Once your DMARC record is live, you’ll start receiving something called aggregate reports, i.e., daily data files from mailbox providers that show how your domain is being used to send email.
At first glance, these XML files can look overwhelming. But once you understand what’s inside them, you can use that information to spot unauthorized senders, fix configuration issues, and tighten your DMARC policy with confidence.
DMARC aggregate reports, which are daily summaries of DMARC activity, are different from DMARC forensic reports, which are real-time notifications focusing on specific issues. To learn more about forensic reports, see our full guide to DMARC forensic reports.
DMARC aggregate reports (also known as RUA reports) summarize how the receiving mail servers handled messages from your domain during a given day.
Each report includes:
They don’t include message content, only metadata, but that’s more than enough to understand who’s sending on your behalf and whether those messages are properly authenticated.
DMARC reports give you visibility into three critical things:
Without reviewing these reports, it’s impossible to know whether your DMARC setup is actually doing its job.
For a complete overview and roadmap of DMARC implementation, see our DMARC monitoring and compliance guide.
You don’t need to read raw XML files line by line. Here's what to do and what to look for:
Mailbox providers send aggregate reports to the email address listed in your DMARC record’s rua tag, for example:
You can open these files manually in a text or spreadsheet editor, or convert them into readable tables using free DMARC report viewers. If you prefer, you can also use an automated tool that collects and visualizes them, but it’s worth understanding what the raw data looks like first.
Look for these elements in each record:
When both SPF and DKIM pass and align, the email is fully authenticated.
Check which IPs or domains belong to services you actually use, such as your marketing automation platform or helpdesk software. If one of them fails SPF or DKIM, update that system’s DNS or key settings.
Unknown IPs that consistently fail authentication are often signs of spoofing attempts. If you see these, confirm that they don’t belong to any legitimate vendor, then consider adjusting your DMARC policy to block them.
Over time, your reports should show fewer authentication failures and a higher percentage of aligned messages. Once you’re confident all legitimate senders are covered, you can safely change your DMARC policy from none to quarantine, and eventually to reject.
Understanding these patterns helps you separate real threats from harmless technical noise.
If you manage multiple domains or receive many reports per day, reading XML manually quickly becomes unmanageable.
That’s where DMARC reporting platforms like DMARCeye can help. They collect and visualize data from all your reports, giving you an organized view of sending sources, pass rates, and trends over time.
You don’t need one to get started, but as your DMARC program matures, automation saves time and helps you stay proactive.
Get a free trial of DMARCeye today and start protecting your email domain.