We use cookies on our website to ensure we provide you with the best experience on our website. By using our website, you agree to the use of cookies for analytics and personalized content.This website uses cookies. More Information
It seems like your browser didn't download the required fonts. Please revise your security settings and try again.

Step 2 - Working with Email Sources

  • Last updated on

You must complete all three steps of this process to enable DMARC enforcement:

Marking Sources

After you set up DMARC for your domains, you must work with the various types of email sources the system identifies before you can enable DMARC enforcement. The system learns from your actions with the various sources and after sufficient exposure, you can enable DMARC enforcement.

Before you begin, it is helpful to understand some vocabulary.

  • Unknown Sources – Sources that you have not identified yet, that are sending email while impersonating your domain, so it looks like the email is coming from you. You can choose to approve these sources as legitimate or not. For example, if you are using a mail delivery service, like MailChimp, to send out your marketing materials, that source might be legitimate and can be marked as Approved. Conversely, a source that is impersonating one of your domains to send scam emails is not legitimate and should be marked as Not Approved. 
  • High Volume Sources– Sources that are impersonating your domain and sending out large quantities of email. As mentioned above, you might hire a marketing company to be a high volume source on your behalf. 
  • Low Volume Sources– Sources that are also impersonating your domain and sending out email, but in small quantities. Low volume sources usually comprise such a small amount of your total mail that it is usually acceptable to just mark them as Not Approved. 
  • Approved – Sources that you have identified as safe to be sending email from your domain.
  • Not Approved – Sources that you have identified as unsafe and should not be sending email from your domain. This can also include low volume sources. 
High Volume Sources

To evaluate and mark High Volume Sources: 

  1. On the Domains page, if there are high volume sources, click Review High Volume Sources.
    If you are already on the Sources Identified by DMARC page, select the Unknown tab.
  2. On the Sources Identified by DMARC page, review the domains in the High Volume Sources section. There are likely to be only a handful of these sources.
    • If you recognize a source as legitimate, click Mark as Approved. The source will continue to be able to send emails on your behalf. 
    • If you do not recognize a source, consider it to be a safety risk and click Mark as Not Approved. The source will no longer be able to send emails on your behalf. 
    Consider visiting the source of the email traffic. If available, a link is provided for you. 

You can undo your marking of the source if needed. The Undo link is available until you leave or refresh this page. To change how you mark a source, see Changing Source Marking below. 

After you mark a source as Approved or Not Approved, the source no longer appears in the High Volume Sources section. It is now located in the Approved or Not Approved list. Refer to Changing Source Marking at the end of this article for information on changing categories, if needed. 

Low Volume Sources

To evaluate and mark Low Volume Sources: 

  1. On the Sources Identified by DMARC page, select the Unknown tab.
  2. Review the domains in the Low Volume Sources section. There might be a large number of these sources.
    • If you recognize a source as legitimate, click Mark as Approved. The source will continue to be able to send emails on your behalf. 
    • If you do not recognize a source, consider it to be a safety risk and click Mark as Not Approved. The source will no longer be able to send emails on your behalf. 

Tip: Low Volume Sources are sorted by number of emails reported. Mark the entries with the largest numbers of emails reported first. Then, for the small sources, consider using the Mark All button to handle the small sources in bulk.

You can undo your marking of the source if needed. The Undo link is available until you leave or refresh this page. To change how you mark a source, see Changing Source Marking below. 

After you mark a source as Approved or Not Approved, the source no longer appears in the High Volume Sources section. It is now located in the Approved or Not Approved list. Refer to Changing Source Marking at the end of this article for information on changing categories, if needed. 

Approved Sources

The Approved Sources list, displayed under the Approved tab, includes sources you marked as Approved – meaning that you consider them to be legitimate. Sources are sorted by the number of emails reported, from greatest to least. Use the Search field to locate specific senders by domain name. 

After a period of data gathering, some sources within the Approved Sources category will pass DMARC authentication and others will not. Status displays as a percent of passed or failed incidents in green or red, depending on which is the majority of outcomes.  Click Investigate to learn more about the DMARC authentication status for a certain sender. 

After investigation, you might decide to mark a domain as Not Approved. To do this, click the arrow next to the word Approved. Then select Mark as Not Approved.

Investigating Reports

When you click Investigate, all reports appear for that domain, sorted into two categories, found on two tabs – Fail and Pass. You can also view failure samples. 

Fail Tab

The Fail tab includes the percentage of your total email traffic that failed DMARC authentication. In the Fail table, you can see how many reports failed and their percentage of your total failed reports each comprises. The Status columns for both SPF and DKIM show specific passes and/or failures and whether there was any misalignment. Follow the links in the last column to address any failures shown in red on this page. The links in the last column will lead to specific information for certain domains, if available. Otherwise, the links will lead to the following Campus articles:

Pass Tab

The Pass tab includes the percentage of your total email traffic that passed DMARC authentication. In the Pass table, you can see how many individual reports passed DMARC and their percentage of your total passed reports each comprises. The Status columns for both SPF and DKIM show specific passes and/or failures and whether there was any misalignment. No action is required for reports in the Pass tab. 

Failure Samples

Failure reports, also called RUF ( Reporting URI for Forensic reports), are sent to you when a receiver rejects a message based on your DMARC policy. Failure reports, when present, can be useful for troubleshooting, helping you to identify bugs in your own mail system as well as to identify some impersonation and phishing attacks. When you investigate a domain in Barracuda Sentinel, you can view samples of failures. In the top right corner of the page, click View Failure Samples. Each line is a separate report and can include one or more emails. Click View to see details about the email itself, the email header, and the failure report. You can download the email as well as copy the report and header information for use outside of Barracuda Sentinel. 

Changing Source Marking

If you make a mistake or change your mind while marking sources as Approved or Not Approved, you can make changes.

Sources that you have marked Approved or Not Approved appear in the lists by those names.  At the top of the Sources Identified by DMARC page, select the Approved or Not Approved tab to view sources in those categories. 

approvedTab.png

To change the categorization of a source:

  1. Review the list in the appropriate tab. 
  2. In the Approved tab, locate the appropriate source and click the arrow next to the word Approved. Then select Mark as Not Approved.
    In the Not Approved tab, locate the appropriate source and click the arrow next to the words Not Approved. Then select Mark as Approved.
  3. Repeat with other sources, if needed.

The sources will appear in the appropriate category – Approved or Not Approved. Once you have looked at a source, you can no longer categorize it as Unknown

When the system is has learned enough to enforce DMARC, a button appears. Continue the process with Step 3 - Enabling DMARC Enforcement.

Last updated on