Understanding DMARC Aggregate Reports

What are aggregate reports?

Every time a major mail provider (Google, Microsoft, Yahoo, etc.) receives email claiming to be from your domain, they keep a record. At the end of each day, they bundle those records into an XML file and email it to the address in your rua= tag.

These are aggregate reports — a daily summary of all email authentication activity for your domain.

DMARC+ automatically receives, processes, and displays these reports in your Dashboard. But understanding what the underlying data contains helps you interpret the dashboard and diagnose problems faster.


Report structure

Each aggregate report contains:

Metadata

  • Report ID — unique identifier for the report
  • Submitting organisation — who sent the report (e.g., google.com, microsoft.com)
  • Date range — the 24-hour period the report covers
  • Domain — which of your domains this report covers
  • Policy published — what DMARC policy was in effect during this period

Records

The bulk of the report is a list of records, one per unique sending IP. Each record contains:

  • Source IP — the IP address that sent the email
  • Message count — how many emails came from this IP during the reporting period
  • Policy evaluated and applied — what your DMARC policy said to do, and what the receiver actually did (these can differ if you've set pct= less than 100)
  • Authentication results:

| Check | Possible results |
|---|---|
| SPF result | pass, fail, softfail, neutral, none, temperror, permerror |
| SPF domain | The domain used in the Return-Path |
| DKIM result | pass, fail, none, policy, neutral, temperror, permerror |
| DKIM domain | The d= value in the DKIM signature |
| DKIM selector | The s= selector used |
| DMARC alignment (SPF) | pass or fail |
| DMARC alignment (DKIM) | pass or fail |
| DMARC overall disposition | none, quarantine, reject |

Reading the results in DMARC+

The Dashboard translates this XML into charts and tables. When you drill into a source:

All pass (SPF pass + aligned, DKIM pass + aligned)

This is your legitimate email sending correctly. Nothing to do.

SPF pass, DKIM fail, DMARC pass

SPF is passing and aligned — DMARC passes on SPF alone. DKIM isn't set up or is failing for this source, but it's not affecting delivery. Recommended: still fix DKIM for defence-in-depth.

SPF fail, DKIM pass, DMARC pass

DKIM is passing and aligned — DMARC passes on DKIM alone. SPF may need to be updated to include this source's IP.

Both fail, DMARC fail

This source is failing authentication entirely. Three possibilities:

  1. It's a legitimate service you haven't configured yet — add it to SPF and set up DKIM
  2. It's a service you no longer use — ignore it; once you enforce, it'll be blocked
  3. It's an attacker spoofing your domain — enforce to block them

SPF pass, no DKIM, disposition = none

The email passed SPF but there's no DKIM signature. This will work at p=none and p=quarantine if SPF aligns, but it's fragile — SPF alignment breaks when email is forwarded.
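
The same triage can be run directly on a raw report. The following Python is an added example, not DMARC+ code: it sorts each record into the cases above and totals message counts per failing source IP. It assumes the report is already decompressed and uses un-namespaced RFC 7489 element names; the function names and the sample report are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

def _record(ip, count, dkim, spf):
    # Builds one constructed <record>; dkim/spf are the aligned (DMARC) results.
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition><dkim>{dkim}</dkim>"
            f"<spf>{spf}</spf></policy_evaluated></row></record>")

# Constructed sample report; IPs are from the documentation ranges.
SAMPLE = ("<feedback><policy_published><domain>example.com</domain><p>none</p>"
          "</policy_published>"
          + _record("192.0.2.10", 120, "pass", "pass")
          + _record("192.0.2.11", 40, "fail", "pass")
          + _record("198.51.100.5", 15, "pass", "fail")
          + _record("203.0.113.7", 10000, "fail", "fail")
          + "</feedback>")

def classify(dkim, spf):
    """Map the aligned DKIM/SPF results to the cases described in the article."""
    if dkim == "pass" and spf == "pass":
        return "all pass"
    if spf == "pass":
        return "DMARC pass on SPF alone"
    if dkim == "pass":
        return "DMARC pass on DKIM alone"
    return "DMARC fail"

def summarize(xml_text):
    """Return (message totals per case, message counts per failing source IP)."""
    # Reports come from third parties by email: refuse DTDs and entities up front.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration in report")
    totals, failing = Counter(), Counter()
    for row in ET.fromstring(xml_text).iter("row"):
        count = int(row.findtext("count") or 0)
        # A missing result is treated as a failure rather than silently passing.
        dkim = row.findtext("policy_evaluated/dkim") or "fail"
        spf = row.findtext("policy_evaluated/spf") or "fail"
        case = classify(dkim, spf)
        totals[case] += count
        if case == "DMARC fail":
            failing[row.findtext("source_ip")] += count
    return totals, failing

if __name__ == "__main__":
    totals, failing = summarize(SAMPLE)
    for case, n in totals.most_common():
        print(f"{n:>6}  {case}")
    print("failing sources:", dict(failing))
```

Weighting by the count field rather than by number of records is what makes a single high-volume failing IP stand out from many low-volume ones.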


What DMARC reports do NOT tell you

  • The content of emails (aggregate reports are metadata only)
  • Whether emails were actually read or delivered to users' inboxes
  • The identity of the person who sent the email
  • What happened to rejected/quarantined emails on the receiver side

Common patterns and what they mean

Many IPs, all from one major provider (e.g., Google)

Normal for Google Workspace — Google uses many IPs. All should show as passing if DKIM is set up correctly.

One IP with 10,000 emails, all DMARC fail

Strong signal of an active spoofing campaign. Until you enforce p=reject, these are being delivered to recipients. This is your strongest motivation to reach enforcement quickly.

Many low-volume IPs all failing

Could be a spam campaign using your domain, or could be a misconfigured service with many instances. Investigate the IP ownership.

Your own known mail server showing DMARC fail

SPF or DKIM misconfiguration on your side. Check that your SPF record includes this server's IP and that DKIM is signing outbound email.

Forwarded email failing

Email forwarded from another domain often breaks SPF alignment (the forwarder changes the Return-Path). This is expected — it's why DKIM is important for forwarded email. If the original email was DKIM-signed with alignment, forwarded copies can still pass DMARC via DKIM.


How often to review reports

  • Weekly — during initial setup while identifying and fixing sources
  • Monthly — once at full enforcement, regular check for new unauthorised sources
  • Immediately — if you receive an alert about a sudden spike in DMARC failures