization of a source:
- Review the list in the appropriate tab.
- In the Approved tab, locate the appropriate source and click the arrow next to the word Approved. Then select Mark as Not Approved.
In the Not Approved tab, locate the appropriate source and click the arrow next to the words Not Approved. Then select Mark as Approved. - Repeat with other sources, if needed.
The sources will appear in the appropriate category – Approved or Not Approved. Once you have looked at a source, you can no longer categorize it as Unknown.
When the system is has learned enough to enforce DMARC, a button appears. Continue the process with Step 3 - Enabling DMARC Enforcement.