How to Read DMARC Reports: Types, Tools, and Tips

Phishing is behind 90% of cyberattacks, making it critical for you and your team to understand how to read DMARC reports to safeguard your data and reputation.

DMARC (Domain-based Message Authentication, Reporting, and Conformance) reports provide detailed insights into how your emails are authenticated, helping you maintain a close eye on your email security. By confirming that emails truly come from trusted sources, DMARC plays a key role in blocking phishing and spoofing attempts that could damage your brand and put your customers at risk.

This blog will walk you through how to read DMARC reports and explain how using the right tools can make this process easier, helping you protect your domain and strengthen your email security with confidence.

What is a DMARC Report?

DMARC reports are diagnostic reports generated by receiving mail servers that show you how your emails are authenticated across the internet. They provide clear visibility into email behavior and mail flows, including SPF and DKIM authentication results for messages sent from a DMARC-enabled domain.

These reports are based on two key technologies:

• SPF (Sender Policy Framework) verifies if an email is sent from an authorized server.
• DKIM (DomainKeys Identified Mail) checks if the email’s content has been altered in transit.

Together, these checks show whether your emails are genuine or potentially fraudulent.

How to Enable DMARC Reports (Step-by-Step)

Before you can read DMARC reports, you need to set up a a DMARC record that tells mailbox providers where to send your reports.

Step 1: Publish a DMARC record

Create a DNS TXT record for: _dmarc.yourdomain.com

Start with monitoring mode: v=DMARC1; p=none; rua=mailto:[email protected];

Step 2: Add report destinations (rua first)

• rua (Aggregate reports): This is the primary DMARC reporting channel and the one most organizations rely on.
• ruf (Forensic reports): Optional. Support varies by provider and it can raise privacy concerns, so many organizations skip it or use it cautiously. 

Example with both (only if you intend to use forensic reporting):

v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected];

Step 3: Decide how you’ll receive reports

You have two practical options:

• Dedicated mailbox: Useful for testing, but raw reports arrive as XML attachments and become hard to manage at scale.
• DMARC reporting tool: Recommended for ongoing monitoring, filtering, and actionable dashboards.

Step 4: Confirm reports are arriving

Aggregate reports often start showing up within 24–48 hours, depending on DNS propagation and mailbox provider reporting cycles. If nothing arrives, validate:

• the DMARC record is published correctly,
• the destination mailbox/service can receive messages,
• and your domain is actively sending email.

Once you’ve enabled reports, you can read it. 

How to Read DMARC Reports

DMARC reports usually come in XML format attached to emails with subjects like “DMARC Report.” While raw reports aren’t easy to read directly, understanding their structure helps you extract valuable insights. 

You may also find resources like PowerDMARC’s knowledge base helpful for learning how to set up and interpret your reports. 

Here’s how to read DMARC reports:

Understand the DMARC XML format

A typical DMARC XML report includes these key sections:

• Source IP: The IP address of the sending server
• Policy evaluated: The action taken based on your DMARC policy
• SPF and DKIM results: Whether each check passed or failed
• Domain details: The domain names involved in sending and authentication

Decode the key elements in a raw report

Focus on these critical fields when reviewing a report:

• source_ip: Where the email originated
• policy_evaluated: What your DMARC policy decided (e.g., none, quarantine, reject)
• spf and dkim: Results showing pass or fail. A pass means the email met the authentication standards, while a fail indicates issues that could point to spoofing or misconfiguration

Expect practical challenges with raw reports

When working directly with XML files, a few obstacles are common:

• Reports may arrive compressed (.zip or .gz)
• High-volume domains can generate very large files
• You’ll often receive multiple reports from different providers covering the same day

This is why most teams move away from manual inspection once reporting volume increases.

Identify issues from the data (SPF, DKIM, Alignment)

Look out for these wasimply because SPF or DKIM wasn’t set up correctly. Marketing tools, CRM systems, newsletter platforms, and helpdesk tools must be added to your SPF record or configured with their DKIM keys to pass DMARC consistently. These failures are especially common after a new tool rollout, a domain change, or a vendor-side sending update.

Warning signs:

• Failures in SPF or DKIM checks
• Alignment problems where the sending domain doesn’t match the authenticated domain
• Suspicious sending IPs that don’t belong to your known mail sources

These flags could signal attempts to impersonate your domain.

Simplify DMARC Reporting with PowerDMARC!

