How to read a DMARC report—and actually understand it!
Amy Elliott
Unlike SPF (Sender Policy Framework) and DKIM (Domainkeys Identified Mail), DMARC authentication (Domain-based Message Authentication Reporting and Conformance) isn’t required to send emails, but it is highly recommended if you want to protect your domain against email spoofing and phishing attacks. In addition to providing a framework for senders to define how they want their emails to be handled if they fail SPF and DKIM checks, it allows you to monitor activity with reports.
DMARC reports provide valuable insights for domain owners to analyze domain activity, manage their email infrastructure, and detect potential email deliverability issues or bad actors. That’s a lot of very important information! To use it to your full advantage, it’s important to understand how to read a DMARC report.
If learning about DMARC reports is on your email marketing bucket list (it should be!), good news! This guide has all the tips and information you need to read and understand the different types of DMARC reports. Let’s get down to business.
What is a DMARC report?
DMARC reporting provides visibility into your email infrastructure and domain sending activity, including the DMARC policies that have been implemented. It allows senders to gain insights into their email delivery, authentication failures, and any unauthorized sending sources by delivering two types of reports—aggregate and forensic.
It helps you to enhance security by enabling you to review what is sent from your domain and choose which mail sources to authorize. DMARC reporting also gives you greater control over your email deliverability by allowing you to track your sendings and uncover any potential authentication issues that could damage your sender reputation.
How DMARC reporting works
When you implement DMARC by creating a DMARC record and publishing it to your DNS as a TXT record, you get access to data about your domain’s sending activity. This is because feedback is given by receiving mail servers in the form of DMARC reports during the DMARC validation process.
They are typically sent once every 24 hours, but you can change the frequency of your reports by using the ri tag in your DMARC record, accompanied by the desired number of seconds between reports. To receive DMARC reports directly to your email address, you must add the rua tag to your DMARC record, along with the email address that you would like reports to be sent to. Configuring your DMARC record in this way will let mailbox providers know that they must send a report.
Every time an email fails an SPF and/or DKIM check, feedback will be given by the mailbox provider about the status of the message. This means that DMARC reporting can provide crucial information about the state of your outgoing emails, allowing you to identify malicious actors and block them.
If you're interested in the different types of tags you can include in your DMARC record, check out the table below.
| Tag | Description |
|---|---|
| Version (v) | The v tag specifies the protocol version and is a required tag. |
| Policy (p) | The p tag specifies the policy that should be followed for the domain. The possible values are none, quarantine or reject. |
| Subdomain policy (sp) | Similarly to the p tag, sp specifies the policy that should be followed for subdomains. |
| Percentage (pct) | The pct tag specifies the percentage of emails that should be subjected to filtering. |
| Forensic report email address (ruf) | The ruf tag lets you define the email address that forensic reports should be sent to. |
| Aggregate report email address (rua) | With the rua tag, you can define the email address that aggregate reports should be sent to. |
| SPF alignment mode (aspf) | Defines whether SPF domain alignment should relaxed or strict. |
| DKIM alignment mode (adkim) | Defines whether DKIM domain alignment should relaxed or strict. |
| Forensic reporting options (fo) | Defines how forensic reports are created and given to users. |
| Report format (rf) | The rf tag defines the forensic reporting format. |
| Report interval (ri) | This tags enables you to change the frequency of your reports. |
Types of DMARC reports and what they contain
There are two main types of DMARC reports that the mailbox provider sends: forensic reports (also known as failure reports) and aggregate reports.
Forensic reports
DMARC forensic reports contain information about individual email messages that fail authentication. This report is sent to the email address you specify with the ruf tag in your DMARC record. For example, your DMARC record would look something like this:
v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]
They contain information that can help senders to identify and verify legitimate email sources, as well as block unauthorized ones. This includes:
From email address
Recipient email address
Email source IP address
SPF and DKIM authentication results
Email subject line
Email headers (Learn how to read and understand email headers)
Time email was received
Although they do contain some useful information, forensic reports are not widely implemented by Internet Service Providers (ISPs), so are a lower priority when it comes to DMARC monitoring.
