How to read a DMARC aggregate report

DMARC aggregate reports are XML files sent daily by email providers (Google, Microsoft, Yahoo, etc.) telling you who sent email as your domain and whether it passed authentication. dmarco parses and displays these automatically — here's how to read the data.

Report-level information

• Reporting organization — who generated the report (e.g., google.com). This is the receiver that checked your emails.
• Date range — the period covered, usually 24 hours
• Your domain — the domain being evaluated

Records (rows in the report)

Each record represents a group of emails from the same source IP with the same authentication results:

• Source IP — the server that sent the email. Known IPs are your legitimate mail servers. Unknown IPs may be spoofing or misconfigured services.
• Message count — how many emails this row represents. A count of 500 is more significant than a count of 1.
• SPF result — did the sending server pass SPF? (pass, fail, none)
• DKIM result — did the email have a valid DKIM signature? (pass, fail, none)
• Disposition — what the receiver did: none (delivered), quarantine (spam), reject (blocked)

What to look for

Pass rate

The percentage of messages that fully passed DMARC. Your goal is 99%+. Anything below that means some mail is failing authentication.

Unknown senders

IPs that don't match any known sender in the sender library. These need investigation — they could be legitimate services you haven't configured, or unauthorized senders.

Failure patterns

• SPF_FAIL — the sending server isn't in your SPF record. Either add it or confirm it's unauthorized.
• DKIM_FAIL — the DKIM signature is invalid or missing. The sender may need DKIM configuration.
• SPF_PASS_DMARC_FAIL — SPF passed but the domain doesn't align with the From header. Common with third-party senders.
• DKIM_PASS_NOT_ALIGNED — DKIM passed but signed with a different domain. Common with services that sign with their own domain instead of yours.