DMARC allows you to specify a destination for aggregate (rua) and failure (ruf) reports with regard to emails (that claim to be) from your domain. This also allows you to detect when a malicious script on one or more of your own servers sends unsolicited email.
Last week we saw a huge increase in the number of aggregate and failure reports for one of our users. We have informed the user and after resolving the problem, they have given us permission to use their anonymized data so that we can show others how to detect and resolve this type of abuse.
When a malicious script sends (huge amounts of) emails, the biggest problem is that SPF will not fail, because the email really does originate from your server(s). If the messages are sent through your MTA, they are probably signed with DKIM as well. Because both SPF and DKIM pass and align, receiving mail servers will not reject the messages based on your DMARC policy.
The first thing you will probably notice is the huge increase in the number of reports you receive. If your domain normally sends about 100 emails a day, and suddenly you receive reports for more than 190,000 emails, you are likely to have a problem.
Have a look at the reports above. You can probably guess when the malicious script started sending emails.
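Spotting that spike does not have to be done by eye. Below is an added example (not code from this post or from URIports) that parses a constructed DMARC aggregate (rua) report in the RFC 7489 XML layout, totals the message counts per sending IP, and raises an alert when the volume is far above the expected daily baseline, even though every row from our own servers passes SPF and DKIM with alignment. The IPs, counts and domain in the sample are made up; the baseline of 100 messages a day and the factor of 10 are assumptions you would tune for your own domain.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample of one DMARC aggregate report (RFC 7489 XML).
# 192.0.2.10 is the normal low-volume sender, 192.0.2.11 is a second own
# server that suddenly sends a huge burst (still passing SPF and DKIM),
# and 198.51.100.7 is an unrelated spoofer whose mail fails and is rejected.
SAMPLE_RUA_XML = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>example-receiver.test</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>quarantine</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>85</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>192.0.2.11</source_ip><count>190000</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>12</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>
"""


def parse_aggregate_report(xml_text):
    """Summarise one rua report: total volume, aligned passes, volume per source IP."""
    root = ET.fromstring(xml_text)
    begin = int(root.findtext("report_metadata/date_range/begin"))
    end = int(root.findtext("report_metadata/date_range/end"))
    per_source = defaultdict(int)
    total = 0
    aligned_pass = 0
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        # policy_evaluated holds the *aligned* results; DMARC passes if either does
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        total += count
        per_source[ip] += count
        if dkim == "pass" or spf == "pass":
            aligned_pass += count
    return {
        "domain": root.findtext("policy_published/domain"),
        "days": (end - begin + 1) / 86400,
        "total": total,
        "aligned_pass": aligned_pass,
        "per_source": dict(per_source),
    }


def volume_alert(summary, baseline_per_day, factor=10):
    """True when the reported volume exceeds the expected baseline by `factor`.

    The check deliberately ignores whether the mail passed DMARC: a compromised
    server passes SPF and DKIM, so volume is the signal that remains.
    """
    expected = baseline_per_day * summary["days"]
    return summary["total"] > expected * factor


if __name__ == "__main__":
    summary = parse_aggregate_report(SAMPLE_RUA_XML)
    print(summary)
    if volume_alert(summary, baseline_per_day=100):
        worst_ip = max(summary["per_source"], key=summary["per_source"].get)
        print("ALERT: volume spike, largest source", worst_ip)
```

In practice you would run this over every report as it arrives and keep a rolling baseline per domain; the per-source breakdown tells you which of your own servers to look at first.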
As soon as receiving servers quarantine or reject the messages, the failure reports will start flowing in. These reports contain more valuable information, such as the sender's name, the email subject and the full message headers.
The message headers may contain data that can lead you to the correct server and even the exact filename responsible for sending the message. This allows you to detect and remove the cause and prevent more emails from being sent.
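To show what "lead you to the correct server and even the exact filename" looks like in practice, here is an added example (again not code from this post or from URIports) that parses a constructed failure (ruf) report in the ARF layout of RFC 6591 and pulls out the fields a responder needs: the source IP and envelope sender from the feedback-report part, and from the attached original message the subject, the first-hop Received header (which on a Postfix host records the local user ID that injected the mail) and the X-PHP-Originating-Script header that PHP adds when mail.add_x_header is enabled. Hosts, IPs, user IDs, the script name and the message itself are all made up.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed DMARC failure report (ARF, RFC 6591): a multipart/report with a
# human-readable part, the machine-readable feedback-report fields, and a copy
# of the offending message. Every value below is invented for the example.
SAMPLE_RUF = """From: dmarc-noreply@example-receiver.test
To: ruf@example.com
Subject: FW: Cheap offers!!!
MIME-Version: 1.0
Content-Type: multipart/report; report-type=feedback-report; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

This is an authentication failure report for an email message received from IP 192.0.2.10.

--b1
Content-Type: message/feedback-report

Feedback-Type: auth-failure
User-Agent: constructed-reporter/1.0
Version: 1
Original-Mail-From: www-data@host1.example.com
Source-IP: 192.0.2.10
Auth-Failure: dmarc
Reported-Domain: example.com

--b1
Content-Type: message/rfc822

Received: from host1.example.com (host1.example.com [192.0.2.10])
\tby mx.example-receiver.test with ESMTP id abc123
Received: by host1.example.com (Postfix, from userid 33)
\tid 1234; Mon, 13 Nov 2023 10:00:00 +0000
X-PHP-Originating-Script: 33:mailer.php
From: "Support" <support@example.com>
To: victim@example-receiver.test
Subject: Cheap offers!!!
Date: Mon, 13 Nov 2023 10:00:00 +0000
Message-ID: <constructed@host1.example.com>

Buy now.

--b1--
"""


def triage_failure_report(raw):
    """Extract the who/where/what of one ARF failure report into a dict."""
    msg = message_from_string(raw, policy=default)
    result = {}
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/feedback-report":
            # The report fields are header-shaped, so the parser exposes them as headers
            fields = part.get_payload(0)
            result["source_ip"] = str(fields["Source-IP"])
            result["reported_domain"] = str(fields["Reported-Domain"])
            result["envelope_from"] = str(fields["Original-Mail-From"])
        elif ctype == "message/rfc822":
            original = part.get_payload(0)
            result["subject"] = str(original["Subject"])
            result["header_from"] = str(original["From"])
            # Present when PHP's mail.add_x_header is on: "<uid>:<script filename>"
            script = original.get("X-PHP-Originating-Script")
            result["originating_script"] = str(script) if script else None
            # Received headers are prepended per hop, so the last one is the first
            # hop: the host where the message was injected into the mail system
            received = original.get_all("Received") or []
            first_hop = str(received[-1]) if received else ""
            m = re.search(r"by\s+(\S+).*?from userid (\d+)", first_hop, re.S)
            result["originating_host"] = m.group(1) if m else None
            result["originating_uid"] = int(m.group(2)) if m else None
    return result


if __name__ == "__main__":
    for key, value in triage_failure_report(SAMPLE_RUF).items():
        print(f"{key:20} {value}")
```

The combination of originating host, local user ID and script filename is usually enough to find the offending file on that server; if you collect these reports centrally, grouping them by those three fields shows at a glance whether one script or several are involved.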
As you can see, URIports helps you to detect and solve all kinds of problems with your website and email server. If you haven't set up SPF, DKIM and DMARC yet, get right to it. You can read more about email security in my previous blog post here.