How to Read Your DMARC Reports
Once you publish a DMARC record with a rua address, mailbox providers start emailing you daily aggregate reports. They arrive as XML attachments that look intimidating, but they answer one incredibly useful question: who is sending email as your domain, and is it passing authentication? That's exactly the information you need to safely move from p=none to enforcement.
If you haven't published DMARC yet, start with the DMARC setup guide, then come back here.
What's actually in a report
An aggregate report covers a window (usually a day) from one mailbox provider. For each sending source it tells you, in plain terms:
- The source IP, the server that sent mail claiming to be you.
- A count, how many messages came from that source.
- SPF and DKIM results, whether each passed and, importantly, whether each aligned with your domain.
- The disposition, what the receiver did (none, quarantine, or reject) based on your policy.
The key columns are the alignment results. A source can pass raw SPF or DKIM but still fail DMARC because it isn't aligned to your domain. That gap is usually a legitimate vendor that needs configuring, not an attacker.
Don't read the raw XML by hand
You can open the XML, but it's painful at any real volume. Point your rua address at a DMARC reporting service that aggregates the reports into a readable dashboard, grouping by sender and showing pass rates over time. Several offer a free tier that's plenty for a single domain. This turns a pile of attachments into a clear table.
Sort every sender into one of three buckets
However you read them, your job is to classify each sending source:
- Legitimate and passing. Your mailbox provider and properly configured tools. Nothing to do.
- Legitimate but failing. A real service of yours that isn't aligned, an old marketing tool, a billing system, a form provider. These are your action items: add them to SPF or enable DKIM for them. Fix these while you're still at p=none so nothing gets blocked.
- Unknown and failing. Sources you don't recognize sending mail as you. This is usually spoofing, and it's exactly what enforcement will stop.
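The three-bucket sort above, as an added example that is not part of the original article: a Python script that parses one aggregate report and places each source in a bucket, using the aligned results in policy_evaluated and the raw results in auth_results. The KNOWN_SENDERS inventory and the sample report (IPs, domains, counts) are constructed for illustration; element names follow the aggregate report schema in RFC 7489, and the code assumes the report uses no XML namespace.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Hypothetical inventory of sources you know are yours (an assumption).
KNOWN_SENDERS = {"192.0.2.10": "mailbox provider", "198.51.100.7": "billing system"}

# Constructed sample report; IPs are documentation ranges, domains are examples.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <auth_results><spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>14</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><spf><domain>vendor-mail.example</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>203.0.113.99</source_ip><count>300</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
</feedback>"""

def classify(report_xml, known=KNOWN_SENDERS):
    """Return {bucket: [(source_ip, count, note), ...]} for one aggregate report."""
    # Reports come from third parties: in production use a hardened XML parser
    # (for example defusedxml) and cap attachment size before parsing.
    root = ET.fromstring(report_xml)
    buckets = defaultdict(list)
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip", "").strip()
        count = int(rec.findtext("row/count", "0"))
        # policy_evaluated holds the aligned results; DMARC passes if either passes.
        dkim = rec.findtext("row/policy_evaluated/dkim", "").strip()
        spf = rec.findtext("row/policy_evaluated/spf", "").strip()
        # auth_results holds the raw checks and the domain each was run against.
        raw_pass = sorted({m.findtext("domain", "") for m in rec.iterfind("auth_results/*")
                           if m.findtext("result") == "pass"})
        if "pass" in (dkim, spf):
            bucket, note = "legitimate_passing", ""
        elif ip in known:
            bucket = "legitimate_failing"
            note = f"{known[ip]}; raw pass for {', '.join(raw_pass) or 'nothing'}, not aligned"
        else:
            bucket, note = "unknown_failing", "not in sender inventory"
        buckets[bucket].append((ip, count, note))
    return dict(buckets)

if __name__ == "__main__":
    for bucket, rows in classify(SAMPLE_REPORT).items():
        for ip, count, note in rows:
            print(f"{bucket:20} {ip:15} {count:5} {note}")
```

The billing system row shows the alignment gap: its raw SPF check passed for the vendor's own domain, so it lands in the "legitimate but failing" bucket until SPF or DKIM is aligned to your domain.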
When you're ready to enforce
When the only things still failing are sources you don't recognize, your legitimate mail is fully authenticated and you can raise your policy. Move to p=quarantine, watch the reports for another week or two, then move to p=reject. The reports are how you do this with confidence instead of crossing your fingers.
One practical note: keep reading them after you reach enforcement. A new tool added six months from now will show up here as a failing legitimate sender, and the reports are how you catch it before it causes a delivery problem. If you'd rather not watch them forever, that's what continuous monitoring is for.