Back to Course
Լight modeDark mode

DMARC Aggregate Report Views

What are DMARC Aggregate Reports (RUA)? 

As a domain owner, when you have DMARC implemented for your domain, what you need is an extensive reporting mechanism that will help you gain complete visibility into your email ecosystem. That is exactly what aggregate reports do. They provide information on the sending source, sending domain, the sender’s IP address, the volume of emails sent, the percentage of DMARC-compliant emails and the DKIM and SPF authentication results.  

How often are DMARC Aggregate Reports generated?

DMARC aggregate reports are generated once a day, on a daily basis. While a typical DMARC aggregate report is generated in XML file format that can be quite complex to read for a non-technical person, PowerDMARC simplifies these aggregate reports in simple, readable tabular format for ease of understanding.

What information do DMARC Aggregate Reports contain? 

A raw DMARC aggregate report contains the following information: 

Information on the Reporting organization (i.e the email receiver that generated and sent this report),such as the Report ID number, the Reporting Organisational Name, the reporting organization’s sending address, additional contact information, and the beginning and ending date range (in an epoch format)

Published DMARC DNS record description: the sending domain, SPF and DKIM alignment settings, the domain and subdomain policy mode and the percentage of failing emails to which the policy is to  be applied (pct) 

 

the DKIM/SPF authentication results summary

How is this information presented on PowerDMARC’s aggregate views?

PowerDMARC extracts information from your XML files and converts them into simple, readable charts and tables. This reflects the authentication result overview, percentage and volume of DMARC-compliant emails and information on the sending source and sending IP address more efficiently, as shown below: 

What do the SPF/DKIM results mean? 

The SPF/DKIM authentication results give you a summarized overview of the authentication failures and alignment failures for your configured DMARC authentication protocols (SPF and/or DKIM). The shade card for the authentication results is given below for your understanding: 

SPF aligned (green) : the domain in the Return-path header and the From header are a match 

SPF not aligned, pass (yellow) :  "Not aligned, pass" means the SPF authentication passed, but the mailfrom/d= domains do not match the “from” domain.

SPF Failed (red) : During the DMARC check, if "Envelope From" domain does not match with the actual sender's domain ( Organizational domain ),so SPF alignment will fail.

DKIM aligned (green) : DKIM alignment is when your email's parent domain of the DKIM signing domain matches the Header From domain.

DKIM not aligned, pass (yellow) : "Not aligned, pass" means the DKIM authentication passed, but the mailfrom/d= domains do not match the “from” domain.

DKIM Failed (red) : During the DMARC check, DKIM fails when your email's parent domain of the DKIM signing domain does not match the Header From domain.

What are the different views via which PowerDMARC displays Aggregate reports?

PowerDMARC extracts information from your XML files and converts them into simple, readable charts and tables available in 7 different views: 

Per sending source

Per result 

Per organization

Per host

Detailed stats 

Geo location report

Per country 

What are the terms displayed in the cascaded table aggregate report views?

If you go to your DMARC aggregate reports and cascade the table, you will have the following information at your disposal:

Sender Hostname: The sending email server’s hostname

Source IP: The IP address of the email sender 

Volume: The volume of emails sent from the specific domain via the indicated sender host

DMARC Compliance: The percentage of emails that are DMARC compliant ( SPF and/or DKIM aligned) 

DKIM verification: Percentage of emails that have passed/failed DKIM authentication and alignment

SPF verification: Percentage of emails that have passed/failed SPF authentication and alignment 

 

View 1: DMARC Aggregate Reports Per Sending Source

How are the results sorted on this page? 

Results on this page are sorted based on the domain’s email sending sources. 

What are the different sections in this page and what do they mean?

DMARC-compatible sources : Sources that are sending DMARC-compliant emails on behalf of a domain 

 

 

In this example, the sending source is Google and the “From” Domain is app.powerdmarc.com. This means that emails were sent from Google’s mail servers on behalf of the domain app.powerdmarc.com. Since those emails are SPF and DKIM aligned, they are DMARC compliant and are therefore presented in the DMARC compatible sources section.  

Forwarded: This sections contains emails that have been forwarded

In this example, the sending source is Google and the volume of emails forwarded from this domain is 1. Although the forwarded email was found not to be DMARC compliant and failed DKIM authentication, and SPF alignment, the receiver was able to identify it as a forwarded email and therefore a policy of none was applied. 

Failed: This section contains information on emails that have failed authentication checks. 

In this example, the sending source is MailChannels and the volume of emails sent from this domain that has failed DMARC is 1. The DKIM and SPF verification for this email have both failed as shown above. 

When should I use this page view?

This page is best used when trying to investigate the SPF/DKIM configuration setting of your email sending services/sources. For example, if you are using Gsuite/Google WorkSpace to send emails on behalf of your domain and you want to inspect the correctness of the SPF/DKIM settings, this would be the best view. 

View 2: DMARC Aggregate Reports Per Result 

How are results sorted on this page?

Results on this page are sorted based on the SPF/DKIM alignment and/or authentication results. 

What are the different sections on this page and what do they mean?

DMARC correct - DKIM or SPF aligned 

 

This section shows the volume of emails that are DMARC compliant for a specific domain or all registered domains (which have either SPF aligned, DKIM aligned or both aligned). Cascading each row reveals further information such as the sending hostname, IP address, volume, status of DMARC compliance and SPF and DKIM verification results. 

