How to Read DMARC Reports?
How to enable DMARC reporting for your domains?
To configure DMARC reporting for your domain you need to:
Create a DMARC record for your domain.
In the rua tag, enter the email address where you want your aggregate reports sent.
In the ruf tag, enter the email address where you want your failure reports (historically called forensic reports) sent.
Once you have filled in the other tags and generated the record, publish the resulting TXT record in your DNS.
Note: Failure reports are not sent by all receivers. Most major mailbox providers limit or disable them, so aggregate reports are your most reliable source.
How to Read DMARC Reports: Reading DMARC Raw Reports
Your DMARC reports, also called raw reports, provide the data about your domain's mail activity that you need to protect against spoofing and fix authentication issues. Aggregate reports are available in XML format and are usually sent by email. There are two types:
DMARC aggregate (RUA) report, governed by RFC 9990
DMARC failure (RUF) report, governed by RFC 9991
You can visit PowerDMARC's knowledge base to learn more about each and how to configure them.
Reading raw aggregate reports can be a hassle for a non-technical person. Here is an example of a raw report, reflecting the RFC 9990 format:
<?xml version="1.0" encoding="UTF-8" ?> <feedback> <report_metadata> <org_name>google.com</org_name> <email>[email protected]</email> <extra_contact_info>http://google.com/dmarc/support</extra_contact_info> <report_id>8293631894893125362</report_id> <date_range> <begin>1234453590</begin> <end>1234573120</end> </date_range> </report_metadata> <policy_published> <domain>yourdomain.com</domain> <adkim>r</adkim> <aspf>r</aspf> <p>none</p> <sp>none</sp> <np>none</np> <discovery_method>treewalk</discovery_method> </policy_published> <record> <row> <source_ip>203.0.113.50</source_ip> <count>2</count> <policy_evaluated> <disposition>none</disposition> <dkim>fail</dkim> <spf>pass</spf> </policy_evaluated> </row> <identifiers> <header_from>yourdomain.com</header_from> </identifiers> <auth_results> <dkim> <domain>yourdomain.com</domain> <selector>selector1</selector> <result>fail</result> <human_result></human_result> </dkim> <spf> <domain>yourdomain.com</domain> <result>pass</result> </spf> </auth_results> </record> </feedback>
|
Breaking Down a DMARC Raw Report
Here is what each section means.
The reporting organization, that is, the receiver that generated and sent the report (not your own ISP or email provider):
<org_name>google.com</org_name> <email>[email protected]</email> <extra_contact_info>http://google.com/dmarc/support</extra_contact_info> |
The report ID:
<report_id>8293631894893125362</report_id> |
The reporting date range, in epoch seconds (begin is earlier than end):
<date_range> <begin>1234453590</begin> <end>1234573120</end> </date_range> |
Your DMARC record, as the receiver retrieved it from DNS. Under RFC 9990, this section now also includes np (the non-existent subdomain policy) and discovery_method, which shows whether the receiver found your policy via the legacy Public Suffix List (psl) or the new DNS Tree Walk (treewalk):
<policy_published> <domain>yourdomain.com</domain> <adkim>r</adkim> <aspf>r</aspf> <p>none</p> <sp>none</sp> <np>none</np> <discovery_method>treewalk</discovery_method> </policy_published> |
The IP address of the sending source:
<source_ip>203.0.113.50</source_ip> |
The evaluated result for this source (the disposition applied, plus the DKIM and SPF outcomes):
<policy_evaluated> <disposition>none</disposition> <dkim>fail</dkim> <spf>pass</spf> </policy_evaluated> |
The From: domain:
<header_from>yourdomain.com</header_from> |
The DKIM authentication result. Under RFC 9990, the DKIM selector is required, which helps you identify exactly which signing key produced the result, useful during key rotation:
<dkim> <domain>yourdomain.com</domain> <selector>selector1</selector> <result>fail</result> </dkim> |
The SPF authentication result:
<spf> <domain>yourdomain.com</domain> <result>pass</result> </spf> |
Standard Email Protocols: SMTP, POP3 & IMAP Free4 m- What is Email Security? Free4 m
- Email Security Practices Free4 m
- Building an Email Security Compliance Model Free5 m
- Corporate Email Security Checklist Free3 m 30 s
- What is the difference between Inbound email security and outbound email security? Free4 m
- What is Information Security? Free4 m
- Zero Trust Security Model Free3 m
- What is a DNS Lookup? Free4 m
- Understanding the 10 DNS Lookup Limit for SPF Records Free3 m
- SPF Void Lookups Explained Free2 m
- Creating and Optimizing SPF records for your own domain Free4 m
Video Free2 m- What is SPF Permerror and How to Fix It Free7 m
- Video Free2 m
- SPF Flattening Free5 m
- SPF Macros Free9 m
- Video Free2 m
- What is SPF Alignment? Free3 m
- How to Set Up Microsoft Office 365 SPF record? Free4 m
- How to Set Up Google Workspace SPF Record? Free2 m
- How to Set Up MailChimp SPF Record? Free3 m
- How to Set Up SendGrid SPF Record? Free2 m
- How to Set Up Salesforce SPF Record? Free3 m
- How to Setup Zoho Mail SPF Record? Free2 m
- What is DKIM Alignment? Free3 m
- DKIM Domain Alignment Failures Free6 m
- How to Set Up DKIM for Microsoft Office 365? Free4 m
- How to Set Up DKIM for Google Workspace? Free3 m
- How to Set Up DKIM for MailChimp? Free4 m
- How to Set Up DKIM for SendGrid? Free3 m
- How to Set Up DKIM for Salesforce? Free3 m
- How to Set Up DKIM for Zoho Mail? Free3 m
- DMARC RFC 9989, 9990 and 9991 Free5 m
- What is DMARC Compliance? Free2 m
- DMARC Compliance Requirements Free2 m
- The Benefits of DMARC Free2 m
- DMARC Configuring Free3 m
- Achieving DMARC Enforcement Free2 m
- DMARC Vs Antispam Solutions Free2 m
- DMARC Identifier Alignment Free2 m
- DMARC sp Tag Exceptions & Uses Free1 m
- Configuring DMARC without DKIM Free3 m
- Configuring DMARC without SPF Free2 m
- DMARC Aggregate Report Views Free3 m
- Video - PowerDMARC Aggregate Reports Free2 m 13 s
- DMARC Forensic Report Views Free2 m
- Video - PowerDMARC Forensic Reports Free0 s
- DMARC Forensic PGP Encryption and Decryption Free2 m
- TLS Report Views Free3 m
- Video - PowerDMARC TLS Reports Free0 s
- PDF/CSV Reports Free2 m
- Video - PowerDMARC PDF/CSV Reports Free1 m 1 s