How do I read DMARC reports?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
DMARC reports (called RUA files) arrive as XML attachments in email, usually gzipped, with filenames like receiver.com!yourdomain.com!1700000000!1700086400.xml.gz. You don't read the raw XML. You run it through a parser and then look for two things: who's sending mail using your domain, and whether they're passing authentication.
Each report covers a time window (usually 24 hours) and lists every source that sent email using your domain. For each source you'll see:
- The sending IP address
- How many messages it sent
- Whether SPF passed and aligned
- Whether DKIM passed and aligned
- The overall DMARC disposition (none, quarantine, or reject)
The first question: can you identify every IP in the report? Most will be your ESP, your transactional provider, maybe your helpdesk or CRM. An IP you can't explain (especially one that's failing alignment) is either a forgotten sending service or someone trying to spoof your domain. Those two cases need very different responses.
The second question: are your own sending services passing? If your ESP shows up with SPF or DKIM failures, that's a configuration problem on your end. Fix it before you tighten your DMARC policy.
Our DMARC parser handles the XML for you: paste or upload a report and it pulls out the key rows in plain language. For ongoing monitoring, most senders use a dedicated reporting service so they don't have to manually check files every day (more on that in how to visualize DMARC XML reports).
If you're seeing failures and aren't sure which senders to fix first, the SOS hotline is free.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.