DMARC Report Reading Guide

Cloud Server for Email
cloudserverforemail.com · infrastructure@cloudserverforemail.com · +372 602 3545
EU-Based Infrastructure
Operating Since 2015
DMARC Report Reading Guide
Aggregate and Forensic Reports: Structure and Interpretation
Version 2026-04 · Cloud Server for Email

Aggregate Report (RUA) Structure

Aggregate reports are XML files sent daily to your rua address. Each report covers one reporting organization (e.g., Google, Microsoft) and contains all email received from your domain during the reporting period.

<!-- Simplified aggregate report structure --> <feedback> <report_metadata> <org_name>google.com</org_name> <!-- Reporting ISP --> <date_range> <begin>1700000000</end> <!-- Unix timestamps --> <end>1700086400</end> </date_range> </report_metadata> <record> <row> <source_ip>203.0.113.1</source_ip> <!-- Sending IP --> <count>15420</count> <!-- Messages from this IP --> <policy_evaluated> <disposition>none</disposition> <!-- none/quarantine/reject --> <dkim>pass</dkim> <!-- pass or fail --> <spf>pass</spf> <!-- pass or fail --> </policy_evaluated> </row> <auth_results> <dkim> <domain>yourdomain.com</domain> <result>pass</result> </dkim> </auth_results> </record> </feedback>

What to Look For in Aggregate Reports

What You SeeWhat It MeansAction
source_ip unknown to you + large countUnauthorized sender using your domainInvestigate; advance DMARC policy to block them
Your known IP + dkim=fail + spf=passDKIM signing broken (but SPF covers you)Fix DKIM signing urgently; passing for now but fragile
Your known IP + dkim=pass + spf=failIP not in SPF (DKIM covers you)Add IP to SPF; important defense-in-depth
Your known IP + both failNo authentication passing for DMARCCritical: fix SPF and DKIM immediately
Third-party ESP IP + both failESP not configured for your domain alignmentConfigure ESP's DKIM for your domain, or use subdomain
Small counts from unusual IPsForwarded mail or third-party systemDocument known forwarding paths; use ARC where possible

Free DMARC Report Parsers

  • dmarcian.com — industry standard, free tier available, clear visual reports
  • easydmarc.com — good free tier, automated parsing, alert emails
  • mxtoolbox.com/dmarc — manual XML parsing and analysis tool
  • postmark's DMARC Digests — free weekly email summary of your DMARC data

Advancing DMARC Policy Safely

StepPolicyPrerequisite
1p=noneJust start — collect data, no enforcement
2p=quarantine; pct=54+ weeks of p=none with only authorized senders passing
3p=quarantine; pct=1002+ weeks at pct=5 with no legitimate mail quarantined
4p=reject; pct=52+ weeks at p=quarantine;pct=100 clean
5p=reject; pct=1002+ weeks at pct=5 with no legitimate mail rejected
Never jump from p=none directly to p=reject. Organizations that do this regularly lose legitimate mail because they discover unknown sending sources only after they start getting blocked.