Types of DMARC Reports

DMARC reporting is mainly delivered through two report types: Aggregate (RUA) and Forensic (RUF). Both serve different purposes, and most organizations rely primarily on aggregate reports for continuous monitoring

1. DMARC Aggregate Reports (RUA)

DMARC aggregate reports provide an overview of the DMARC analytics and activity for a domain. They include:

• Information pertaining to the number of messages that passed or failed DMARC authentication
• The IP addresses of the sending mail servers
• The authentication statuses of the mechanisms used to verify the email message

This information helps you gain awareness of spammers and unauthorized third-party services wrongly using your domain name.

To make interpreting these reports even easier, PowerDMARC Aggregate report views are more readable and understandable, as they are simplified and organized into charts and tables with advanced viewing and filtering options. To enable our human-readable aggregate reports, contact us today!

2. DMARC Forensic Reports (RUF)

DMARC forensic reports, also known as failure reports, provide detailed information about individual email messages that failed DMARC authentication. In some cases, Forensic DMARC reports may include:

• The entire email message
• The authentication status
• The reason for the failure of the unauthorized message

Failure reports in DMARC are particularly useful when investigating specific forensic incidents, such as potential email fraud, domain name abuse, and impersonation.

Failure reports may sometimes contain sensitive information, raising privacy concerns if an attacker gains access to them. This has led PowerDMARC to facilitate PGP encryption on these reports, ensuring that only you have access to the sensitive content.

DMARC Report Fields Explained

DMARC aggregate (RUA) reports usually arrive in XML format and contain multiple “records.” Each record represents email activity from a specific sending source (typically an IP address) and shows how that source performed against your DMARC policy. Once you know what the key fields mean, it becomes much easier to identify legitimate senders, spot unauthorized usage, and fix SPF/DKIM alignment issues.

Key DMARC fields you’ll see in aggregate (RUA) reports

How these fields work together

A common mistake is to treat DMARC as a simple “SPF pass/DKIM pass” check. DMARC also verifies whether SPF or DKIM aligns with the domain in header_from. That is why you may see SPF or DKIM showing “pass,” but DMARC still failing for that record.

Use these combinations to interpret records quickly:

• DMARC pass: SPF or DKIM passes and aligns with header_from
• DMARC fail: Neither SPF nor DKIM achieves alignment with header_from
• SPF pass but DMARC fail: SPF may pass, but the envelope_from domain does not align with header_from
• DKIM pass but DMARC fail: DKIM may pass, but the dkim_domain does not align with header_from
• High volume from an unknown source_ip: Often indicates an unauthorized sender, an overlooked system, or a misconfigured third-party service

Once you understand these fields, reading DMARC reports becomes much more practical. The next step is to review records in priority order, starting with the sources generating the highest volume or highest failure rates.

Common Issues Found in DMARC Reports

DMARC aggregate reports often reveal problems that affect authentication, domain security, and email deliverability. These are the issues you’re most likely to encounter and what they mean.

• Failing SPF or DKIM alignment: This happens when emails pass SPF or DKIM, but the domains used don’t align with the domain recipients see in the “From” header. Misalignment causes DMARC to fail even if the underlying authentication checks succeed. In most cases, the fix is to configure your sending services so the Return-Path (SPF identity) and/or DKIM signing domain aligns with the From domain, then confirm the change through your next round of aggregate reports.
• Unauthorized sending sources: DMARC reports may show servers sending emails on your behalf without permission. These could be old systems, misconfigured third-party services, or malicious actors. Identifying and removing unauthorized senders is crucial to protecting your domain from spoofing.
• Misconfigured email services (marketing platforms, CRMs, ticketing tools, etc.): Often, legitimate services fail authentication simply because SPF or DKIM wasn’t set up correctly. Marketing tools, CRM systems, newsletter platforms, and helpdesk tools must be added to your SPF record or configured with their DKIM keys to pass DMARC consistently.
• High failure rates and what they indicate: A large percentage of failed emails in your DMARC reports signals significant issues; this could point to impersonation attempts, misalignment, or important senders that aren’t authenticated. High failure rates require immediate attention to prevent deliverability loss and potential abuse of your domain.

