Understanding DMARC Reports
Make sense of aggregate reports and identify authentication issues.
DMARC aggregate reports (RUA) are XML files sent by receiving mail servers. They show who's sending email as your domain and whether authentication passed.
Report Structure
<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <email>noreply-dmarc-support@google.com</email>
    <report_id>1234567890</report_id>
    <date_range>
      <begin>1704067200</begin> <!-- Unix timestamp -->
      <end>1704153599</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim> <!-- DKIM alignment mode -->
    <aspf>r</aspf> <!-- SPF alignment mode -->
    <p>reject</p> <!-- Domain policy -->
    <sp>reject</sp> <!-- Subdomain policy -->
    <pct>100</pct> <!-- Policy percentage -->
  </policy_published>
  <record>
    <row>
      <source_ip>203.0.113.50</source_ip>
      <count>1234</count> <!-- Number of messages -->
      <policy_evaluated>
        <disposition>none</disposition> <!-- What happened -->
        <dkim>pass</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>example.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>example.com</domain>
        <result>pass</result>
        <selector>google</selector>
      </dkim>
      <spf>
        <domain>example.com</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
</feedback>
Key Fields Explained
| Field | Meaning |
|---|---|
| source_ip | IP address that sent the emails |
| count | Number of messages from this IP |
| disposition | Action taken: none, quarantine, or reject |
| dkim (policy_evaluated) | DKIM alignment result: pass or fail |
| spf (policy_evaluated) | SPF alignment result: pass or fail |
| auth_results | Raw authentication results (before alignment check) |
Common Report Scenarios
All Pass
SPF pass + DKIM pass + alignment = Fully authenticated. This is your goal.
SPF Pass, DKIM Fail
Common with forwarded email or mailing lists that modify headers. Check whether the source IP is legitimate.
DKIM Pass, SPF Fail
The sending server is not in your SPF record but has valid DKIM. Add the IP to SPF or accept DKIM-only auth.
Both Fail
Either a spoofing attempt or a misconfigured legitimate sender. Investigate the source IP carefully.
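The four scenarios above can be tallied directly from each record's policy_evaluated results. The following is an added example, not code from the original page or from MimeProtect. It assumes un-namespaced reports shaped like the sample above; the SAMPLE data and the names classify_report and SCENARIOS are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample report (not real data): two records for example.com.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <policy_published><domain>example.com</domain><p>reject</p></policy_published>
  <record>
    <row><source_ip>203.0.113.50</source_ip><count>1234</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>3</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""

# Keys are (spf, dkim) as reported under policy_evaluated, i.e. after alignment.
SCENARIOS = {
    ("pass", "pass"): "all_pass",
    ("pass", "fail"): "spf_pass_dkim_fail",
    ("fail", "pass"): "dkim_pass_spf_fail",
    ("fail", "fail"): "both_fail",
}

def classify_report(xml_text):
    """Return (per-record findings, message totals per scenario)."""
    # Reports come from third parties: refuse DTDs so entity tricks never reach the parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not expected in a DMARC report")
    root = ET.fromstring(xml_text.encode("utf-8"))
    rows, totals = [], Counter()
    for rec in root.iter("record"):
        ev = rec.find("row/policy_evaluated")
        if ev is None:
            continue  # malformed record: nothing to classify
        spf = (ev.findtext("spf") or "").strip().lower()
        dkim = (ev.findtext("dkim") or "").strip().lower()
        scenario = SCENARIOS.get((spf, dkim), "unknown")
        count = int(rec.findtext("row/count"))
        totals[scenario] += count  # weight by message count, not by record
        rows.append({"ip": rec.findtext("row/source_ip"), "count": count,
                     "disposition": ev.findtext("disposition"), "scenario": scenario})
    return rows, totals
```

Records that land in both_fail or unknown are the ones to carry into the sender identification steps.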
Identifying the Sender
When you see an unknown IP in reports, use these techniques to identify it:
- Reverse DNS lookup — dig -x 203.0.113.50
- WHOIS lookup — Find the IP owner
- Check against known services — Google, Microsoft, AWS IP ranges
- Ask your team — Someone might be using a service you don't know about
Aggregate vs Forensic Reports
| Aspect | Aggregate (RUA) | Forensic (RUF) |
|---|---|---|
| Frequency | Daily (usually) | Per-message |
| Content | Summarized statistics | Full message samples |
| Privacy | No PII | May contain PII |
| Support | Widely supported | Limited (privacy concerns) |
Report Volume
For active domains, expect reports from:
- Google — One consolidated daily report
- Microsoft — One daily report per organization receiving your mail
- Yahoo — Daily reports
- Other providers — Varies widely
High-volume senders may receive hundreds of reports daily, making manual analysis impractical.
Let MimeProtect Handle Your Reports
Raw DMARC XML reports are difficult to read and analyze. MimeProtect automatically ingests your reports, parses them, and presents actionable insights in an easy-to-understand dashboard.