DMARC Reports Explained: How to Read Them and Fix What They Reveal

You did the responsible thing and published a DMARC record — and now your inbox is filling with daily attachments full of dense XML you can't read. Most people set up DMARC, see the reports, and quietly ignore them. That's a mistake: those reports are the single best view you'll ever get of who is sending email using your domain, including impersonators.

If you haven't published a DMARC record yet, start with our SPF, DKIM & DMARC guide first — this post assumes you already have rua= reporting turned on.

The two kinds of DMARC report

• Aggregate reports (RUA). Sent daily by mailbox providers, these summarize how much mail claiming to be from your domain they saw, from which IP addresses, and whether it passed SPF and DKIM. This is the one that matters most.
• Forensic reports (RUF). Per-message samples of mail that failed. Far fewer providers send these, and they raise privacy concerns, so most senders rely on aggregate reports alone.

What the XML is actually telling you

Strip away the markup and every aggregate report answers a few simple questions for each source sending as your domain:

• Which IP/server sent mail claiming to be you
• How many messages came from it
• Did SPF pass, and did it align with your "From" domain
• Did DKIM pass, and did it align
• What the receiver did based on your policy

The key word is alignment. A message can pass raw SPF or DKIM but still fail DMARC if the authenticated domain doesn't match the domain in the visible "From" address. Reports that show "pass" on authentication but "fail" on alignment are the most common source of confusion.

Reading them without drowning in XML

You don't parse these by hand. Point your rua= address at a DMARC report processor (many offer a free tier) that ingests the XML and renders it as a dashboard: sources grouped, pass/fail rates charted, unknown senders flagged. Once it's visual, three patterns jump out:

• Known senders passing. Your email provider, marketing tool, and support desk all showing green — good.
• Known senders failing. A legitimate tool you forgot to authenticate. Add it to SPF or enable DKIM for it, and the failures clear.
• Unknown senders. IPs you don't recognize sending as your domain — often spoofers or a compromised account. This is exactly what DMARC was built to expose.

From monitoring to enforcement

The whole point of reading reports is to safely tighten your policy. Start at p=none and watch until every legitimate sender passes and aligns. Then move to p=quarantine (failing mail goes to spam) and finally p=reject (failing mail is blocked outright). At p=reject, spoofers can no longer deliver mail in your name — but only once you're confident your real senders all pass, which is exactly what the reports confirm. Jump to reject too early and you'll block your own email.

The gap reports leave open

DMARC reports tell you about authentication and spoofing — but they say nothing about whether you've been blacklisted, which can tank delivery even when every DMARC check passes. They're also lagging: you're reading yesterday's mail. To see your full sending health in one place right now, run your domain through the free email checker, which covers SPF, DKIM, DMARC, and blacklist status together.

And because all of it drifts — a new tool breaks alignment, a key rotates, a domain gets listed — Zeqo Mail re-checks your domain every day and alerts you the moment something changes. For the bigger picture on why mail still misses the inbox, see the real reasons email lands in spam.