How to Interpret DMARC Reports

DMARC reports provide visibility into who is sending email on behalf of your domain and whether authentication checks are passing or failing.

They are a critical tool when moving from monitoring with p=none toward stronger enforcement policies.

Without reviewing DMARC reports, it is difficult to safely enforce policies such as quarantine or reject.

DMARC defines two main types of reports: aggregate (RUA) and forensic (RUF).

Aggregate reports provide summaries of authentication results from receiving servers, typically grouped by source IP and sending system.

Forensic reports provide detailed information about individual message failures, although they are less commonly used.

Most DMARC analysis focuses on aggregate reports due to their broader visibility and lower volume.

• Legitimate sending services that are not properly configured
• Third-party platforms sending on your behalf without alignment
• Spoofing attempts from unauthorised sources
• Forwarding behaviour that breaks authentication
• Unexpected infrastructure or routing paths

DMARC does not just check whether SPF or DKIM pass. It checks whether they are aligned with the domain in the From header.

Alignment means the authenticated domain matches or is a subdomain of the visible From domain.

A message can pass SPF but still fail DMARC if alignment is not satisfied.

• SPF
• DKIM

To properly interpret DMARC reports, you must understand both SPF and DKIM alignment behaviour.

• Group results by sending source such as IP or service
• Identify known legitimate senders such as Microsoft 365 or marketing platforms
• Check whether SPF or DKIM is passing and aligned
• Investigate any failing sources to determine legitimacy
• Distinguish between misconfiguration and malicious activity
• Track trends over time rather than relying on a single report

Legitimate senders typically correspond to known services such as email platforms, CRM systems, or internal infrastructure.

If a known service appears but is failing DMARC, it usually indicates a configuration issue rather than malicious activity.

Unknown sources, especially those consistently failing authentication, may represent spoofing attempts.

Careful analysis is required because not all failures are attacks, and not all passes are trustworthy without context.

• Ignoring DMARC reports after enabling monitoring
• Moving to reject without understanding legitimate senders
• Assuming every failure is malicious rather than misconfigured
• Focusing only on SPF and ignoring DKIM alignment
• Not accounting for forwarding scenarios that break SPF

Once all legitimate senders are identified and correctly configured to pass DMARC alignment, you can begin moving toward enforcement.

A typical progression is p=none to p=quarantine to p=reject.

This should be done gradually, monitoring reports at each stage to ensure no legitimate traffic is impacted.

Jumping directly to reject without proper analysis can result in valid email being blocked.

DMARC reports are typically delivered as XML files, which can be difficult to interpret manually.

Using analysis tools can help visualise sending sources, authentication results, and trends.

• DMARC Checker

DNS tools can help validate DMARC records alongside SPF and DKIM configuration, while dedicated DMARC parsers can simplify report analysis.

DMARC depends on correctly configured underlying authentication mechanisms.

• How to check an SPF record
• How to check a DKIM record
• How to fix DMARC failures
• Reverse DNS
• MTA-STS

You should ensure SPF is valid and within lookup limits and DKIM selectors are correctly published. Reviewing reverse DNS and MTA-STS also helps build a complete email security posture.

If you want to validate this topic in practice, these DNS Pro tools are the fastest next step.

• DMARC Checker
• Email Security Check
• Email Header Analysis
• How to Fix DMARC Failures