What you'll learn
- The two types of DMARC reports and their purposes
- How to read aggregate (RUA) reports and what the data means
- Understanding forensic (RUF) reports for individual failures
- How to identify legitimate vs unauthorized email sources
- Taking action based on report findings
Types of DMARC Reports
DMARC provides two types of reports that help you monitor email authentication for your domain. Understanding both types is crucial for effective email security management.
Aggregate Reports (RUA)
- Sent daily by email receivers
- Show authentication results in bulk
- Include IP addresses and volume
- XML format (typically gzipped)
- Best for monitoring trends
Forensic Reports (RUF)
- Sent immediately on failure
- Contain individual email samples
- Include headers and metadata
- Less commonly supported
- Best for investigating issues
Reading Aggregate Reports (RUA)
Aggregate reports are XML files sent by email receivers (Gmail, Outlook, etc.) that summarize authentication results for emails claiming to be from your domain.
Key Components of RUA Reports
1. Report Metadata
Organization: Who sent the report (e.g., google.com, outlook.com)
Date Range: Time period covered by the report
Report ID: Unique identifier for this report
2. Policy Published
Shows your current DMARC policy as seen by the receiver:
Domain: Your domain being reported on
Policy (p): none, quarantine, or reject
Subdomain Policy (sp): Policy for subdomains
Percentage (pct): % of emails the policy applies to
Alignment: SPF and DKIM alignment mode (relaxed or strict)
3. Records (The Important Part)
Each record represents a group of emails from the same source:
Source IP Address: The server that sent emails claiming to be from your domain
Count: Number of emails from this source during the reporting period
Disposition: What the receiver did: none, quarantine, or reject
DKIM Result: pass or fail
SPF Result: pass or fail
Header From: The domain shown in the "From" header (what users see)
Interpreting Results
The most important thing to understand: DMARC passes if either SPF or DKIM passes AND aligns with your domain.
DMARC Pass
SPF or DKIM passed and aligned with your domain. This is legitimate email and no action is needed.
DMARC Fail
Both SPF and DKIM failed or didn't align. Could be unauthorized sending or misconfiguration.
Common Scenarios
Scenario 1: Everything Passing
Source IP: 209.85.128.24 (Google)
Count: 1,247
SPF: pass, DKIM: pass
DMARC: pass
Interpretation: This is legitimate email sent through Google. No action needed.
Scenario 2: Legitimate but Misconfigured
Source IP: 192.0.2.45 (Your CRM)
Count: 89
SPF: fail, DKIM: none
DMARC: fail
Interpretation: This is likely your CRM or marketing platform, but it's not properly configured. You need to add this IP to your SPF record or configure DKIM signing.
Scenario 3: Potential Spoofing
Source IP: 198.51.100.123 (Unknown)
Count: 12
SPF: fail, DKIM: fail
DMARC: fail
Interpretation: An unknown IP is sending a low volume of email that fails all checks. This could be a spoofing attempt. Investigate the IP using WHOIS lookups and consider moving to a stricter DMARC policy.
Taking Action on Reports
Use your DMARC reports to gradually tighten your email security without breaking legitimate email.
Weekly Report Review Checklist
- Identify all email sources: List all unique IP addresses sending email from your domain
- Verify legitimacy: Cross-reference IPs with your email services (ESP, CRM, ticketing, etc.)
- Fix failing legitimate sources: Update SPF records or enable DKIM for services that should pass but don't
- Investigate unknowns: Use IP WHOIS lookup, reverse DNS, and search engines to identify unknown sources
- Progress your policy: Once everything legitimate passes, move from p=none → p=quarantine → p=reject
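The first three checklist steps, applied to the three scenarios above, can be scripted. The following is an added example, not code from the original page: the sample report is constructed, and `KNOWN_SENDERS` is a hypothetical inventory of the IPs you expect to send for your domain.

```python
import gzip
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report mirroring the three scenarios above (not real data).
def _record(ip, count, dkim, spf):
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition><dkim>{dkim}</dkim>"
            f"<spf>{spf}</spf></policy_evaluated></row>"
            f"<identifiers><header_from>example.com</header_from></identifiers></record>")

SAMPLE_RUA = gzip.compress((
    "<feedback><policy_published><domain>example.com</domain><p>none</p></policy_published>"
    + _record("209.85.128.24", 1247, "pass", "pass")
    + _record("192.0.2.45", 89, "fail", "fail")
    + _record("198.51.100.123", 12, "fail", "fail")
    + "</feedback>").encode())

# Assumption: your own inventory of IPs expected to send mail for the domain.
KNOWN_SENDERS = {"209.85.128.24": "Google", "192.0.2.45": "CRM"}

def load_report(data):
    """Parse raw or gzipped report bytes; reports come from untrusted senders."""
    if data[:2] == b"\x1f\x8b":                      # gzip magic bytes
        data = gzip.decompress(data)
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:  # no DTDs belong in a report
        raise ValueError("unexpected DTD or entity declaration")
    root = ET.fromstring(data)
    for el in root.iter():                           # drop an optional XML namespace
        el.tag = el.tag.split("}")[-1]
    return root

def triage(data, known=KNOWN_SENDERS):
    """Return {source_ip: (label, passed, failed)} summed over all records."""
    totals = defaultdict(lambda: [0, 0])             # [passed, failed]
    for row in load_report(data).iter("row"):
        ev = row.find("policy_evaluated")
        # policy_evaluated carries the aligned results; either "pass" means DMARC pass
        ok = "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        totals[row.findtext("source_ip")][0 if ok else 1] += int(row.findtext("count"))
    result = {}
    for ip, (passed, failed) in totals.items():
        if failed == 0:
            label = "ok"
        elif ip in known:
            label = "fix-config"                     # known sender: fix SPF or DKIM
        else:
            label = "investigate"                    # unknown sender failing DMARC
        result[ip] = (label, passed, failed)
    return result
```

Calling `triage(SAMPLE_RUA)` labels the Google source `ok`, the CRM source `fix-config`, and the unknown IP `investigate`.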
Tools for Analyzing Reports
While you can manually parse XML reports, these tools make the process much easier:
Free Services
- Postmark DMARC Digests
- DMARC Analyzer (limited free tier)
- dmarcian (limited free tier)
Self-Hosted Solutions
- Parsedmarc - Open source Python tool
- DMARC Visualizer - Self-hosted dashboard
Forensic Reports (RUF)
Forensic reports provide samples of individual emails that failed DMARC. However, most major receivers (Gmail, Outlook) don't send these due to privacy concerns.
Limited Support
Don't rely on forensic reports for monitoring. Aggregate reports are much more reliable and widely supported. Use forensic reports only as supplementary investigation tools.