How do I parse and analyze DMARC aggregate reports effectively?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

DMARC aggregate reports arrive as XML files compressed in ZIP archives. Reading raw XML is painful and nobody should have to do it. Start by running the report through a DMARC parser (our free DMARC parser handles this) or a visualization tool that converts it into a readable table.

Once it's readable, here's what to actually look for.

Unknown sending IPs. These are IP addresses sending mail that claims to be from your domain but isn't in your SPF record. Could be a service you forgot to include, a compromised account, or an attempted spoof. Investigate each unknown IP before deciding whether to add it or block it.

Third-party senders failing alignment. Your CRM or transactional mail service might be listed in your SPF record but not signing with aligned DKIM. They pass SPF but fail DMARC alignment. The fix is to get those services signing with your domain's DKIM key, not their own.

DKIM failures from specific sources. If one ESP consistently fails DKIM while others pass, the key might be misconfigured or missing for that sender. Check whether the selector is published in DNS and that the private key matches.

Volume patterns that look wrong. DMARC reports show you how many messages each IP sent in the reporting window. If an IP is sending thousands of messages claiming to be from your domain and it's not you, that's a spoofing attempt worth flagging.

So Start with p=none so you can see failures without blocking anything. Move to p=quarantine once you've identified and fixed your legitimate senders. Then move to p=reject. The reports guide that journey. Don't skip steps.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get help interpreting your DMARC reports and what to do about what you find.

I was reading about parsing and analyzing DMARC aggregate reports on the Email Almanac. I want help making sense of my reports. My details: - My sending domain: your domain - My current DMARC policy: none/quarantine/reject/not set - Am I receiving DMARC reports? yes/no/not set up yet - What am I seeing in reports that I don't understand? describe or paste a snippet - How many sending services use my domain? just my ESP / multiple services / not sure - Am I seeing unexpected senders or IPs in reports? yes/no/not sure Help me interpret what my DMARC aggregate reports are telling me and what action to take.

Edit the yellow boxes, then send to the AI of your choice.