How do I read DMARC reports?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

DMARC reports (called RUA files) arrive as XML attachments in email, usually gzipped, with filenames like receiver.com!yourdomain.com!1700000000!1700086400.xml.gz. You don't read the raw XML. You run it through a parser and then look for two things: who's sending mail using your domain, and whether they're passing authentication.

Each report covers a time window (usually 24 hours) and lists every source that sent email using your domain. For each source you'll see:

  • The sending IP address
  • How many messages it sent
  • Whether SPF passed and aligned
  • Whether DKIM passed and aligned
  • The overall DMARC disposition (none, quarantine, or reject)

The first question: can you identify every IP in the report? Most will be your ESP, your transactional provider, maybe your helpdesk or CRM. An IP you can't explain (especially one that's failing alignment) is either a forgotten sending service or someone trying to spoof your domain. Those two cases need very different responses.

The second question: are your own sending services passing? If your ESP shows up with SPF or DKIM failures, that's a configuration problem on your end. Fix it before you tighten your DMARC policy.

Our DMARC parser handles the XML for you: paste or upload a report and it pulls out the key rows in plain language. For ongoing monitoring, most senders use a dedicated reporting service so they don't have to manually check files every day (more on that in how to visualize DMARC XML reports).

If you're seeing failures and aren't sure which senders to fix first, the SOS hotline is free.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get help interpreting what your DMARC reports are showing.

I'm trying to make sense of my DMARC aggregate reports. I need help interpreting what I'm seeing and figuring out what to do about it. My details: - What I see in my reports (describe as much as you can): [e.g. 'Most IPs are passing but one IP with lots of volume is failing SPF', 'I see IPs I don't recognize', 'Everything seems to be passing'] - How I'm reading the reports: [raw XML / a service like dmarcian or EasyDMARC / your DMARC parser] - Services that send on my behalf: list all you know about - My current DMARC policy: none / quarantine / reject - Domain: your sending domain - Are there any IPs in the report you can't identify?: yes/no - How long you've had DMARC set up: e.g. 2 weeks, 3 months Based on what I'm seeing, what do I need to fix? And which failures should I prioritize?

Edit the yellow boxes, then send to the AI of your choice.