{"id":284,"date":"2026-05-28T08:51:15","date_gmt":"2026-05-28T08:51:15","guid":{"rendered":"https:\/\/rbl.watch\/blog\/dmarc-raporlari-nasil-okunur-aggregate-forensic\/"},"modified":"2026-05-28T10:29:27","modified_gmt":"2026-05-28T10:29:27","slug":"dmarc-raporlari-nasil-okunur-aggregate-forensic","status":"publish","type":"post","link":"https:\/\/rbl.watch\/blog\/dmarc-raporlari-nasil-okunur-aggregate-forensic\/","title":{"rendered":"How Do You Read DMARC Reports? A Guide to Aggregate and Forensic Reports"},"content":{"rendered":"<p>You have published a DMARC record, and your email is reaching Gmail and Outlook without trouble. But what about messages that spoof your domain without your knowledge? Or your automated notifications that pass SPF yet still fail DMARC? The only answer to these problems is <strong>reading your DMARC reports<\/strong>.<\/p>\n<p>In this guide we walk step by step through the two types of DMARC report (Aggregate and Forensic), their XML structure, the tools you can use to parse them, and the signals that call for immediate action.<\/p>\n<h2>What Are DMARC Reports and Why Do They Matter?<\/h2>\n<p>The <code>rua=<\/code> and <code>ruf=<\/code> fields in your DMARC record let receiving servers around the world send you feedback. 
Every day Gmail, Microsoft, Yahoo, Apple and other large providers run a DMARC check on every email that claims to come from your domain and report the results to you.<\/p>\n<p>Without these reports:<\/p>\n<ul>\n<li>You <strong>cannot know<\/strong> who is spoofing (impersonating) your domain.<\/li>\n<li>You <strong>cannot see<\/strong> which of your legitimate services (ESP, transactional server) are failing DMARC.<\/li>\n<li>You cannot safely raise your DMARC policy from <code>p=none<\/code> to <code>p=quarantine<\/code> or <code>p=reject<\/code>.<\/li>\n<\/ul>\n<p>In short, DMARC reports are <strong>the radar screen for your email domain<\/strong>.<\/p>\n<h2>Two Types of DMARC Report: Aggregate (RUA) and Forensic (RUF)<\/h2>\n<h3>1. Aggregate Report (RUA): Daily Summary<\/h3>\n<p>An aggregate report is a <em>summary<\/em> of all the email a receiving server saw from your domain over a given period (usually 24 hours). 
It arrives in XML format and contains:<\/p>\n<ul>\n<li><strong>Source IP<\/strong>: which IP address the email came from<\/li>\n<li><strong>Message count<\/strong>: how many messages came from that IP<\/li>\n<li><strong>SPF \/ DKIM results<\/strong>: pass or fail<\/li>\n<li><strong>Alignment result<\/strong>: whether domain alignment succeeded<\/li>\n<li><strong>DMARC disposition<\/strong>: what the receiver did (none\/quarantine\/reject)<\/li>\n<\/ul>\n<p>Typical aggregate XML looks like this:<\/p>\n<pre><code>&lt;record&gt;\n  &lt;row&gt;\n    &lt;source_ip&gt;192.0.2.50&lt;\/source_ip&gt;\n    &lt;count&gt;142&lt;\/count&gt;\n    &lt;policy_evaluated&gt;\n      &lt;disposition&gt;none&lt;\/disposition&gt;\n      &lt;dkim&gt;pass&lt;\/dkim&gt;\n      &lt;spf&gt;pass&lt;\/spf&gt;\n    &lt;\/policy_evaluated&gt;\n  &lt;\/row&gt;\n  &lt;identifiers&gt;\n    &lt;header_from&gt;sirketim.com&lt;\/header_from&gt;\n  &lt;\/identifiers&gt;\n  &lt;auth_results&gt;\n    &lt;dkim&gt;\n      &lt;domain&gt;sirketim.com&lt;\/domain&gt;\n      &lt;result&gt;pass&lt;\/result&gt;\n    &lt;\/dkim&gt;\n    &lt;spf&gt;\n      &lt;domain&gt;sirketim.com&lt;\/domain&gt;\n      &lt;result&gt;pass&lt;\/result&gt;\n    &lt;\/spf&gt;\n  &lt;\/auth_results&gt;\n&lt;\/record&gt;<\/code><\/pre>\n<p>This record tells you: <em>&#8220;142 messages came from IP 192.0.2.50, all of them passed SPF and DKIM, the DMARC result was none (no policy was applied), and the header from was sirketim.com.&#8221;<\/em><\/p>\n<h3>2. Forensic Report (RUF): Individual Failure Detail<\/h3>\n<p>A forensic report is a more detailed copy of <strong>individual messages that failed DMARC<\/strong>. 
