
DMARC Report

What is a DMARC report?

A DMARC report is an email sent by email service providers to the domain owners or admins who have published a DMARC policy for their domain. DMARC reports provide details of the emails sent from your domain, and the authentication status of SPF, DKIM and DMARC for each email.

This page provides an overview of DMARC report types, their importance and more.

Types of DMARC reports

There are two types of DMARC reports: aggregate reports and forensic reports. They are sent to the email addresses listed in the RUA and RUF fields of the DMARC policy you publish for your domain.

What is a DMARC aggregate report?

A DMARC aggregate report is an XML file sent to email domain administrators as an email attachment. It provides a summary of SPF, DKIM and DMARC authentication statuses. Aggregate reports allow you to analyze these email authentication results and take necessary precautions to protect the reputation of your business.

The following information is available in a DMARC aggregate report:

  • Name of the reporter who provided the report
  • Date range for which the report was generated
  • DMARC policy of the domain evaluated
  • SPF/DKIM pass or fail status
  • SPF/DKIM alignment
  • Sender's IP address

What is a DMARC forensic report?

DMARC forensic reports are failure reports. They are sent by email as and when a message fails the DMARC policy. A forensic report is sent for each rejected email, which helps admins troubleshoot the reason for the email failure.

Some of the information available in a DMARC forensic report is given below:

  • Email subject
  • Email received time
  • Email header information
  • Email content
  • SPF, DKIM and DMARC authentication results
  • Sender address
  • Email delivery status
  • DMARC policy applied (reject, quarantine or accept).

Differences between DMARC aggregate and forensic reports

The table given below depicts the key differences between the two DMARC reports:

| Aggregate report | Forensic report |
|---|---|
| Provides the authentication status of all the emails (delivered and rejected) sent from your domain. | Report sent only for emails that get rejected. |
| Sent to email addresses added to the RUA field. | Sent to email addresses added to the RUF field. |
| The report is received as an XML file. | Report received as plain text email. |
| Reports will be generated as per the interval configured by administrators. | Received for each rejected email immediately after an email fails the authentication. |
| Does not contain PII. | Contains the From and To email addresses, and the body of the email. |
| Configuring aggregate reports is recommended while publishing DMARC policy. | DMARC forensic report is optional. |

Why is a DMARC report important?

DMARC reports help secure your organization's domain against spoofing and reduce the number of emails from your domain that land in recipients' Spam folders. They give email domain administrators timely feedback on which emails sent from the domain passed or failed the email security protocols. Some of the benefits of DMARC reports are as follows:

Protection against phishing and spoofing

Cybercriminals can misuse your domain and trick users by sending malicious emails to a huge recipient list. Analyzing the DMARC report helps you determine whether an email was sent from a genuine source or is a phishing attempt by a spammer.

Increase email deliverability

DMARC reports allow you to address SPF and DKIM authentication issues that could cause your emails to be marked as Spam. You can improve your domain reputation and email deliverability by resolving any authentication issues.

Track email authentication status

With DMARC reports, domain admins can ensure that the emails sent using their domain are from trusted email sources and prevent the possibility of misuse.

Comply with regulatory norms

With the increase in business email communications, most regulatory authorities mandate organizations to comply with email authentication protocols such as DMARC to prevent spoofed emails from being sent using your organization's domains. The copies of DMARC reports can be used as evidence that your organization meets the industry-specific regulatory norms.

How does a DMARC report work?

If you are a domain owner, the DMARC reports related to your domain will be sent by the email providers which receive an email from your domain.

When an email is sent from your domain (genuine or spoofed email), the receiving server validates the DMARC policy and generates a report. This process repeats for all the emails sent from your domain and will be done by all the email servers. A consolidated report will be sent to the email address registered under the RUA field of your DMARC record.

Once you receive the report, you can analyze it to identify the issues that cause email delivery to fail, as well as spoofing attempts made using your domain name.

How to enable DMARC reports?

As an administrator, you should publish a DMARC record and enter the desired email address in the RUA field. Once you finalize the DMARC policy, add it as a TXT record in your domain provider's DNS manager to start receiving aggregate DMARC reports.

If your email provider supports forensic reports, you can add an email address in the RUF field to receive email failure reports.
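The following check is an added example, not part of the original page: it parses a DMARC TXT value and lists problems that would stop reports from reaching the RUA and RUF mailboxes, including the case where a report address sits at another domain and that domain must publish an authorization record before receivers will send to it. The domain example.com, the sample records and the function names are assumptions made for illustration.

```python
def parse_dmarc_record(txt):
    """Split a DMARC TXT value into an ordered {tag: value} dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags

def report_addresses(tags, field):
    """Mailbox addresses listed in the rua or ruf tag (mailto: URIs only)."""
    out = []
    for uri in tags.get(field, "").split(","):
        uri = uri.strip()
        if uri.lower().startswith("mailto:"):
            out.append(uri[7:].split("!", 1)[0])  # drop optional "!10m" size limit
    return out

def check_reporting(policy_domain, txt):
    """Return a list of problems that would stop reports from arriving."""
    tags = parse_dmarc_record(txt)
    findings = []
    if list(tags.items())[:1] != [("v", "DMARC1")]:
        findings.append("record must begin with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= policy")
    if not report_addresses(tags, "rua"):
        findings.append("no rua= mailto address, so no aggregate reports")
    for field in ("rua", "ruf"):
        for addr in report_addresses(tags, field):
            host = addr.rsplit("@", 1)[-1].lower()
            # Simplification: "same domain" means equal to, or a subdomain of,
            # the policy domain (a full check compares organizational domains).
            if host != policy_domain and not host.endswith("." + policy_domain):
                findings.append(
                    f"{field}={addr}: {host} must publish TXT "
                    f'{policy_domain}._report._dmarc.{host} "v=DMARC1"')
    return findings

# Constructed sample records for a hypothetical example.com
OK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
EXTERNAL = ("v=DMARC1; p=reject; rua=mailto:agg@reports.example.net!10m; "
            "ruf=mailto:fail@example.com")

if __name__ == "__main__":
    for rec in (OK_RECORD, EXTERNAL, "v=DMARC1; p=quarantine"):
        print(rec, "->", check_reporting("example.com", rec) or "ok")
```

The record itself is published as a TXT record at the _dmarc label of the domain, for example _dmarc.example.com.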

What does a DMARC report look like?

The designated administrators will receive raw DMARC reports as an XML file which contains the metadata with one or more records. Below is a summary of a DMARC report:

  • Count of emails sent using a single IP address during the selected date range.
  • Authentication status of SPF, DKIM and DMARC for each email.
  • Action taken by the receiving email server, such as accepting or rejecting the email.

Sample DMARC report

A typical DMARC report (XML) is shown below:

<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
  <version>1.0</version>
  <report_metadata>
    <org_name>reporting_org_name</org_name>
    <email>reporter@domain.com</email>
    <extra_contact_info></extra_contact_info>
    <report_id>0000123456</report_id>
    <date_range>
      <begin>1234123489</begin>
      <end>1234123499</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>domain.com</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>reject</p>
    <sp>reject</sp>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>191.XX.XX.XXX</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>domain.com</header_from>
      <envelope_from>sender.domain.com</envelope_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>domain.com</domain>
        <selector>12345</selector>
        <result>pass</result>
      </dkim>
      <spf>
        <domain>sender.domain.com</domain>
        <scope>xxxxx</scope>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
</feedback>

How to read a DMARC report?

Given the volume of emails sent these days, reading lengthy, raw XML data is a difficult task, and not everyone will be able to decode it. Certain email providers have a built-in DMARC reports section which will break down the raw data and present it in a user-friendly form. With this human-readable version, even those who cannot read an XML report can proactively take necessary steps to improve their email deliverability and domain reputation.
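As an added example (not part of the original page or of any provider's tooling), the script below reduces a raw aggregate report to a per-source summary and lists the sending IP addresses whose mail failed DMARC. The embedded report is constructed with documentation addresses, and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed report in the aggregate format (documentation IPs and domains).
SAMPLE = """<feedback>
<report_metadata><org_name>receiver.example</org_name></report_metadata>
<policy_published><domain>example.com</domain><p>reject</p></policy_published>
<record><row><source_ip>192.0.2.10</source_ip><count>40</count>
<policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf>
</policy_evaluated></row></record>
<record><row><source_ip>203.0.113.7</source_ip><count>3</count>
<policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf>
</policy_evaluated></row></record>
</feedback>"""

def summarize(xml_text):
    """Total messages, DMARC passes and dispositions per source IP."""
    # Reports come from outside parties: refuse DTDs and entity declarations.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration in report")
    root = ET.fromstring(xml_text)
    for el in root.iter():  # some reporters declare a namespace; strip it
        el.tag = el.tag.rsplit("}", 1)[-1]
    sources = {}
    for row in root.iter("row"):
        ev = row.find("policy_evaluated")
        n = int(row.findtext("count", "0"))
        s = sources.setdefault(row.findtext("source_ip"),
                               {"count": 0, "dmarc_pass": 0, "dispositions": set()})
        s["count"] += n
        # DMARC passes when either aligned result in policy_evaluated is "pass".
        if "pass" in (ev.findtext("dkim"), ev.findtext("spf")):
            s["dmarc_pass"] += n
        s["dispositions"].add(ev.findtext("disposition"))
    return sources

def failing_sources(summary):
    """(ip, failed message count) for sources failing DMARC, busiest first."""
    bad = [(ip, s["count"] - s["dmarc_pass"]) for ip, s in summary.items()
           if s["dmarc_pass"] < s["count"]]
    return sorted(bad, key=lambda t: -t[1])

if __name__ == "__main__":
    print(failing_sources(summarize(SAMPLE)))
```

A source that passes only one of SPF or DKIM, like 192.0.2.10 here, still passes DMARC but is worth reviewing, because a later DKIM or SPF change would leave it with no passing mechanism.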

Monitoring DMARC report

Now that you are aware of how DMARC reports work, publish a DMARC policy for your domain and enable DMARC reports. Implementing DMARC reports is just the first step in protecting your organization's domain reputation. 

Your responsibility as an email domain administrator is ongoing. Some of the follow-up actions for an administrator are:

  • Monitor the DMARC reports regularly.
  • Analyze the reports diligently and take appropriate corrective actions to safeguard your domain from misuse.
  • Review all the sending IP addresses in the DMARC report.
  • Validate the email sources, especially the email services other than your primary email provider.
  • Review the on-premise email services, if deployed.

If you are using Zoho Mail, you can easily view the DMARC reports from the Zoho Mail Admin Reports portal by logging in as an administrator.