How to Read a DMARC Report

,

Learn how to read DMARC reports with our detailed guide that simplifies DMARC aggregate and forensic reports for better email security management.

by

Reading Time: 9 min
How to Read a DMARC Report
Table Of Contents

Reading DMARC reports has become crucial for organizations as phishing and spam are getting more and more common. The reports provide important insights into your existing email security posture and how your emails are perceived on the receiver’s end. Several renowned mailbox providers have already made the protocol mandatory for maintaining a spam-free inbox, and enforcing authentication checks before any email reaches their users, thereby ensuring that their user’s information and assets stay protected.

What is a DMARC Report?

A DMARC report is a collection of comprehensive data provided by the Domain-based Message Authentication Reporting and Conformance protocol that is generated and sent by email receivers to the domain owner of the received email. The reports aim to provide valuable insights into your email behavior, mail flows, and SPF/DKIM authentication results along with other details. 

The results of DMARC authentication are based on SPF (Sender Policy Framework) and/or DKIM (DomainKeys Identified Mail) authentication checks. Depending on the policy action defined by the domain owner, the reports highlight the action taken by the recipient’s mail server which can be either of two results – Pass or Fail.     

By enabling DMARC XML reports for your active domains, you can monitor fraudulent activities and even learn about malicious sources impersonating your domain names to send fake messages to your clients and partners. By taking action against such abuse, you protect not only your brand’s reputation but also safeguard your customers from potential harm.

How to Read Raw DMARC Reports

Your DMARC reports provide essential data about email activity on your domain that are necessary to help protect you against future phishing attacks and fraudulent emails. DMARC reports in raw format are sent in XML format and they’re usually sent by email with the subject “DMARC Report.”

You can visit PoweDMARC’s knowledge base to learn more about each of them and how to configure individual reports for your domain easily.

DMARC XML Report Raw Format

Reading Aggregate XML reports can be a bit of a hassle for a non-technical person, here is an example of a raw report:

DMARC-XML-Report-Raw-Format-

Breaking Down a DMARC Raw Report

DMARC-Raw-Report

The report should contain information about your ISP, source IP, sender address, server, and authentication status.

In the raw file for your detailed reports, you can find information about:

  • Your ISP, the name of your email service provider

<?xml version=”1.0″ encoding=”UTF-8″ ?>

<feedback>

<report_metadata>

<org_name>google.com</org_name>

<email>[email protected]</email>

<extra_contact_info>http://google.com/dmarc/support</extra_contact_info>

  • The report ID number

<report_id>8293631894893125362</report_id>

  • The beginning and ending date range (in seconds)

<date_range>

<begin>1234573120</begin>

<end>1234453590</end>

</date_range>

  • Your DMARC record specifications as published in your domain’s DNS

<policy_published>

<domain>yourdomain.com</domain>

<adkim>r</adkim>

<aspf>r</aspf>

<p>none</p>

<sp>none</sp>

<pct>100</pct>

</policy_published>

  • IP address of the sending source

<source_ip>302.0.214.308</source_ip>

  • An overview of your authentication results (SPF and DKIM pass/fail result summary)

<policy_evaluated>

<disposition>none</disposition>

<dkim>fail</dkim>

<spf>pass</spf>

</policy_evaluated>

  • From: domain

<header_from>yourdomain.com</header_from>

  • DKIM authentication results

<dkim>

<domain>yourdomain.com</domain>

<result>fail</result>

<human_result></human_result>

</dkim>

  • SPF authentication results

<spf>

<domain>yourdomain.com</domain>

<result>pass</result>

</spf>

Simplify DMARC Reporting with PowerDMARC!

Start 15-day trial Book a demo

Understanding How DMARC Reporting Works

DMARC reports are generated by email receivers when they receive emails from a domain with DMARC implemented. These reports are sent back to the domain owner, who can analyze them to identify potential issues, patterns of abuse, or misconfigurations. By leveraging this information, domain owners can take proactive measures to improve their email authentication setup, rectify authentication failures, and establish a more secure and trustworthy email ecosystem.

DMARC-reports

The Importance of  DMARC Reports

DMARC reports enable you to make data-driven decisions about your email security setup and systems and monitor the functionality of your DMARC, SPF, and DKIM authentication protocols. Here’s why you should enable it: 

  1. DMARC reports help you monitor your email authentication systems
  2. Leverage report data to identify issues in deliverability and improve email deliverability over a period of time: 
  3. Investigate your reporting data to quickly identify and detect phishing and spoofing attacks: 
  4. PowerDMARC also helps you download comprehensive human-readable reports in CSV file format that can be shared with your employees to educate them regarding impending threats.

DMARC Reporting Types – Aggregate vs Forensic DMARC Reports

DMARC reports are of two main types – DMARC rua aggregate reports and DMARC ruf forensic reports. While both of these types of reports are sent in similar file formats, they dispense different information to domain owners.

1. DMARC Aggregate Reports

DMARC Aggregate reports provide an overview of the DMARC analytics and activity for a domain. Aggregate DMARC reports include information pertaining to the number of messages that passed or failed DMARC authentication, the IP addresses of the sending mail servers, and the authentication statuses of the mechanisms used to verify the email message. This information helps you gain awareness of spammers and unauthorized third-party services wrongly using your domain name.

Aggregate reports are widely supported and sent by all major email providers including Google and Microsoft, and are sent irrespective of the domain owner’s enforcement policy.

Aggregate reports on the PowerDMARC platform are easier to read and understand, as they are parsed, simplified, and organized into charts and tables with advanced viewing and filtering options. To enable our human-readable aggregate reports, contact us today! 

