Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3060
Views
0
Helpful
5
Replies

Does ESA send DMARC Failure reports ?

taagaard
Level 1
Level 1

‎08-03-2020 01:52 PM

Hi,

 

Does the Email Security Appliance send DMARC Failure reports ( to the ruf address tag ) when dmarc verifications fails ?

 

Thanks

Torben

Labels:
0 Helpful
5 Replies 5

ppreenja
Cisco Employee
Cisco Employee

‎08-05-2020 03:11 AM

Hello Torben,

You can configure ESA for generating DMARC aggregation report, please refer to the below link for more details:

https://www.cisco.com/c/en/us/td/docs/security/esa/esa13-5-1/user_guide/b_ESA_Admin_Guide_13-5-1/b_ESA_Admin_Guide_12_1_chapter_010110.html#con_1148226

I hope the above helps.

Cheers,
Pratham
0 Helpful

taagaard
Level 1
Level 1
In response to ppreenja

‎08-06-2020 05:01 AM

Hello,

 

Yes - but the question was if the appliances sends Failure reports ? I guess the answer is no.

 

BR Torben

 

0 Helpful

marc.luescherFRE
Spotlight
Spotlight
In response to taagaard

‎08-06-2020 05:33 AM

Hi Torben,

 

please define failure reports...

 

I assume you mean if the ESA notifies you if a RUA or RUF report requested by a 3rd party sender  does bounce. If this is the case then the answer is no. You will need to monitor your ESA delivery queue as the ESA will continue to deliver those reports over and over again.

 

This would be a good feature request to have an exception table so you could add such domains.

 

Regards

Marc

0 Helpful

taagaard
Level 1
Level 1
In response to marc.luescherFRE

‎08-06-2020 06:12 AM

Hi Marc,

 

I do mean RUF reports. Apparently the ESA does not send those at all.

 

The problem with delivering/bouncing reports ( both RUA and RUF ) is a different discussion.

 

On a side note - I have noticed the sometimes the ESA does not send aggregate reports. Running 13.0.0 and I am not sending more than 1000 reports/day. Guess I have to create a support case for that...

 

 

BR Torben

0 Helpful

Tomki
Level 1
Level 1
In response to taagaard

‎10-21-2021 11:51 PM

Hello,

the limit of 1000 reports *can* be modified per-system via the dmarcconfig command (CLI), but the limit is typically hit because of a separate bug on the IronPorts.  Due to performance implications, the limit of 1000 probably shouldn't be modified too much - ask that Cisco fix the actual bug here instead: CSCuu91689 (not customer visible in Cisco's bug tracker).

 

When sending DMARC RUA, the ESA will generate a separate file+RUA email for *every* domain. www.domain.com, mx01.domain.com, blahdeyblah.domain.com - and each counts against the daily limit of 1000. The intended RUA generation is that any subdomain without its own DMARC policy has data rolled up into the top domain file.  This is why each record row in the XML file has a 'header_from' field.

Since fraud often uses subdomains in From header, a single domain campaign could exhaust an ESA's report limit.

 

0 Helpful
Customers Also Viewed These Support Documents