
How to Read DMARC Aggregate Reports

Learn how to interpret DMARC reports to spot spoofing attempts, identify misconfigured senders, and track authentication results step by step.


Once your DMARC record is live, you’ll start receiving aggregate reports: daily data files from mailbox providers that show how your domain is being used to send email.

At first glance, these XML files can look overwhelming. But once you understand what’s inside them, you can use that information to spot unauthorized senders, fix configuration issues, and tighten your DMARC policy with confidence.


DMARC aggregate reports, which are daily summaries of DMARC activity, are different from DMARC forensic reports, which are real-time notifications focusing on specific issues. To learn more about forensic reports, see our full guide to DMARC forensic reports.


What Are DMARC Aggregate Reports?

DMARC aggregate reports (also known as RUA reports) summarize how the receiving mail servers handled messages from your domain during a given day.

Each report includes:

  • Sending sources: The IPs and hostnames that sent messages using your domain.
  • Authentication results: Whether each message passed SPF and DKIM checks.
  • Alignment results: Whether those checks align with your domain (a requirement for DMARC).
  • Message counts: How many messages passed, failed, or were quarantined.

They don’t include message content, only metadata, but that’s more than enough to understand who’s sending on your behalf and whether those messages are properly authenticated.

What DMARC Reports Help You Do

DMARC reports give you visibility into three critical things:

  1. Which services are sending legitimate mail for you. You’ll see all your real senders: marketing platforms, ticketing systems, CRMs, and so on.
  2. Who’s pretending to send from your domain. You can spot unauthorized IPs and domains that fail authentication and might be spoofing you.
  3. How well your authentication setup is working. You can track progress as you fine-tune SPF and DKIM and prepare to enforce your DMARC policy.

Without reviewing these reports, it’s impossible to know whether your DMARC setup is actually doing its job.


For a complete overview and roadmap of DMARC implementation, see our DMARC monitoring and compliance guide.


How to Read a DMARC Aggregate Report

You don’t need to read raw XML files line by line. Here's what to do and what to look for:

1. Locate the Reports

Mailbox providers send aggregate reports to the email address listed in your DMARC record’s rua tag, for example:

 
They usually arrive as zipped XML attachments.
 

2. Open or Convert the Data

You can open these files manually in a text or spreadsheet editor, or convert them into readable tables using free DMARC report viewers. If you prefer, you can also use an automated tool that collects and visualizes them, but it’s worth understanding what the raw data looks like first.

3. Review the Key Fields

Look for these elements in each record:

  • Source IP: The sender’s IP address.
  • Disposition: What the receiver did (none, quarantine, or reject).
  • SPF/DKIM result: Whether each passed or failed.
  • Alignment: Whether the result matches your domain.

When both SPF and DKIM pass and align, the email is fully authenticated. DMARC itself passes as long as at least one of the two passes and aligns.

4. Identify Legitimate Senders

Check which IPs or domains belong to services you actually use, such as your marketing automation platform or helpdesk software. If one of them fails SPF or DKIM, update that system’s DNS or key settings.

5. Spot Unauthorized Activity

Unknown IPs that consistently fail authentication are often signs of spoofing attempts. If you see these, confirm that they don’t belong to any legitimate vendor, then consider adjusting your DMARC policy to block them.

6. Track Your Progress

Over time, your reports should show fewer authentication failures and a higher percentage of aligned messages. Once you’re confident all legitimate senders are covered, you can safely change your DMARC policy from none to quarantine, and eventually to reject.

Common Patterns to Watch For

  • Consistent SPF or DKIM failures from a known provider usually mean a configuration issue.
  • Forwarded messages may fail SPF but still pass DKIM.
  • Third-party tools that send on your behalf need explicit SPF/DKIM setup or they’ll appear as failures.

Understanding these patterns helps you separate real threats from harmless technical noise.
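The review steps and common patterns above, applied to a report in code. This is an added example, not part of the original guide or DMARCeye's tooling; the sample report, the `KNOWN_SENDERS` inventory and the category labels are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the RFC 7489 aggregate format; IPs are documentation ranges.
SAMPLE = """<feedback>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>14</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>192.0.2.25</source_ip><count>40</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.99</source_ip><count>300</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

# Hypothetical inventory of the services you actually use (step 4).
KNOWN_SENDERS = {"192.0.2.10": "corporate MTA", "192.0.2.25": "helpdesk tool"}

def classify(ip, dkim, spf, known):
    # dkim/spf here are the aligned results from <policy_evaluated>.
    if dkim == "pass" and spf == "pass":
        return "authenticated"
    if dkim == "pass":
        return "dkim-only"  # SPF failed, DKIM survived: typical of forwarding
    if spf == "pass":
        return "spf-only"   # DKIM missing, broken, or not aligned
    return "known-misconfigured" if ip in known else "unknown-failing"

def summarize(xml_text, known=KNOWN_SENDERS):
    # Reports come from outside parties: refuse DTD/entity declarations before parsing.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration in report")
    rows, totals = [], Counter()
    for rec in ET.fromstring(xml_text).iter("record"):
        row = rec.find("row")
        pe = row.find("policy_evaluated")
        ip, count = row.findtext("source_ip"), int(row.findtext("count"))
        label = classify(ip, pe.findtext("dkim"), pe.findtext("spf"), known)
        rows.append((ip, count, pe.findtext("disposition"), label))
        totals[label] += count
    return rows, dict(totals)

if __name__ == "__main__":
    rows, totals = summarize(SAMPLE)
    for ip, count, disposition, label in rows:
        print(f"{ip:15} {count:5} {disposition:10} {label}")
    passed = sum(n for k, n in totals.items() if k in ("authenticated", "dkim-only", "spf-only"))
    print(f"DMARC pass rate: {100 * passed / sum(totals.values()):.1f}%")
```

Rows labelled `known-misconfigured` are the ones to fix in DNS or key settings; `unknown-failing` rows are the ones to verify against your vendor list before tightening the policy.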

DMARCeye: Making the Process Easier

If you manage multiple domains or receive many reports per day, reading XML manually quickly becomes unmanageable.

That’s where DMARC reporting platforms like DMARCeye can help. They collect and visualize data from all your reports, giving you an organized view of sending sources, pass rates, and trends over time.

You don’t need one to get started, but as your DMARC program matures, automation saves time and helps you stay proactive.

Get a free trial of DMARCeye today and start protecting your email domain.