2. DMARC Forensic Reports

DMARC forensic reports also known as failure reports provide detailed information about individual email messages that failed DMARC authentication. In some cases, Forensic DMARC reports may include the entire email message, along with the authentication status and the reason for the failure of the unauthorized message. Failure reports in DMARC come in handy while investigating specific forensic incidents like potential email fraud or domain name abuse and impersonation.

Failure reports may sometimes contain sensitive information leading to privacy concerns in case an attacker gains access to them. This has led PowerDMARC to facilitate PGP encryption on these reports to ensure only you have access to the contents. 

How to enable DMARC reporting?

DMARC reports can be enabled by simply defining the DMARC “rua” tag and configuring it with your email address in your domain’s DMARC TXT record.

Step 1: Create a record for DMARC 

Sign up on the PowerDMARC portal and click on PowerToolbox from the menu > select DMARC record generator. Select your preferred DMARC policy option from none, quarantine, and reject. On all three domain policies, reports will continue to be sent from receivers however the action taken will differ. 

It is always advised to shift to reject gradually by first monitoring your domains at “none” and then opting for partial enforcement with quarantine. Finally, switch from quarantine to reject when you are confident with your mail flows and legitimate email sources. This will ensure that your legitimate senders don’t get blocked by receivers.

DMARC-record-generator.

Step 2: Define the DMARC report rua tag

Configure this tag by defining an email address on which you wish you receive your DMARC XML report data.

Define-the-DMARC-report-rua-tag

Step 3: Define the DMARC report ruf tag

You may also enable forensic reporting by following the same procedure.

Define-the-DMARC-report-ruf-tag

Step 4: Publish your record to receive reports

Publish the DNS record in your DNS management console and save changes. Once done the reporting organization will start sending you reports by mail to your reporting address.

Publish-your-record-to-receive-reports

Note: DMARC forensic reports are not supported by all mailbox providers due to privacy concerns. Learn more.

DMARC Reports & Deliverability in 2024

DMARC reports help enhance email deliverability by providing a wealth of knowledge about the authentication status of email messages sent from a specific domain. These reports allow domain owners to identify and address authentication failures, misconfigurations, or unauthorized use of their domain, which can negatively impact deliverability.

This helps build trust with email receivers, reduces the chances of emails being marked as spam or rejected, and ultimately improves the overall deliverability of legitimate emails.

PowerDMARC’s Human-Readable DMARC Reports Tool

With DMARC reports flooding your inboxes every day, you wouldn’t want the pain to go through them and analyze them line by line, fishing for useful information. PowerDMARC helps you monitor your domain’s activity with reports, and gain complete insight into your authenticity status, and authentication issues to reduce your spam score and improve deliverability with time.  

PowerDMARC helps you view your DMARC Aggregate RUA reports easily in an organized tabular format, parsing data and segregating information into categories with the option to filter data according to IP addresses, organizations, sending sources, and specific stats, providing ultimate flexibility when you read DMARC report for your email.

Try our DMARC reporting tool

Using a Dedicated Mailbox VS Using PowerDMARC’s DMARC Report Reader

In order to organize and read DMARC reports more easily and efficiently, you can maintain a dedicated mailbox wherein you can redirect all the DMARC XML reports you receive from various third parties and email vendors that you use for sending your marketing and business emails. This keeps your main inbox decluttered. 

However, note that a dedicated mailbox for your reports will only help you organize and manage your data better, it will not help you parse or read the XML files, and will not provide a user-friendly or actionable interface for viewing, sorting, or filtering your authentication results as we do.

Perks of configuring PowerDMARC’s DMARC Reports:

  • View RUA reports in 7 distinct viewing formats: per organization, per result, per sending source, per host, per country, according to geo-locations, and segregate detailed stats.
  • Enter the domain(s) of your choice to filter results for that particular domain only in the search bar
  • Select a specific date range to filter results for that timeline
  • Bright color scheme and interactive dashboard that helps you understand your authentication results at a glance when in a hurry, as well as in great detail.

Sign up today to get your free DMARC analyzer!

DMARC Report FAQs

You can use the data to identify and By inspecting these reports, domain owners can identify and take action against the unauthorized use of their domain name in phishing attempts.

DMARC reports typically contain the following information: 

  1. the authentication results of emails 
  2. IP address of the sending source
  3. Sender’s domain name 
  4. The domain alignment status

On the PowerDMARC platform, our simplified DMARC reports are generated and organized daily or at regular intervals, such as weekly or monthly – as per the domain owner’s preference.

To receive DMARC reports you need to publish a DMARC record on your domain’s DNS management console. This record must contain a valid email address defined within the “rua” DMARC tag, specifying where the reports need to be sent. Once the DMARC record is published, email receivers that support DMARC will start the automatic process of generating reports and sending them to your specified email address.

DMARC reports should be used to investigate your sending sources and identify potential fraud so that you can take action against them promptly. Regular reviews may even improve deliverability and reduce your spam rate.

Interpreting DMARC report data can be complex as XML files contain technical information in machine-level language. However, by using PowerDMARC you can read your data easily along with more granular aggregate details, insights on failure messages, and domain activity.

If you notice a lot of instances of impersonation attacks in your DMARC reports, it is an indication that you need to level up your domain and email security defenses. Get in touch with a DMARC specialist today to explore remediation measures.

No, DMARC reports are not mandatory. However, they are highly recommended for organizations that want to enhance their email and domain security and protect against email fraud.

Latest posts by Maitham Al Lawati (see all)
Yahoo “Strongly” Recommends DMARC RUA Tag for Bulk SendersYahoo “Strongly” Recommends DMARC RUA Tag for Bulk SendersHow to Unsend an Email and Save Yourself from Oops Moments?