How to Read DMARC Reports
What is a DMARC aggregate report?
Every mail provider that receives email claiming to be from your domain sends you a daily summary of what they saw. This summary is called an aggregate report. It arrives as an email attachment, usually a zip or gzip file containing XML.
The report covers a 24-hour period and includes: which IP addresses sent email as your domain, how many messages came from each IP, whether those messages passed or failed SPF and DKIM, and what action was taken (none, quarantine, reject).
Report structure
A DMARC aggregate report has two main sections:
Report metadata
The top of the report identifies who sent it and what period it covers:
- org_name: The organization that generated the report (e.g., "google.com", "outlook.com").
- report_id: A unique identifier for this report.
- date_range: The start and end timestamps (Unix epoch) for the reporting period.
Records (rows)
Each record represents a group of messages that share the same source IP, authentication results, and disposition. Key fields:
- source_ip: The IP address that sent the messages. This is the single most important field. It tells you who is actually sending email as your domain.
- count: How many messages this record represents. A count of 500 from a Google IP is normal. A count of 500 from an unknown IP is a problem.
- disposition: What the receiving server did with the messages: none (delivered normally), quarantine (sent to spam), or reject (blocked).
- dkim_result: Whether DKIM authentication passed or failed for this group of messages.
- spf_result: Whether SPF authentication passed or failed.
- header_from: The domain in the From header of the email. This should match your domain.
What to look for
Unknown source IPs
If you see a source IP that does not belong to a service you use, someone may be spoofing your domain. Look up the IP using a WHOIS service to identify the owner. Common legitimate senders include Google (mail servers), Microsoft (Outlook/Exchange), Amazon SES, Postmark, SendGrid, and Mailchimp.
SPF or DKIM failures on legitimate senders
If a known sender (e.g., your company's Google Workspace) is failing SPF or DKIM, something is misconfigured. Common causes:
- SPF record does not include the sender's IP range.
- DKIM signing is not enabled or the DNS key record is missing.
- Email is being forwarded through a server that breaks SPF alignment.
High message counts from unknown sources
A large count value from an unrecognized IP is a strong indicator of domain spoofing. This is exactly the kind of signal DMARC reporting is designed to surface.
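As an added example (not code from the original article or from AcornDMARC), the following Python script parses the metadata and record fields described under "Report structure" from a constructed sample report and then applies the three checks listed under "What to look for". The org_name, report_id, IP addresses and the KNOWN_SENDERS ranges are placeholder values assumed for the demonstration.

```python
import xml.etree.ElementTree as ET
from ipaddress import ip_address, ip_network

# Constructed sample report (not from a real provider): RFC 5737 documentation
# IPs, made-up org_name/report_id. One legitimate sender, one unknown sender.
SAMPLE_REPORT = """<feedback>
 <report_metadata><org_name>example-provider.test</org_name><report_id>constructed-0001</report_id>
  <date_range><begin>1700000000</begin><end>1700086400</end></date_range></report_metadata>
 <record><row><source_ip>192.0.2.10</source_ip><count>500</count><policy_evaluated>
  <disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers></record>
 <record><row><source_ip>198.51.100.77</source_ip><count>500</count><policy_evaluated>
  <disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""

# Assumed: CIDR ranges of the senders you have authorized (placeholder values).
KNOWN_SENDERS = {"assumed-mail-provider": [ip_network("192.0.2.0/24")]}

def parse_report(xml_text):
    """Return (metadata, records) using the field names the article describes."""
    root = ET.fromstring(xml_text)
    meta = root.find("report_metadata")
    metadata = {"org_name": meta.findtext("org_name"),
                "report_id": meta.findtext("report_id"),
                "date_range": tuple(int(meta.findtext("date_range/" + k)) for k in ("begin", "end"))}
    records = []
    for rec in root.findall("record"):
        row = rec.find("row")
        records.append({"source_ip": row.findtext("source_ip"),
                        "count": int(row.findtext("count")),
                        "disposition": row.findtext("policy_evaluated/disposition"),
                        "dkim_result": row.findtext("policy_evaluated/dkim"),
                        "spf_result": row.findtext("policy_evaluated/spf"),
                        "header_from": rec.findtext("identifiers/header_from")})
    return metadata, records

def triage(records, high_count=100):
    """Flag unknown IPs (high-volume ones separately) and auth failures on known senders."""
    issues = []
    for r in records:
        addr = ip_address(r["source_ip"])
        # Known sender label if the IP falls in an authorized range, else None.
        name = next((n for n, nets in KNOWN_SENDERS.items() if any(addr in net for net in nets)), None)
        auth_ok = r["dkim_result"] == "pass" and r["spf_result"] == "pass"
        if name is None:
            issues.append((r["source_ip"], "high-volume unknown source" if r["count"] >= high_count else "unknown source"))
        elif not auth_ok:
            issues.append((r["source_ip"], f"auth failure on known sender {name}"))
    return issues
```

Running `triage(parse_report(SAMPLE_REPORT)[1])` flags only the second record, since the first IP is inside an authorized range and passed both checks.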
Why you should not read these manually
A single aggregate report can contain dozens of records. If you have multiple domains, you receive reports from every provider, every day. The volume of XML makes manual review impractical. AcornDMARC parses every report automatically, extracts the records, and presents the data in a dashboard with pass rates, sender identification, and issue detection.
Frequently asked questions
How often are DMARC aggregate reports sent?
Most major providers (Google, Microsoft, Yahoo) send aggregate reports daily. Some smaller providers send weekly. Reports cover a fixed time window, usually 24 hours.
Why are DMARC reports in XML format?
The DMARC specification (RFC 7489) defines the aggregate report format as XML. This makes reports machine-readable but difficult for humans to parse manually. Tools like AcornDMARC exist specifically to parse this XML and present it in a usable format.
What does disposition 'none' mean in a DMARC report?
Disposition 'none' means the receiving server delivered the email normally without quarantining or rejecting it. This happens when your DMARC policy is set to p=none (monitor mode), or when the message passed authentication.