Aggregate reports
DMARC aggregate reports provide information in xml format about the DMARC, SPF and DKIM authentication status of all emails that go through the authentication process. This report is sent to the email address you specify with the rua tag in your DMARC record. For example, your DMARC record would look something like this:
v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]
Unlike forensic reports, aggregate reports do not contain any sensitive information, but they do provide insights crucial for monitoring your domain sending activity, including:
Information about the Email Service Provider (ESP) including domain and email address
Date range
Email source sending IP address
Number of messages sent
SPF domain
SPF authentication result
SPF domain alignment result
DKIM domain
DKIM authentication result
DKIM domain alignment result
Policy applied by the receiver
Here’s an example of a DMARC aggregate report.
<?xml version=”1.0″ encoding=”UTF-8″ ?>
<feedback>
<report_metadata>
<org_name>google.com</org_name>
<email>[email protected]</email>
<extra_contact_info>
http://google.com/dmarc/support
</extra_contact_info>
<report_id>7598769364592857643</report_id>
<date_range>
<begin>1632654984</begin>
<end>1633749852</end>
</date_range>
</report_metadata>
<policy_published>
<domain>yourdomain.com</domain>
<adkim>r</adkim>
<aspf>r</aspf>
<p>none</p>
<sp>none</sp>
<pct>100</pct>
</policy_published>
<record>
<row>
<source_ip>192.158.1.38</source_ip>
<count>2</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>fail</dkim>
<spf>pass</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>yourdomain.com</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>yourdomain.com</domain>
<result>fail</result>
<human_result></human_result>
</dkim>
<spf>
<domain>yourdomain.com</domain>
<result>pass</result>
</spf>
</auth_results>
</record>
</feedback>How to read DMARC reports
As you can see in the example above, it can be a little difficult to interpret the information in a DMARC report. Let’s break down the different elements and take a look at what they mean.
This first section of the DMARC aggregate report contains information about the ISP (in our example it’s Google) including its domain and email address.
<?xml version=”1.0″ encoding=”UTF-8″ ?>
<feedback>
<report_metadata>
<org_name>google.com</org_name>
<email>[email protected]</email>
<extra_contact_info>
http://google.com/dmarc/support
</extra_contact_info>Next up, it’s the report ID.
<report_id>7598769364592857643</report_id>Here we have the date range of the report. If it looks a little confusing, that’s because it’s in seconds. To convert a timestamp to a date, you can use this timestamp converter.
<date_range>
<begin>1632654984</begin>
<end>1633749852</end>
</date_range>These are the DMARC policy specifications. Domain refers to your domain, adkim refers to the alignment mode for the DKIM protocol—in this case, r refers to relaxed mode. Similarly, aspf refers to the alignment mode for the SPF protocol. p is the policy tag, indicating which policy the receiver should employ: none, quarantine or reject. Correspondingly, the sp tag defines the policy for subdomains. And finally, the pct tag indicates the percentage of emails that should be subjected to filtering in the DMARC policy.
<policy_published>
<domain>yourdomain.com</domain>
<adkim>r</adkim>
<aspf>r</aspf>
<p>none</p>
<sp>none</sp>
<pct>100</pct>
</policy_published>Next we have the IP address of the sending source.
<source_ip>192.158.1.38</source_ip>Here are our email authentication results. In this instance, we can see that DKIM authentication has passed while SPF authentication has failed. Disposition tells us which policy the receiver followed in the event of DKIM/SPF failure, in this case, none.
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>fail</spf>
</policy_evaluated>Here we can see the domain specified in the email header.
<identifiers>
<header_from>yourdomain.com</header_from>
</identifiers>Finally, here are the individual DKIM and SPF results. The human_result tag allows for an optional error message to give context to the failure where the error may not be obvious. For example, if there is a syntax error in the record.
