Cloud Server for Email
cloudserverforemail.com · infrastructure@cloudserverforemail.com · +372 602 3545
EU-Based Infrastructure
Operating Since 2015
Operating Since 2015
DMARC Report Reading Guide
Aggregate and Forensic Reports: Structure and Interpretation
Version 2026-04 · Cloud Server for Email
Aggregate Report (RUA) Structure
Aggregate reports are XML files sent daily to your rua address. Each report covers one reporting organization (e.g., Google, Microsoft) and contains all email received from your domain during the reporting period.
<!-- Simplified aggregate report structure -->
<feedback>
<report_metadata>
<org_name>google.com</org_name> <!-- Reporting ISP -->
<date_range>
<begin>1700000000</end> <!-- Unix timestamps -->
<end>1700086400</end>
</date_range>
</report_metadata>
<record>
<row>
<source_ip>203.0.113.1</source_ip> <!-- Sending IP -->
<count>15420</count> <!-- Messages from this IP -->
<policy_evaluated>
<disposition>none</disposition> <!-- none/quarantine/reject -->
<dkim>pass</dkim> <!-- pass or fail -->
<spf>pass</spf> <!-- pass or fail -->
</policy_evaluated>
</row>
<auth_results>
<dkim>
<domain>yourdomain.com</domain>
<result>pass</result>
</dkim>
</auth_results>
</record>
</feedback>
What to Look For in Aggregate Reports
| What You See | What It Means | Action |
|---|---|---|
| source_ip unknown to you + large count | Unauthorized sender using your domain | Investigate; advance DMARC policy to block them |
| Your known IP + dkim=fail + spf=pass | DKIM signing broken (but SPF covers you) | Fix DKIM signing urgently; passing for now but fragile |
| Your known IP + dkim=pass + spf=fail | IP not in SPF (DKIM covers you) | Add IP to SPF; important defense-in-depth |
| Your known IP + both fail | No authentication passing for DMARC | Critical: fix SPF and DKIM immediately |
| Third-party ESP IP + both fail | ESP not configured for your domain alignment | Configure ESP's DKIM for your domain, or use subdomain |
| Small counts from unusual IPs | Forwarded mail or third-party system | Document known forwarding paths; use ARC where possible |
Free DMARC Report Parsers
- dmarcian.com — industry standard, free tier available, clear visual reports
- easydmarc.com — good free tier, automated parsing, alert emails
- mxtoolbox.com/dmarc — manual XML parsing and analysis tool
- postmark's DMARC Digests — free weekly email summary of your DMARC data
Advancing DMARC Policy Safely
| Step | Policy | Prerequisite |
|---|---|---|
| 1 | p=none | Just start — collect data, no enforcement |
| 2 | p=quarantine; pct=5 | 4+ weeks of p=none with only authorized senders passing |
| 3 | p=quarantine; pct=100 | 2+ weeks at pct=5 with no legitimate mail quarantined |
| 4 | p=reject; pct=5 | 2+ weeks at p=quarantine;pct=100 clean |
| 5 | p=reject; pct=100 | 2+ weeks at pct=5 with no legitimate mail rejected |
Never jump from p=none directly to p=reject. Organizations that do this regularly lose legitimate mail because they discover unknown sending sources only after they start getting blocked.