Understanding DMARC Reports: A Practical Guide

Gary Hanley
January 21, 2026
DMARC reports can be overwhelming. This guide breaks down aggregate and forensic reports, helping you understand what they mean and how to act on them.

DMARC reports are the foundation of email authentication monitoring. They provide crucial insights into who is sending email on behalf of your domain, whether those emails are passing authentication checks, and where potential threats or misconfigurations exist. Understanding how to read and act on these reports is essential for maintaining email security.

This comprehensive guide will walk you through everything you need to know about DMARC reports, from basic structure to advanced analysis techniques that can help you identify threats and optimize your email authentication.

The Two Types of DMARC Reports

DMARC actually generates two distinct types of reports, each serving a different purpose in your email security strategy:

Aggregate Reports (RUA)

Frequency: Daily (typically)

Format: XML files

Purpose: High-level statistics about email authentication results

Use Case: Monitoring trends, identifying legitimate sources, spotting authentication issues

Forensic Reports (RUF)

Frequency: Real-time (per failure)

Format: Email message samples

Purpose: Detailed failure information including message headers

Use Case: Investigating specific authentication failures, identifying spoofing attempts

⚠️ Important Note About Forensic Reports

Most major email providers (Gmail, Yahoo, Outlook) no longer send forensic reports due to privacy concerns, as they can contain sensitive email content. Focus your analysis primarily on aggregate reports.

Anatomy of an Aggregate Report

Aggregate reports are XML files that contain structured data about email authentication results. Let's break down the key components:

1. Report Metadata

<report_metadata>
  <org_name>google.com</org_name>
  <email>noreply-dmarc-support@google.com</email>
  <report_id>12345678901234567890</report_id>
  <date_range>
    <begin>1672531200</begin>
    <end>1672617599</end>
  </date_range>
</report_metadata>

This section identifies who sent the report (the receiving mail server organization), when the report covers, and a unique identifier for tracking.

2. Policy Published

<policy_published>
  <domain>yourdomain.com</domain>
  <adkim>r</adkim>
  <aspf>r</aspf>
  <p>quarantine</p>
  <sp>quarantine</sp>
  <pct>100</pct>
</policy_published>

This shows the DMARC policy that was in effect during the reporting period. Key fields:

  • p: Policy for the domain (none, quarantine, or reject)
  • sp: Policy for subdomains
  • adkim: DKIM alignment mode (r=relaxed, s=strict)
  • aspf: SPF alignment mode (r=relaxed, s=strict)
  • pct: Percentage of email to which policy applies

3. Record Entries (The Important Part)

<record>
  <row>
    <source_ip>209.85.220.69</source_ip>
    <count>1547</count>
    <policy_evaluated>
      <disposition>none</disposition>
      <dkim>pass</dkim>
      <spf>pass</spf>
    </policy_evaluated>
  </row>
  <identifiers>
    <header_from>yourdomain.com</header_from>
  </identifiers>
  <auth_results>
    <dkim>
      <domain>yourdomain.com</domain>
      <result>pass</result>
    </dkim>
    <spf>
      <domain>yourdomain.com</domain>
      <result>pass</result>
    </spf>
  </auth_results>
</record>

Each record entry represents a unique combination of sending IP, authentication results, and volume. This is where the actionable intelligence lives.

Reading and Interpreting Report Data

Understanding what the numbers mean is critical for making informed decisions about your email security posture.

Authentication Results Matrix

| SPF | DKIM | DMARC Result | Action Required |
|---|---|---|---|
| ✓ Pass | ✓ Pass | PASS | None - Excellent! |
| ✓ Pass | ✗ Fail | PASS | Consider fixing DKIM |
| ✗ Fail | ✓ Pass | PASS | Consider fixing SPF |
| ✗ Fail | ✗ Fail | FAIL | Immediate action needed! |

💡 Key Insight: Only One Needs to Pass

DMARC passes if either SPF or DKIM passes and aligns with the From: domain. You don't need both to pass, though having both pass provides redundancy.

Common Scenarios and What They Mean

Scenario 1: High Volume, All Passing

Source IP: 209.85.220.69 | Count: 15,000 | SPF: Pass | DKIM: Pass

Meaning: This is a legitimate, properly configured email source (likely your primary email service).

Action: No action needed. Monitor for consistency.

Scenario 2: Low Volume, Failing Both

Source IP: 185.220.101.45 | Count: 3 | SPF: Fail | DKIM: Fail

Meaning: Likely spoofing or phishing attempt.

Action: Investigate the source IP. If confirmed malicious, this validates your DMARC policy.

Scenario 3: Medium Volume, SPF Fail, DKIM Pass

Source IP: 192.0.2.15 | Count: 500 | SPF: Fail | DKIM: Pass

Meaning: Likely a legitimate third-party service (marketing platform, CRM) that's not in your SPF record but has DKIM configured.

Action: Identify the service and add their IP or include mechanism to your SPF record for better authentication.

Scenario 4: High Volume, SPF Pass, DKIM Fail

Source IP: 198.2.128.1 | Count: 2,000 | SPF: Pass | DKIM: Fail

Meaning: Your email service is in SPF but DKIM signing isn't working properly.

Action: Check DKIM configuration. Verify DNS records and ensure signing is enabled on the sending service.

Advanced Analysis Techniques

1. Identify Unknown Senders

Look for source IPs you don't recognize with significant volume. Use reverse DNS lookup and WHOIS to identify:

  • Company-owned mail servers you forgot about
  • Third-party services sending on your behalf (marketing, HR systems, etc.)
  • Forwarding services that break SPF
  • Potential spoofing attempts

2. Track Volume Trends Over Time

Monitor how volume changes for each source:

  • Gradual increase: Normal business growth
  • Sudden spike: Marketing campaign, system change, or potential attack
  • Gradual decrease: Service migration or reduced usage
  • Intermittent volume: Scheduled jobs, newsletter campaigns

3. Calculate Pass Rates

Overall Pass Rate = (Total Passing Messages / Total Messages) × 100

Per-Source Pass Rate = (Passing Count for IP / Total Count for IP) × 100

Target metrics:

  • 90%+ pass rate: Excellent - ready for enforcement
  • 70-90% pass rate: Good, but investigate failures before quarantine
  • Below 70%: Significant issues - stay in monitoring mode
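The two formulas and the target bands above can be computed directly from the record entries of an aggregate report. The following is an added example, not code from the original article: the function names are hypothetical, the sample report is constructed, and the pass/fail decision uses the `policy_evaluated` values of each row.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

def _row(ip, count, dkim, spf):
    """Build one constructed <record> (sample data, not from a real report)."""
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition><dkim>{dkim}</dkim>"
            f"<spf>{spf}</spf></policy_evaluated></row></record>")

SAMPLE_REPORT = "<feedback>" + "".join([
    _row("209.85.220.69", 1500, "pass", "pass"),   # primary mail service
    _row("192.0.2.15", 250, "pass", "fail"),       # third party, DKIM only
    _row("192.0.2.15", 150, "fail", "fail"),       # same IP, unauthenticated stream
    _row("185.220.101.45", 100, "fail", "fail"),   # unrecognized source
]) + "</feedback>"

def source_stats(report_xml):
    """Return {source_ip: (passing, total)} from the policy_evaluated results."""
    stats = defaultdict(lambda: [0, 0])
    for row in ET.fromstring(report_xml).iter("row"):
        count = int(row.findtext("count", "0"))
        results = (row.findtext("policy_evaluated/dkim"),
                   row.findtext("policy_evaluated/spf"))
        entry = stats[row.findtext("source_ip")]
        entry[1] += count
        if "pass" in results:          # DMARC passes if either mechanism passes
            entry[0] += count
    return {ip: tuple(v) for ip, v in stats.items()}

def pass_rate(passing, total):
    return 100.0 * passing / total if total else 0.0

def readiness(rate):
    """Map a pass rate onto the target bands listed above."""
    if rate >= 90:
        return "ready for enforcement"
    if rate >= 70:
        return "investigate failures before quarantine"
    return "stay in monitoring mode"

def summarize(report_xml):
    """Return (overall pass rate, readiness band, {source_ip: pass rate})."""
    stats = source_stats(report_xml)
    overall = pass_rate(sum(p for p, _ in stats.values()),
                        sum(t for _, t in stats.values()))
    return overall, readiness(overall), {ip: pass_rate(p, t) for ip, (p, t) in stats.items()}

if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
```

Aggregate reports arrive from third parties, usually as gzip or zip attachments, so decompress them first and consider a hardened parser such as defusedxml for untrusted XML.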

4. Identify Alignment Issues

Pay attention to the difference between authentication results and alignment:

SPF Pass but DMARC Fail: SPF authenticated but the domain doesn't align with the From: header. Common with forwarding services.

DKIM Pass but DMARC Fail: DKIM signature is valid but signed by a different domain. Check for third-party services using their own domain in signatures.
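Both cases above show up in a report as a mismatch between the raw checks in `auth_results` and the aligned verdicts in `policy_evaluated`. The following added example (not from the original article; the function name, IPs and domains are constructed for illustration) lists every check that passed on its own but was not counted toward DMARC, together with the domain that actually authenticated.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from a real report). policy_evaluated holds the
# aligned DMARC verdicts; auth_results holds the raw SPF/DKIM checks.
SAMPLE_REPORT = """<feedback>
<record>
  <row><source_ip>192.0.2.80</source_ip><count>500</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>yourdomain.com</header_from></identifiers>
  <auth_results>
    <dkim><domain>mailer.example.net</domain><result>pass</result></dkim>
    <spf><domain>bounce.example.net</domain><result>pass</result></spf>
  </auth_results>
</record>
<record>
  <row><source_ip>198.51.100.7</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>yourdomain.com</header_from></identifiers>
  <auth_results>
    <dkim><domain>yourdomain.com</domain><result>pass</result></dkim>
    <spf><domain>forwarder.example.org</domain><result>pass</result></spf>
  </auth_results>
</record>
<record>
  <row><source_ip>203.0.113.9</source_ip><count>3</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>yourdomain.com</header_from></identifiers>
  <auth_results><spf><domain>yourdomain.com</domain><result>fail</result></spf></auth_results>
</record>
</feedback>"""

def alignment_gaps(report_xml):
    """List (source_ip, count, mechanism, authenticated_domain, header_from) for
    every check that passed on its own but was not counted as aligned."""
    gaps = []
    for rec in ET.fromstring(report_xml).iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count", "0"))
        header_from = rec.findtext("identifiers/header_from")
        for mech in ("spf", "dkim"):
            if rec.findtext(f"row/policy_evaluated/{mech}") == "pass":
                continue  # aligned pass, nothing to fix
            # A message can carry several DKIM signatures, so check each entry.
            for auth in rec.findall(f"auth_results/{mech}"):
                if auth.findtext("result") == "pass":
                    gaps.append((ip, count, mech, auth.findtext("domain"), header_from))
    return gaps
```

In the sample, the first record is a third-party sender authenticating entirely under its own domain, the second matches the forwarding pattern (SPF passes for the forwarder while aligned DKIM carries the message), and the third produces no gap because nothing authenticated at all.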

Tools for DMARC Report Analysis

Manually parsing XML files is tedious and error-prone. Use specialized tools for efficient analysis:

DMARC Busta (Recommended)

Automated report parsing, visual dashboards, trend analysis, and AI-powered source recommendations.

Postmark DMARC (Free Tier)

Free tool for small businesses. Clean interface, basic reporting, good for getting started.

dmarcian (Enterprise)

Enterprise-grade platform with advanced threat intelligence and white-glove support.

EasyDMARC (SMB Focused)

User-friendly interface with automated policy recommendations and compliance tracking.

Report Analysis Workflow

Establish a regular cadence for reviewing reports. Here's a recommended workflow:

1. Daily: Quick Health Check (5 minutes)

Review overall pass rate and total volume. Look for anomalies or sudden spikes.

2. Weekly: Source Analysis (30 minutes)

Identify new sources, investigate failures, update SPF/DKIM for legitimate senders.

3. Monthly: Trend Review (1-2 hours)

Analyze trends, calculate pass rates by source, review policy effectiveness, plan next steps.

4. Quarterly: Strategic Review (Half day)

Assess overall email authentication posture, evaluate policy progression readiness, audit third-party services.

Common Pitfalls to Avoid

❌ Ignoring Low-Volume Sources

Even a single legitimate email blocked can cause business impact. Investigate all sources, regardless of volume.

❌ Progressing Policy Too Quickly

Wait at least 2-4 weeks in monitoring mode to capture all email sources, including monthly reports and scheduled jobs.

❌ Not Documenting Sources

Keep a registry of identified sources with business context. Six months later, you won't remember what 192.0.2.45 is.

❌ Assuming All Failures Are Attacks

Many failures are forwarded emails or misconfigured third-party services, not malicious activity.

Conclusion

DMARC reports are your window into email authentication for your domain. By understanding how to read and interpret these reports, you can:

  • Identify all legitimate email sources and ensure they're properly authenticated
  • Detect potential spoofing and phishing attempts before they damage your reputation
  • Make informed decisions about policy progression from monitoring to enforcement
  • Optimize your email authentication configuration for maximum deliverability

The key is consistency. Set up a regular review process, use tools to automate analysis where possible, and always investigate before blocking. With proper report analysis, DMARC becomes a powerful shield protecting your domain's email reputation.