Unlike an aggregate report it is not a summary; it contains the message&#8217;s original headers and body.<\/p>\n<p>It is useful, but it has drawbacks:<\/p>\n<ul>\n<li>KVKK\/GDPR risk (it contains personal data: recipient\/sender addresses)<\/li>\n<li>Most large providers (including Gmail) do not send forensic reports<\/li>\n<li>At high volume it can put load on your server<\/li>\n<\/ul>\n<p>Practical advice: <strong>do not use RUF; focus on RUA.<\/strong> Aggregate reports cover 95% of your needs.<\/p>\n<h2>Which Tools Can I Use to Read DMARC Reports?<\/h2>\n<p>Reading XML by hand is not practical. Choose one of these three approaches:<\/p>\n<h3>1. SaaS Dashboards (Easiest)<\/h3>\n<ul>\n<li><strong>DMARCian<\/strong>: Industry standard. Has a free tier (10K messages\/month).<\/li>\n<li><strong>Postmark DMARC Digests<\/strong>: Completely free; sends a weekly summary email.<\/li>\n<li><strong>EasyDMARC<\/strong>: Turkish interface, free tier.<\/li>\n<li><strong>Valimail<\/strong>: Enterprise-focused, BIMI-ready.<\/li>\n<\/ul>\n<p>You give these tools an address in the form <code>rua=mailto:rapor@aracadres.com<\/code>; the reports flow there and you view them on the dashboard in chart\/table format.<\/p>\n<h3>2. Self-hosted Parsers<\/h3>\n<ul>\n<li><strong>parsedmarc<\/strong> (Python): open source, Elasticsearch\/Splunk integration<\/li>\n<li><strong>dmarc-srg<\/strong> (PHP): free web interface<\/li>\n<\/ul>\n<p>If data ownership matters, run it on your own server. This is the preferred option for KVKK\/GDPR compliance.<\/p>\n<h3>3. 
Manual XML Review<\/h3>\n<p>This works at small scale. Open the XML file and scan the source_ip + dkim + spf triplet. Pass results are normal; investigate the failures.<\/p>\n<h2>Which Signals in the Reports Call for Immediate Action?<\/h2>\n<h3>\ud83d\udd34 Unknown IP + DMARC fail<\/h3>\n<p>If messages claiming your domain come from an IP that is not part of your infrastructure and they fail DMARC, this is <strong>spoofing<\/strong>. Your domain is being abused. Before moving to <code>p=quarantine<\/code> or <code>p=reject<\/code>, either whitelist these IPs or investigate their source.<\/p>\n<h3>\ud83d\udfe1 Known IP + SPF pass + DKIM fail<\/h3>\n<p>Usually a forwarding problem. When a user forwards your message, DKIM breaks but SPF is preserved (if ARC is present). It is common and not critical.<\/p>\n<h3>\ud83d\udfe1 Known IP + alignment fail<\/h3>\n<p>SPF or DKIM technically passes but fails <strong>alignment<\/strong>. In other words, the d= or MailFrom domain does not match the domain in the From: header. This is common with ESPs (for example, SendGrid&#8217;s default configuration). Fix: <a href=\"https:\/\/rbl.watch\/blog\/spf-dkim-dmarc-hizalama-alignment-rehberi\/\" rel=\"nofollow\">correct the domain alignment<\/a>.<\/p>\n<h3>\ud83d\udfe2 100% pass: The Goal<\/h3>\n<p>If all your legitimate servers show a pass rate of 95%+, you can move up to <code>p=quarantine<\/code>. 