<auth_results>
<dkim>
<domain>yourdomain.com</domain>
<result>pass</result>
</dkim>
<spf>
<domain>yourdomain.com</domain>
<result>fail</result>
<human_result></human_result>
</spf>
</auth_results>How to monitor DMARC
Manually analyzing your DMARC reports and email logs is possible, but it isn’t the most efficient way to monitor DMARC. While you can dig down in the xml files and find the necessary data, it can be time-consuming and lead to issues being overlooked or left undiscovered for a period of time.
By using a DMARC monitoring tool like MailerCheck, you can automate the monitoring and reporting of the status of your DMARC implementation. Even better, MailerCheck provides actionable tips and suggestions about the steps to take to prevent unauthorized sendings from your domain. So, in addition to notifying you about your latest DMARC report, we’ll tell you what your results actually mean and what you should do next to fix any issues.
Let’s take a quick tour of the DMARC monitoring tool!
By selecting DMARC under Monitoring in the navigation menu, you’ll be able to navigate to the DMARC monitoring tool. Here, you’ll be able to add a domain to monitor and view all of your domain records and a summary of your reports.
By clicking on a report, you’ll be able to view a detailed overview of your DMARC aggregate report. You can also view any suggestions for resolving failures that were found. For example, if SPF authentication fails, MailerSend will suggest that you double-check that your SPF record contains up-to-date information about your sending server or IP address (in the case of a soft fail).
Check out our Knowledge Base article to learn more about how to use MailerCheck’s DMARC monitoring tool.
If DMARC monitoring wasn’t enough, MailerCheck has plenty more features to help with email deliverability optimization. You can verify your email list, use the API to implement real-time email validation on your website or app, check and optimize your email content, test for inbox placement, and monitor for blocklist activity of your IP or domain.
Try MailerCheck for free
Sign up for free and receive 200 credits to get started with and access to all tools!
5 Benefits of DMARC reporting
DMARC is a powerful tool for authenticating sending sources and protecting your domain. Let’s take a look at a rundown of the benefits.
1. Increased visibility into email activity
DMARC reporting provides a level of visibility that you cannot achieve with your email logs alone. It gives detailed information about the emails being sent from your domain, including the IP addresses and domains that are sending them. This can help you identify any unauthorized use of your domain and take appropriate action.
2. Stronger email security
By implementing DMARC, you can block fraudulent emails from reaching your customers, improving the security of your email communications. What’s more, by continuously monitoring the status of your DMARC implementation, you can learn in real-time if authentication fails. This gives you the ability to react quickly to attacks and makes your sending more secure. It’s kind of like the security guard of your email.
3. Improved email deliverability and sender reputation
Boosting your email security with DMARC, monitoring its status with reports, and blocking unauthorized sending sources can all help to improve your overall email deliverability and protect your sender reputation.
4. Increased brand protection
No business wants to be associated with spam or phishing emails! DMARC can help protect your brand by preventing unauthorized use of your domain in email communications.
5. Simplified compliance
Depending on your industry, there might be regulatory requirements related to email security, such as Payment Card Industry Data Security Standard (PCI DSS), that your organization must adhere to. DMARC can help businesses to meet these requirements.
DMARC my words…
DMARC reporting is essential if you want to manage your email sending like a pro while maintaining your email deliverability. It’s a highly effective and efficient way to gain valuable insights into your domain activity and protect your domain, customers and business while you’re at it. When it comes to email security, no measure is too much! And, when MailerCheck makes it so easy to manage your authentication records and monitor your DMARC activity, there’s no reason not to. 😉
Do you have any tips for monitoring your domain activity? Let us know in the comments and we might include them in the next update to this article!
Get started with DMARC reporting today
Sign up to MailerCheck and get 200 free credits, access to DMARC monitoring, email verification and more.
