Email Authentication Guide

How to Read DMARC Reports

DMARC aggregate reports are XML files that tell you exactly who is sending email as your domain. Here is how to read them, what to look for, and when to act on what you find.

Report Types: RUA vs. RUF

DMARC produces two types of reports, and understanding the difference matters for how you approach monitoring:

Aggregate Reports (RUA)

XML files sent daily by receivers summarizing all messages evaluated against your DMARC policy. They show volume, pass/fail rates, source IPs, and what policy was applied. This is the primary data source for DMARC monitoring.

Forensic Reports (RUF)

Per-message failure reports sent in near real-time when a message fails DMARC. They include message headers and sometimes partial body content. Useful for debugging, but many receivers do not send them due to privacy concerns.

Most DMARC monitoring focuses on aggregate reports because they provide the broadest picture of your sending ecosystem. Forensic reports are a supplement, not a replacement.

Anatomy of an Aggregate Report

Aggregate reports arrive as gzipped or zipped XML files attached to emails sent to your RUA address. Here is a simplified example showing the structure you will see in every report:

<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <email>[email protected]</email>
    <date_range>
      <begin>1712534400</begin>
      <end>1712620800</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <p>none</p>
    <sp>none</sp>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>198.51.100.25</source_ip>
      <count>1542</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>example.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>example.com</domain>
        <result>pass</result>
      </dkim>
      <spf>
        <domain>example.com</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
</feedback>

Here is what each section tells you:

report_metadata — Who sent this report (the receiving organization) and the time range it covers. The timestamps are Unix epoch format.
policy_published — Your DMARC policy as seen by the receiver at the time they processed the messages. If you recently changed your policy, older reports may still reflect the previous one.
source_ip — The IP address of the server that sent the messages. This is what you use to identify the sending service.
count — How many messages came from this source IP during the reporting period. In this example, 1,542 messages were sent from 198.51.100.25 as example.com.
disposition — What the receiver actually did with the messages: none (delivered normally), quarantine (sent to spam), or reject (blocked).
dkim and spf — Whether each authentication mechanism passed or failed. The policy_evaluated section shows the DMARC-level result (after alignment), while auth_results shows the raw authentication results.

Fields That Matter Most

When you are reviewing reports, focus on these five data points:

source_ip

Run a reverse DNS lookup on each source IP to identify the sending service. An IP resolving to mail-sor-f25.google.com is Google Workspace. An IP resolving to o1.sendgrid.net is SendGrid. An IP with no reverse DNS or resolving to a hosting provider you do not recognize needs investigation.

count

High message counts from unknown IPs are red flags. If an IP you do not recognize sent 10,000 messages as your domain in a single day, that is either a misconfigured service or active spoofing.

disposition

This shows what actually happened to the messages. If your policy is p=none and you see disposition: none for everything, that is expected—no messages are being blocked yet. Once you move to enforcement, watch for legitimate senders showing quarantine or reject dispositions.

DKIM and SPF results

Check both the policy_evaluated results (DMARC-level, after alignment) and the raw auth_results. A service might pass raw SPF but fail DMARC because the SPF domain does not align with the From header domain.

Alignment

This is the most important concept in DMARC. SPF or DKIM must not just pass—they must pass for your exact domain (strict alignment) or a subdomain of your domain (relaxed alignment). A message sent via a third-party service might pass SPF for the service's domain, but that does not help your DMARC result unless the service is configured to align with your domain.

How to Identify Legitimate Senders

The primary goal of reading DMARC reports is building a complete inventory of everything that sends email as your domain. Here is the process:

Collect 1–2 weeks of reports. A single day is not enough. Some services send infrequently—weekly digests, monthly invoices, triggered notifications. You need enough time for them all to appear.
Group by source IP. Aggregate all reports and extract unique source IPs with their message counts and authentication results.
Reverse DNS each IP. This identifies the sending service. Google Workspace, SendGrid, Mailchimp, HubSpot, Amazon SES, Postmark—they all have recognizable reverse DNS patterns.
Cross-reference with your known sending services. Compare the list against what your IT, marketing, sales, and support teams know about. Every service should be accounted for.
Investigate unknowns. Any IP you cannot identify is either shadow IT (a team using a service without IT's knowledge), a misconfigured service, or unauthorized sending. Contact internal teams before assuming the worst.

Tip: Use your DMARC checker to verify that your DMARC record is correctly configured with a valid RUA address before starting this process.

