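```Base search for the DMARC failure (RUF) dashboard. Every form token is substituted through the |s filter, which wraps the value in double quotes and escapes embedded quotes, so a header value containing spaces or quotes is matched literally instead of being parsed as extra SPL. Each filter keeps its "OR NOT field=*" branch so samples that lack that header are not dropped when a value is entered; the "*" default still matches every event that has the field.```
index="email" (sourcetype="dmarc:failure" OR sourcetype="dmarc:forensic")
    (parsed_sample.headers.From=$header_from|s$ OR NOT parsed_sample.headers.From=*)
    (parsed_sample.headers.To=$header_to|s$ OR NOT parsed_sample.headers.To=*)
    (parsed_sample.headers.Subject=$header_subject|s$ OR NOT parsed_sample.headers.Subject=*)
    (source.ip_address=$source_ip_address|s$ OR NOT source.ip_address=*)
    (source.reverse_dns=$source_reverse_dns|s$ OR NOT source.reverse_dns=*)
    (source.country=$source_country|s$ OR NOT source.country=*)
| table * $time_range.earliest$ $time_range.latest$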
* * * * * * -90d@d now

About DMARC failure reports (RUF)

DMARC failure reports (RUF) contain an email sample that failed DMARC. These can be very useful for DMARC troubleshooting and phishing investigations. However, most email providers do not send failure reports, or may only supply the message headers for privacy reasons.

If you want to ensure that email samples are never stored here, do not publish a ruf address in your domain's DMARC record.

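DMARC failure email samples
```Post-process search over the base search. The From and Reply-To headers are rendered as "Display Name <address>" via coalesce; when the display name is null the concatenation is null and coalesce falls back to the bare address. sort 0 lifts the sort command's default 10,000-row cap so a busy reporting period is not silently truncated.```
| eval from=coalesce('parsed_sample.from.display_name'." <".'parsed_sample.from.address'.">", 'parsed_sample.from.address')
| eval reply_to=coalesce('parsed_sample.reply_to{}.display_name'." <".'parsed_sample.reply_to{}.address'.">", 'parsed_sample.reply_to{}.address')
| rename parsed_sample.subject as subject
| table arrival_date_utc, source.ip_address, "from", subject, reply_to, authentication_results
| sort 0 -arrival_date_utc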