Authenticated - DKIM or SPF valid

This section shows the amount (%) and volume of emails that have been authenticated by either SPF or DKIM but are not aligned. Cascading each row reveals further information such as the sending hostname, IP address, volume, status of DMARC compliance and SPF and DKIM verification results. 

Invalid flows - DKIM and SPF invalid

This section shows the amount (%) and volume of emails that have failed SPF and/or DKIM authentication checks. Cascading each row reveals further information such as the sender hostname, IP address, volume, status of DMARC compliance and SPF and DKIM verification results. 

When should I use this page?

This page is best used when trying to look at emails that failed or passed SPF/DKIM authentication/alignment at a glance without checking for each domain manually. 

View 3: DMARC Aggregate Reports Per Organization

How are results sorted on this page?

Results on this page are sorted based on every reporting organization that has received emails from your domains hence generating and sending DMARC reports to us.

What are the different sections on this page and what do they mean?

This page contains a single section, that displays all the reporting organizations for your specified domain or all domains. It contains the following information: 

Reporting organization’s name 

Volume of emails sent 

% of DMARC complaint emails 

DKIM verification results

SPF verification results 

 

Each row can be further cascaded to reveal  sender hostnames and IP addresses of email sources, volume, status of DMARC compliance and SPF and DKIM verification results.

When should I use this page?

It is recommended that you use this page view when you want to investigate the SPF and DKIM authentication verdicts applied to emails sent for your domains to particular email receivers (reporting organizations) such as google.com, zoho.com, etc.

View 4: DMARC Aggregate Reports Per Host

How are results sorted on this page?

Results on this page are sorted based on every email sending host used by all your sending sources.

What are the different sections on this page and what do they mean?

This page contains a single section that displays all the sender hostnames for the outbound emails sent from your specified domain or all your registered domains. It contains the following information: 

Overview of Percentage of emails that are DMARC compliant, for which SPF and DKIM valid and for which SPF and DKIM are invalid: 

 

The sender hostnames for the sending sources 

The volume of emails sent by each of these hosts 

Percentage of emails that are DMARC compliant

DKIM verification result

SPF verification result

Each row can be further cascaded to reveal IP addresses of email sources, volume, and status of DMARC as shown below: 

When should I use this page?

You can use this page when you want to view your DMARC aggregate reports based on every email sending host used by your sending sources, directly, without having to cascade the rows underneath your sending sources to view their sender hostnames. 

View 5: Detailed Stats

How are results sorted on this page?

Results on this page are sorted based on detailed stats on every email sending hostname, IP address, reporting organizations and authentication results across a single pane of glass.

What are the different sections on this page and what do they mean?

On this page there is a single continuous section, results for which can be sorted based on the domain and date range, as well as individual sender hostnames, IP address and organizational names can be searched up for more filtered results. Every DMARC aggregate view page has a search box wherein you can filter and view results for a particular sending source or email sending hostnames. 

DMARC aggregate reports on this page contain the following information: 

The sender hostnames

The sender’s IP address

Reporting organizational name

Volume of emails sent 

Percentage of DMARC compliant emails 

DKIM/SPF verification status

Each row can be cascaded to reveal the From domain, applied policy mode, status of DMARC compliance, and DKIM/SPF alignment information. 

When should I use this page?

You can use this page when you want to view your DMARC aggregate reports in detail with the hostnames, IP addresses and organizational names all available on across a single pane of glass. This view is best for detailed inspection and investigation of your sending sources’ IP addresses, hosts and reporting organizations. 

View 6: Geo Location Report

How are results sorted on this page?

Results on this page are sorted based on the geographical locations of your email sending sources and their respective IP addresses. 

What are the different sections on this page and what do they mean?

The primary section on this page consists of a world map on which you can view specific locations marked with coloured pointers depicting the geographical locations of your registered email domains’ respective sending sources or IP addresses. There is a shade card provided to segregate the degree of DMARC compliance for outgoing emails sent from specific regions on the globe. 

DMARC compliant emails (green) 

Emails for which DMARC failed (blue)

Domains for which threats were detected (red)  

You can click on the drop-down arrow to download ( as PNG, JPG, SVG or PDF),annotate or print this data. 

The section at the bottom of the page provides a list of countries (example US, Japan, Ireland) and their successive volume of DMARC complaint emails that were sent from sending sources originating from these locations on behalf of your registered emails domains. It also provides insights on the Top 10 countries for which emails failed DMARC and threats were detected. 

 

When should I use this page?

You can use this page when you want to view your DMARC aggregate reports based on the geo-locations of your sender IP addresses and sending sources for your registered domains and inspect which specific locations failed DMARC and threats were detected for them so that you can respond to the errors faster. 

View 7: DMARC Aggregate Reports Per Country 

How are results sorted on this page?

Results on this page are sorted to provide complete visibility of the locations of all your sending sources. 

What are the different sections on this page and what do they mean?

This page contains a continuous section with aggregate reports sorted displaying the country of location of the sending sources for the registered domains, their corresponding Ip addresses and sender hostnames, as well the DKIM/SPF authentication results. 

Each row can be cascaded to reveal the From domain, applied policy mode, status of DMARC compliance, and DKIM/SPF alignment information. 

When should I use this page?

You can use this page when you want to view DMARC aggregate reports with enhanced visibility into the country of origin of your sending sources, that are sending emails on behalf of your domain, alongside relevant information on the sender hostname, IP address and percentage of emails that are DKIM/SPF compliant. 

Course content
Advanced Email Authentication Course