Increasing DMARC Aggregate Reports in Cisco ESA
Though Cisco email security appliances (ESA) can be configured to send DMARC aggregate (RUA) reports, they have a limited number of daily DMARC reports they provide. This limit can be easily reached by organizations sending large volumes of email, especially if multiple subdomains are seen in the From header of messages received.
The number of subdomains seen is an issue because of a deficiency in how the Cisco IronPort system generates DMARC reports. Instead of creating a single XML report containing data for the top-level domain and any subdomains (e.g. example.com along with www.example.com, server.example.com, etc), each server instance generates a completely separate report for each—this causes the limit to be reached rapidly.
Increasing the daily limit will ensure that you have the proper visibility and are helping other organizations with their DMARC projects.
The daily DMARC report default setting is 1000, which can be increased only through the command-line interface (CLI). Increasing the RUA report limit may have an impact on the performance of on-premise setups and less likely so for Cisco Cloud Email Security (IPHMX). We recommend first raising the limit to 4000 reports, and then to 8000 reports if the performance is not impacted. A sudden drop in processed DMARC reports is an indication of performance being compromised.
How to Increase Daily DMARC Reports
DMARC configuration options are accessed via CLI through the dmarcconfig command.
The following is the series of commands for increasing the number of daily DMARC RUA reports:
The following is the result of the changes. Compared to the example above where we started with the CLI, you can see that the limit of aggregate reports has been increased to 4000 and an email address has been added for reports.
If you have any questions about how to increase your daily aggregate reports in Ironport, let us know.
We’re Here to Help
With a team of email security experts and a mission of making email and the internet more trustworthy through domain security, dmarcian is here to help assess an organization’s domain catalog and implement and manage DMARC for the long haul.
Want to continue the conversation? Head over to the dmarcian Forum.