DMARC reports are one of the most valuable features of DMARC. They show you exactly who is sending email as your domain and whether authentication is passing. This guide explains how to read and use DMARC reports.
Types of DMARC Reports
Aggregate Reports (RUA)
- Daily XML summaries from receiving servers
- Show authentication results for all email from your domain
- Include source IP, volume, and pass/fail status
- Essential for monitoring and enforcement decisions
Forensic Reports (RUF)
- Individual failure notifications
- Contain message details (headers, sometimes body)
- Sent in real-time when failures occur
- Many providers don't send these due to privacy
Setting Up Report Delivery
In your DMARC record:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-forensics@yourdomain.com
-
rua=– Address for aggregate reports -
ruf=– Address for forensic reports (optional)
Understanding Aggregate Reports
Aggregate reports are XML files containing:
Report Metadata
- Reporting organization (who sent the report)
- Date range covered
- Your DMARC policy
Policy Published
- Your current DMARC settings
- Policy level (none/quarantine/reject)
- Alignment modes
Record Data (per source IP)
- Source IP address
- Count of messages
- DMARC disposition (none/quarantine/reject)
- SPF result and alignment
- DKIM result and alignment
Reading Report Data
What to Look For
Legitimate Sources Passing: Your known services should show:
- DMARC: pass
- SPF: pass + aligned
- DKIM: pass + aligned
Legitimate Sources Failing: Known services failing need fixes:
- Missing from SPF record
- DKIM not configured
- Alignment issues
Unknown Sources:
- Could be forgotten services
- Could be unauthorized senders (spoofing attempts)
- Investigate before enforcement
Processing Reports
Raw XML is hard to read. Options:
Free Services
- Postmark DMARC – Free weekly digests
- dmarcian – Free tier available
- DMARC Analyzer – Free for low volumes
Paid Services
- EasyDMARC
- Valimail
- Agari
- Red Sift OnDMARC
These services parse reports into readable dashboards showing trends, issues, and recommendations.
Using Reports for Enforcement
Before Enforcement (p=none)
- Collect reports for 2-4 weeks minimum
- Identify all legitimate sending sources
- Fix any authentication failures
- Confirm all sources pass consistently
During Enforcement
- Monitor for new failures
- Watch for legitimate services breaking
- Identify spoofing attempts (expect failures from unknown IPs)
After Full Enforcement (p=reject)
- Continue monitoring for new services
- Review monthly for changes
- Update when adding new email tools
Common Report Patterns
Pattern: High Volume from Unknown IP
Could be: Forgotten marketing service, forwarding, or spoofing
Action: Identify the IP owner, add to SPF if legitimate, or leave to fail if not
Pattern: SPF Pass, DKIM Fail, DMARC Pass
DKIM isn't critical if SPF passes and aligns. But configure DKIM for redundancy.
Pattern: SPF Fail, DKIM Pass, DMARC Pass
Common with forwarding. DKIM saves these. Still, fix SPF issues.
Pattern: Everything Fails
Either a misconfigured service or spoofing attempt. Investigate the source.
For implementation guidance, see our DMARC setup guide.
0 comments