DMARC aggregate reports (RUA) are daily XML files from receiving servers showing: every IP that sent email as your domain, the volume from each, SPF/DKIM pass/fail results, and alignment status. Don't read raw XML — use a parser (dmarcian free tier, Postmark's free DMARC tool, or EasyDMARC). Look for: unauthorized senders you need to block, legitimate senders failing authentication that you need to fix, and confirmation that all authorized senders pass before advancing your policy.
How to Read DMARC Reports (And Actually Use Them)
Why DMARC Reports Matter
Every guide tells you to set up DMARC. Almost none tell you what to do with the reports you receive.
DMARC aggregate reports are the only way to see every service sending email as your domain. Without reading them, you're advancing your DMARC policy blind — risking blocking legitimate email you forgot about.
What You Receive
After setting up DMARC with rua=mailto:[email protected], receiving servers send you daily aggregate reports. Each report is a compressed XML file (.xml.gz or .zip).
A high-volume domain receives dozens of reports daily — one from Gmail, one from Yahoo, one from Outlook, one from every other server that processes your email.
Don't Read Raw XML
A raw DMARC report looks like this:
<record>
<row>
<source_ip>209.85.220.41</source_ip>
<count>1523</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>pass</spf>
</policy_evaluated>
</row>
...
</record>
Multiply this by hundreds of rows and dozens of daily reports. This is not meant for human consumption.
Use a Parsing Tool
| Tool | Cost | Best For |
|---|---|---|
| dmarcian | Free tier (1 domain) | Best visualization, clear dashboard |
| Postmark DMARC | Free (weekly digest) | Simplest — email digest, no dashboard login |
| EasyDMARC | Free tier available | Good for beginners |
| DMARC Analyzer | Paid | Enterprise features |
| URIports | Free tier | Good aggregation |
My recommendation: Start with Postmark's free DMARC tool (just point your rua to their address). You get a weekly email digest summarizing your DMARC data. If you need more detail, upgrade to dmarcian.
Postmark Free DMARC Setup
Change your DMARC rua to Postmark's processing address:
v=DMARC1; p=none; rua=mailto:[email protected]
You'll receive weekly email digests with your DMARC data visualized.
How to Read the Dashboard
1. Identify All Senders
The dashboard shows every IP/service that sent email as your domain. For each, you see:
- Source IP or sending service name
- Volume (emails sent)
- SPF result (pass/fail)
- DKIM result (pass/fail)
- DMARC result (pass/fail)
2. Categorize Each Sender
Authorized + Passing: Your ESP, CRM, email platform — everything looks green. Good.
Authorized + Failing: A service you use but authentication isn't configured correctly. Fix this. Add the service to SPF, configure DKIM, or fix alignment.
Unknown + Passing: A service you don't recognize that somehow passes authentication. Investigate — it might be a forgotten integration, or it might be a misconfigured SPF record that's too permissive.
Unknown + Failing: Either spoofing attempts (someone pretending to be your domain) or a forgotten service. If it's spoofing, this is exactly what DMARC at p=reject will block. If it's a forgotten service, authorize it before advancing your policy.
3. The Advancement Decision
You're ready to advance from p=none to p=quarantine when:
- All known legitimate senders show DMARC pass
- Unknown senders are confirmed as either spoofing (let DMARC block them) or authorized (you've fixed their authentication)
- You've monitored for at least 2-4 weeks
Common Surprises in DMARC Reports
Services people forget they authorized:
- Calendly/Acuity — sends booking confirmations as your domain
- Stripe/PayPal — sends receipts that may use your domain
- Zendesk/Freshdesk — sends support replies as your domain
- Typeform/Jotform — sends form confirmation emails
- Zapier/Make — sends notification emails via your SMTP
- Old ESPs — you migrated to Klaviyo but never removed the old Mailchimp authentication
Practitioner note: The most common finding in DMARC reports: a service nobody on the current team remembers setting up. An employee from 2 years ago connected a tool to send from the company domain, that person left, and the tool is still sending. DMARC reports are your audit trail.
Practitioner note: Don't panic about spoofing attempts in your DMARC reports. Every domain gets some — it's automated spam trying to use your domain. That's normal. DMARC at p=reject blocks these. Focus on making sure your legitimate email is authenticated, not on stopping every spoofer.
Practitioner note: Forensic reports (RUF) sound useful but are practically useless in 2026. Gmail doesn't send them. Yahoo barely sends them. Microsoft sends redacted versions. Don't spend time trying to set up RUF — aggregate reports (RUA) give you everything you need.
If DMARC reports look overwhelming and you need someone to interpret them and fix what's broken, schedule a consultation — I audit DMARC data and fix authentication across all your sending services.
Sources
- RFC 7489: DMARC (Section 7 — Aggregate Reports)
- dmarcian: DMARC Guide
- Postmark: Free DMARC Monitoring
v1.0 · March 2026
Frequently Asked Questions
What do DMARC aggregate reports contain?
Each report includes: the reporting organization (Gmail, Yahoo, etc.), the date range, your domain's DMARC policy, and rows of data showing source IPs, message counts, SPF results, DKIM results, and alignment status. It tells you exactly who is sending email claiming to be from your domain.
How do I read raw DMARC XML?
Don't. Raw DMARC reports are compressed XML files that are nearly impossible to interpret manually. Use a parsing tool: dmarcian (free tier), Postmark DMARC (free weekly digest), EasyDMARC, or DMARC Analyzer. They visualize the data in readable dashboards.
What's the difference between RUA and RUF reports?
RUA (aggregate) reports are daily summaries of authentication results — volume, pass/fail rates, source IPs. RUF (forensic) reports contain individual message details for failures. In practice, very few providers send RUF reports. Focus on RUA — that's where the useful data is.
How long should I monitor before advancing DMARC policy?
Minimum 2 weeks at p=none, ideally 4 weeks. You need enough data to see all legitimate senders. Some services send infrequently (monthly billing, quarterly newsletters) — longer monitoring catches these.
What does 'alignment failure' mean in a DMARC report?
Alignment failure means the domain in SPF (Return-Path) or DKIM (d= tag) doesn't match your From: header domain. The authentication check passed, but it passed for a different domain than what appears in the From: address. Fix by configuring [SPF](/email-authentication/spf-setup-guide) and [DKIM](/email-authentication/dkim-setup-guide) to use your From: domain.
Want this handled for you?
Free 30-minute strategy call. Walk away with a plan either way.