Best Practices for Managing DMARC Reports

The pro tip is to automate your DMARC report analysis to save time and avoid manual errors. Rest, follow these recommended practices:

Automate parsing with tools

DMARC aggregate reports arrive in XML format, which can be difficult to read manually. Using a DMARC analysis tool automates parsing, converts reports into dashboards or summaries, and helps you spot alignment failures, unauthorized senders, or patterns you might’ve missed.

Review reports weekly or monthly

Consistent review ensures you catch new issues early. Weekly reviews work well for high-volume domains, while monthly checks are enough for smaller environments. Regular monitoring ensures all your sending sources stay authenticated and aligned as your setup evolves.

Keep track of IP sources and third-party senders

DMARC reports reveal every server that’s sending mail on your behalf, even the ones you might’ve forgotten were connected. Tracking these IPs helps you sort out which senders are legitimate and which need to be removed, authenticated, or looked into a little more closely. This becomes especially important when you’re using several tools at once, like marketing platforms, CRMs, or ticketing systems, all firing off emails under your domain.

Maintain alignment across all sending services

Every service you use has to pass SPF or DKIM and align with your domain; otherwise, DMARC will fail even when everything else looks fine. It’s easy to overlook a platform or two (especially older integrations), so it’s worth double-checking that each one is configured with the right SPF include statements or DKIM keys. When every sender lines up correctly, the whole authentication chain becomes much more stable. This keeps failure rates low and protects your domain from abuse.

Next Step

Understanding DMARC reports is key to protecting your email domain from spoofing and phishing attacks. By following the steps in this guide, you can effectively monitor your email authentication and take action against threats.

Key Actions to Take Now:

1. Enable DMARC reporting by setting up your DNS records with rua/ruf tags
2. Use automated tools to simplify report analysis and interpretation
3. Establish a regular review schedule (weekly or monthly)
4. Maintain an inventory of all authorized email sending sources
5. Gradually enforce stricter DMARC policies as your authentication improves

Ready to simplify your email security? Tools like PowerDMARC’s DMARC Report Reader turn complex XML data into clear, actionable insights that help protect your domain from phishing and spoofing.

Frequently Asked Questions (FAQs)

1. How do DMARC reports help improve email security?

They show you which emails pass or fail authentication, helping you detect and stop spoofing or phishing attempts targeting your domain.

2. How often are DMARC reports generated?

On the PowerDMARC platform, DMARC reports are generated and organized daily, weekly, or monthly, depending on your preference.

3. How do I improve my DMARC score?

You can improve your DMARC score by fixing authentication issues, aligning your SPF and DKIM, and gradually enforcing stricter DMARC policies.

4. What actions can I take based on DMARC reports?

You can identify unauthorized senders, adjust your email settings, and block fraudulent emails.

5. What does it mean when I get a DMARC report?

It means a receiver is sharing details about how your emails are authenticated and if any failed checks occurred.

6. Why am I getting DMARC aggregate reports?

You’re receiving DMARC aggregate reports because you have a DMARC record published with an rua tag. These reports are sent by email providers to help you monitor how your domain is being used for email authentication.

7. How do I check my DMARC report?

You can check your DMARC reports by accessing the email address specified in your rua tag, or by using a DMARC analysis tool that automatically processes and visualizes the XML data for easier interpretation.

8. Who generates DMARC reports?

DMARC reports are generated and sent by receiving email servers and major mailbox providers like Gmail, Yahoo, Outlook, and other email services that process emails from your domain.

9. Where to send DMARC reports?

DMARC reports can be sent to the email address specified in the rua tag of your DMARC record.

You have two options for this:

1. A dedicated mailbox you create (e.g., [email protected]).
2. A third-party DMARC analysis service. This is the recommended option, as they process the complex XML reports into user-friendly dashboards.

10. Who sends DMARC reports?

DMARC reports are sent by receiving mail servers and mailbox providers.

• About
• Latest Posts

Maitham Al Lawati

Cybersecurity Expert, CEO at PowerDMARC

Maitham is a tech entrepreneur, cybersecurity expert, CEO and Founder of PowerDMARC with 15+ years of industry experience. Maitham holds a Global MBA from the University of Manchester and various professional certifications including CISSP, CISM, CRISC, and ISC2 CCSP.

Latest posts by Maitham Al Lawati (see all)

• Email Phishing and DMARC Statistics: 2026 Email Security Trends - January 6, 2026
• How to Fix “No SPF record found” in 2026 - January 3, 2026
• SPF Permerror: What It Means and How to Fix It - December 24, 2025