At 99%+ you can move to <code>p=reject<\/code>.<\/p>\n<h2>Recommended DMARC Monitoring Workflow<\/h2>\n<ol>\n<li><strong>Weeks 1-2:<\/strong> Publish <code>p=none; rua=mailto:dmarc@sirketim.com;<\/code> and collect reports.<\/li>\n<li><strong>Weeks 3-4:<\/strong> Review the reports in a tool such as DMARCian and list all legitimate sending sources.<\/li>\n<li><strong>Weeks 5-6:<\/strong> Complete missing SPF includes and DKIM configuration. Repeat until every source passes.<\/li>\n<li><strong>Week 7+:<\/strong> Once the pass rate exceeds 95%, switch to <code>p=quarantine; pct=25<\/code>. Gradually raise it to <code>pct=100<\/code>.<\/li>\n<li><strong>After 3 months:<\/strong> Move to <code>p=reject<\/code>. Your domain can no longer be spoofed.<\/li>\n<\/ol>\n<h2>Frequently Asked Questions<\/h2>\n<h3>I am not receiving DMARC reports. What is wrong?<\/h3>\n<p>If no report arrives within the first 24-72 hours: verify your record with <a href=\"https:\/\/rbl.watch\/tools\/dmarc-check\">our DMARC check tool<\/a> and make sure the <code>rua=<\/code> field contains a valid email address. Also check that DMARC reports are not landing in spam on the mail server that receives that address (reports often use generic addresses).<\/p>\n<h3>Can I send rua= to a different domain?<\/h3>\n<p>Yes, but it requires <strong>external destination authorization<\/strong>. If you specify <code>rua=mailto:dmarc@baska-sirket.com<\/code>, the DNS for baska-sirket.com must contain a <code>sirketim.com._report._dmarc.baska-sirket.com<\/code> record (DNS TXT). 
SaaS services such as DMARCian manage this automatically.<\/p>\n<h3>What is the difference between RUA and RUF?<\/h3>\n<p>RUA is a daily summary (aggregate, XML); RUF is the detail of an individual failed message (forensic). In practice RUA is sufficient; most large providers do not send RUF. Using RUF is also not recommended because of KVKK\/GDPR.<\/p>\n<h3>I do not want to receive DMARC reports by email. Is there an alternative?<\/h3>\n<p>Set the RUA address to that of a SaaS service (e.g. DMARCian or EasyDMARC); the reports flow there and you view them as charts on the dashboard. They never reach your own server.<\/p>\n<h2>Conclusion<\/h2>\n<p>DMARC reports look complicated at first, but read systematically they give you full visibility into your email infrastructure. Verify your current record with <a href=\"https:\/\/rbl.watch\/tools\/dmarc-check\">our DMARC record check tool<\/a>, sign up for a SaaS dashboard, and get into the routine of reading the reports <strong>within 2-3 weeks<\/strong>. After that, a safe move to <code>p=reject<\/code> will both improve your email deliverability and block domain spoofing entirely.<\/p>\n<p>If you still have deliverability problems, remember that the cause may be an <a href=\"https:\/\/rbl.watch\/blacklist-check\">IP blacklist<\/a> rather than DMARC. Monitoring both together is the right approach.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>You have published a DMARC record, and your email is reaching Gmail and Outlook without trouble. 
But what about messages that spoof your domain without your knowledge? Or your automated notifications that pass SPF yet still fail DMARC? The only answer to these problems is reading your DMARC reports. In this guide we walk step by step through the two types of DMARC report (Aggregate and Forensic), their XML structure, the tools you can use to parse them, and the signals that call for immediate action. &#8230; <a title=\"How Do You Read DMARC Reports? A Guide to Aggregate and Forensic Reports\" class=\"read-more\" href=\"https:\/\/rbl.watch\/blog\/dmarc-raporlari-nasil-okunur-aggregate-forensic\/\" aria-label=\"Read more about How Do You Read DMARC Reports? A Guide to Aggregate and Forensic Reports\">Read more<\/a><\/p>\n","protected":false},"author":2,"featured_media":304,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,6],"tags":[],"class_list":["post-284","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-eposta-guvenligi","category-nasil-yapilir"],"_links":{"self":[{"href":"https:\/\/rbl.watch\/blog\/wp-json\/wp\/v2\/posts\/284","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rbl.watch\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rbl.watch\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rbl.watch\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/rbl.watch\/blog\/wp-json\/wp\/v2\/comments?post=284"}],"version-history":[{"count":1,"href":"https:\/\/rbl.watch\/blog\/wp-json\/wp\/v2\/posts\/284\/revisions"}],"predecessor-version":[{"id":289,"href":"https:\/\/rbl.watch\/blog\/wp-json\/wp\/v2\/posts\/284\/revisions\/289"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/rbl.watch\/blog\/wp-json\
/wp\/v2\/media\/304"}],"wp:attachment":[{"href":"https:\/\/rbl.watch\/blog\/wp-json\/wp\/v2\/media?parent=284"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rbl.watch\/blog\/wp-json\/wp\/v2\/categories?post=284"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rbl.watch\/blog\/wp-json\/wp\/v2\/tags?post=284"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}