How to Spot Abuse or Misalignment

Not everything in your reports is benign. Watch for these warning signs:

•High volume from IPs you do not recognize. If an IP sent thousands of messages as your domain and you cannot identify it through reverse DNS, it is likely spoofing or a compromised service.
•SPF or DKIM failing consistently from a known service. This is a misconfiguration, not an attack. Common causes: you forgot to add the service's include to your SPF record, or the service is not signing with DKIM for your domain.
•Messages passing SPF but failing DKIM (or vice versa). This is partial alignment. It might be enough for DMARC to pass (only one mechanism needs to align), but it is fragile. If the passing mechanism breaks, DMARC will fail entirely.
•Disposition showing "none" for messages you would want quarantined. This means your policy is too loose. If you see spoofing attempts being delivered normally because your policy is p=none, that is a clear signal to start planning your move to enforcement.

When to Move Toward Enforcement

Reading reports is not an end in itself—the goal is to reach a point where you can safely enforce your DMARC policy. You are ready when:

You have identified all legitimate senders and they all pass DMARC alignment. No known service should be failing.
You have fixed misconfigurations. Missing SPF includes have been added. DKIM signing has been enabled for services that support it. Alignment issues have been resolved with vendors.
You understand the volume and sources of unauthorized mail. You know what spoofing looks like for your domain and you are ready to block it.
You have tested with a low percentage. Set your policy to p=quarantine; pct=10 and monitor for a week. If no legitimate mail is affected, increase gradually.

Do not skip the pct ramp. Even if your reports look clean, start enforcement at a low percentage. Some sending patterns only appear during specific business events—quarterly billing runs, annual renewal campaigns, seasonal marketing—and may not show up in a 2-week monitoring window.

Reading Reports at Scale

Manual XML parsing works for a single domain with low email volume. You can use command-line tools like xmllint or simple scripts to extract the data you need.

Beyond that, a monitoring platform automates report collection, sender identification, and trend tracking. The value is not just visualization—it is the historical record that lets you confidently tighten policy over weeks. A platform shows you whether a sender that appears today was also present last month, or whether it is new and needs investigation.

For organizations managing multiple domains or operating as an MSP, manual parsing is not feasible. You need automated ingestion that handles decompression, XML parsing, IP resolution, and sender classification across all your domains simultaneously. The alternative is spreadsheets and guesswork, which is how legitimate mail gets blocked during enforcement rollouts.

Frequently Asked Questions

How often are DMARC aggregate reports sent?

Most receivers send them once per day, typically covering a 24-hour UTC window. The frequency is not guaranteed by the specification, but Google, Microsoft, and Yahoo are reliable daily senders. Smaller receivers may batch less frequently or not send reports at all.

Why am I not receiving DMARC reports?

Check three things: First, verify that your DMARC record includes a rua= tag with a valid mailto: address. Use the DMARC checker to verify. Second, check that the receiving mailbox is not filtering report emails as spam. Third, if your RUA address is on a different domain than the one being monitored, you need a DNS authorization record on the receiving domain (an _dmarc-report TXT record).

What is DMARC alignment?

Alignment means the domain in the From header matches the domain that passed SPF or DKIM. If your From header says [email protected] but SPF passes for bounce.thirdparty.com, that SPF pass does not count for DMARC. The authentication must align with your domain. This is the mechanism that prevents attackers from using their own authenticated infrastructure to spoof your From address.

Should I worry about forensic reports (RUF)?

They are useful for debugging specific authentication failures—you get the actual message headers that caused the failure, which helps pinpoint misconfigurations. But they are not essential for monitoring. Many major receivers (including Gmail) do not send forensic reports due to privacy concerns. Treat them as supplementary data when available.

Can I get DMARC reports without setting up monitoring?

Yes. Set rua=mailto:[email protected] in your DMARC record and you will receive raw XML files as email attachments. You can open them in a text editor or parse them with scripts. But at any meaningful volume, this gets impractical fast—a busy domain generates hundreds of reports per day, each containing multiple record entries.

What do I do if I see failing senders I do not recognize?

First, run a reverse DNS lookup on the source IP. If it resolves to a known email service (SendGrid, Mailchimp, Amazon SES, etc.), someone in your organization is likely using that service without IT's knowledge. Reach out internally before assuming it is malicious. If the IP resolves to a generic hosting provider or has no reverse DNS, it is likely spoofing—and a strong signal that you need to move toward enforcement.

Stop Parsing XML Manually

SpoofSentry collects, parses, and visualizes your DMARC reports automatically. Start monitoring for free.

Start Free Monitoring