How to read a DMARC report (the right way)

Learn what DMARC reports are, how to extract valuable information from them, and how to use those insights to improve your email security.

DMARC (Domain-based Message Authentication, Reporting, and Conformance) reports monitor the health of your email authentication setup. These reports provide detailed insights into which emails pass or fail DMARC to help you find potential vulnerabilities and unauthorized email activities.

However, reading these reports can feel like reading a technical manual in a foreign language. They’re notoriously complex and overwhelming at first glance, and you’ll need a bit of hand-holding to know what to look at.

Fortunately, Valimail can help. 

We eat, sleep, and breathe DMARC, and we can help you learn how to read and understand these reports. This article will teach you what DMARC reports are, how to extract valuable information from them, and how to use those insights to improve your email security.

What is a DMARC report?

A DMARC report is a detailed record of email authentication results sent to domain owners. These reports help you understand how recipient servers handle your domain’s email and whether the emails pass or fail authentication checks. DMARC reports are your eyes and ears in the email authentication world, providing insights into the security and legitimacy of your email traffic.

There are two types of DMARC reports:

  1. Aggregate reports
  2. Forensic reports

DMARC aggregate reports (RUA)

Aggregate reports (also known as RUA reports) provide summarized data about email authentication results for your domain over a specific period. These reports include the emails sent, the emails that passed or failed SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) checks, and how these emails were handled based on your DMARC policy.

You’ll typically receive aggregate reports once per day. They help you monitor trends and identify potential issues in your email authentication setup without overwhelming you with too much detail.

DMARC forensic reports (RUF)

Forensic reports (or RUF reports) provide detailed information about individual emails that fail DMARC checks. These reports include specific details such as the email headers, sending IP address, and the reason for failure. Forensic reports are more granular and can be extremely useful for investigating specific incidents of failed authentication.

You’ll typically receive RUF reports in real time or near real time. These reports can be more complex to analyze, but they provide critical insights into specific email failures.

Take it further with Valimail RUF+

Reading DMARC reports already gives you a powerful lens into your email ecosystem. But what if you could go beyond the static data? What if you could get real-time, identity-safe insights into who’s failing authentication and why—without digging through mountains of data or putting PII at risk?

That’s exactly what Valimail RUF+ delivers.

RUF+ is the most effective, timely, and secure way to pinpoint failing sending services, discover service owners, and diagnose issues faster—so you can accelerate your journey to full DMARC enforcement.

With RUF+, you still get all the advantages of traditional DMARC forensic (RUF) reports, but without the messy compliance headaches or clunky formats. You’ll gain unprecedented insights into failing authentication across your domain, helping you protect your brand, accelerate enforcement, and secure your email environment faster than ever.

Why DMARC reports matter

DMARC reports play an important role in maintaining email security and compliance:

  • Visibility into email authentication: DMARC reports show how different email providers authenticate your emails. This visibility helps you proactively identify and address authentication issues.
  • Identifying unauthorized use: Analyzing DMARC reports helps you detect unauthorized use of your domain. This lets you take action to prevent phishing and spoofing attacks that can damage your reputation and compromise your security.
  • Improving deliverability: Getting your legitimate emails to pass DMARC checks improves your email deliverability rates. Email providers are more likely to deliver authenticated emails to the inbox than the spam folder.
  • Compliance and monitoring: DMARC reports help you maintain compliance with email authentication standards and monitor the effectiveness of your DMARC policy. Regular review and analysis of these reports can guide necessary adjustments and improvements.

Let’s take a look at each of these reports in more detail and break down how to read them to extract insights.

Understanding DMARC aggregate reports

Header information

The header section of a DMARC aggregate report contains basic information about the report itself. This includes the version of the report, the reporting organization, and the date range covered.

  • Fields:
    • Report ID: A unique identifier for the report.
    • Date Range: The period the report covers, usually 24 hours.
    • Org Name: The organization that generated the report, typically an email service provider or a large email receiver.

Policy evaluated

This section outlines the DMARC policy applied to the emails covered in the report. Policies can be “none” (monitoring only), “quarantine” (suspicious emails are moved to the spam folder), or “reject” (unauthorized emails are blocked).

  • Fields:
    • Domain: The domain for which the policy is being evaluated.
    • Policy: The applied DMARC policy (none, quarantine, reject).
    • Subdomain Policy: Specific policies for subdomains, if applicable.

SPF and DKIM alignment

SPF and DKIM alignment results indicate whether the domains authenticated by SPF and DKIM match the domain in the email’s “From” header.

  • Fields:
    • SPF Result: Pass or fail status for SPF checks.
    • DKIM Result: Pass or fail status for DKIM checks.
    • Alignment: Whether the SPF and DKIM checks align with the “From” domain.

How emails were handled

This section describes the final action taken on the emails based on the DMARC policy.

  • Fields:
    • Delivered: Emails that passed authentication and were delivered to the inbox.
    • Quarantined: Emails flagged as suspicious and moved to the spam folder.
    • Rejected: Emails that failed authentication and were blocked.

Reporting organization

Details about the entity generating the report, such as an email provider or security organization.

  • Fields:
    • Organization Name: Name of the reporting entity.
    • Contact Information: Email or other contact details for follow-up.

SPF and DKIM results

Each email is checked against your SPF and DKIM records. A “pass” means the email was sent from an authorized server, while a “fail” indicates it wasn’t. Consistent failures suggest misconfigurations or unauthorized use.

  • Fields:
    • SPF and DKIM Pass/Fail Counts: Track the number of emails passing and failing each check.
    • Failure Reasons: Understand why emails are failing to address specific issues.
  • Spotting Alignment Issues: Alignment issues occur when the “From” domain doesn’t match the domains specified in SPF or DKIM records. Look for patterns in failed alignment to identify problematic senders or configurations.
  • Unauthorized Sending Sources: Identify IP addresses or domains sending unauthorized emails using your domain. These are potential security threats that need to be addressed.

Volume analysis

Look at the volume of emails over time to spot trends. Sudden spikes or drops can indicate changes in your email traffic or potential security incidents.

  • Fields to Analyze:
    • Total Email Volume: Compare the total volume of emails day-to-day.
    • Authenticated vs. Failed Volume: Analyze the proportion of authenticated emails versus those that failed.
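
As an added example (not Valimail's code or part of the original article), this Python function reads the sections described above from an aggregate report in the RFC 7489 XML schema and tallies DMARC pass/fail volume per source IP. The embedded report is constructed, and `summarize_rua` is a hypothetical name.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate (RUA) schema; the domains and
# documentation-range IPs are placeholders, not data from a real report.
SAMPLE_RUA = """<feedback>
 <report_metadata><org_name>receiver.example</org_name>
  <report_id>r-0001</report_id>
  <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
 </report_metadata>
 <policy_published><domain>example.com</domain><p>none</p><sp>none</sp></policy_published>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>120</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
   <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>203.0.113.7</source_ip><count>15</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>bulk-sender.example</domain><result>pass</result></spf></auth_results>
 </record>
</feedback>"""

def summarize_rua(xml_text):
    """Return report header fields plus per-source-IP DMARC pass/fail counts."""
    root = ET.fromstring(xml_text)
    summary = {
        "org": root.findtext("report_metadata/org_name"),
        "report_id": root.findtext("report_metadata/report_id"),
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "sources": defaultdict(lambda: {"pass": 0, "fail": 0, "unaligned_spf": set()}),
    }
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        ev = rec.find("row/policy_evaluated")
        # DMARC passes when either the aligned SPF or the aligned DKIM result passes.
        ok = "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        src = summary["sources"][ip]
        src["pass" if ok else "fail"] += count
        # Raw SPF can pass for another domain while the aligned result fails.
        for spf in rec.iterfind("auth_results/spf"):
            if spf.findtext("result") == "pass" and ev.findtext("spf") != "pass":
                src["unaligned_spf"].add(spf.findtext("domain"))
    return summary
```

Aggregate reports arrive from third parties, so treat the XML as untrusted input; `defusedxml.ElementTree.fromstring` is a drop-in replacement for the parser call.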

Understanding DMARC forensic reports

Detailed email information

Forensic reports contain detailed information about each email that failed DMARC authentication.

  • Fields:
    • Message ID: A unique identifier for the email.
    • Timestamp: The date and time the email was received.
    • Source IP: The IP address from which the email was sent.
    • Envelope From: The return-path email address.

Headers and body

Headers provide important information about the email’s path and authentication status.

  • Fields:
    • From Header: The “From” address visible to the recipient.
    • DKIM Signature: Details of the DKIM signature, if present.
    • SPF Result: The result of the SPF check.
    • DMARC Result: The overall DMARC check result.
    • Email Body: The content of the email body, which can help identify phishing attempts or malicious content.

Failure reason

Forensic reports detail why the email failed DMARC checks.

  • Fields:
    • SPF Failure: Indicates whether the email failed the SPF check.
    • DKIM Failure: Indicates whether the email failed the DKIM check.
    • Alignment Failure: Details if the “From” address did not align with the authenticated domains.

How to use forensic reports

  1. Identify the problem: Examine the failure reason to understand why the email didn’t pass DMARC checks.
  2. Trace the source: Use the Source IP and Envelope From information to trace the origin of the email. Check if the sending IP is authorized to send emails on behalf of your domain.
  3. Analyze headers: Review the email headers to identify discrepancies and potential signs of spoofing or misconfiguration.
  4. Examine the body: Look for suspicious content in the email body that might indicate phishing or malicious intent.
  5. Resolve configuration issues: Address any SPF or DKIM misconfigurations that caused the failure. Update your DNS records as necessary.
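
The triage steps above, as an added example that is not part of the original article: a Python function that pulls the failure type, source IP, Envelope From and header From out of a forensic report in the RFC 6591 format. The report is constructed and trimmed, and `triage_ruf` and `authorized_ips` (the IPs you have authorized to send for the domain) are hypothetical names.

```python
from email import message_from_string
from email.parser import HeaderParser
from email.utils import parseaddr

# Constructed RFC 6591 auth-failure report; every address and IP is a placeholder.
SAMPLE_RUF = """\
From: noreply@receiver.example
Content-Type: multipart/report; report-type=feedback-report; boundary="b1"

--b1
Content-Type: text/plain

A message claiming to be from example.com failed DMARC.
--b1
Content-Type: message/feedback-report

Feedback-Type: auth-failure
Auth-Failure: dmarc
Source-IP: 203.0.113.7
Original-Mail-From: bounce@bulk-sender.example

--b1
Content-Type: text/rfc822-headers

From: Billing <billing@example.com>
Message-ID: <abc123@bulk-sender.example>

--b1--
"""

def triage_ruf(raw, authorized_ips):
    """Extract the fields the triage steps rely on from one forensic report."""
    fields = original = None
    for part in message_from_string(raw).walk():
        ctype = part.get_content_type()
        if ctype == "message/feedback-report":
            # The stdlib parser may nest a message/* body as a sub-message.
            fields = part.get_payload(0) if part.is_multipart() \
                else HeaderParser().parsestr(part.get_payload())
        elif ctype == "text/rfc822-headers":
            original = HeaderParser().parsestr(part.get_payload())
    if fields is None or original is None:
        raise ValueError("not a complete auth-failure report")
    env_dom, from_dom = (parseaddr(v)[1].rsplit("@", 1)[-1].lower()
                         for v in (fields["Original-Mail-From"], original["From"]))
    # Strict comparison only; relaxed alignment compares organizational domains.
    return {"failure": fields["Auth-Failure"], "source_ip": fields["Source-IP"],
            "ip_authorized": fields["Source-IP"] in authorized_ips,
            "envelope_domain": env_dom, "from_domain": from_dom,
            "spf_domain_aligned": env_dom == from_dom}
```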

Solutions and tips for reading DMARC reports

DMARC reports can be simplified with the right tools and practices. Here are some automated tools, manual analysis tips, and best practices to help you read and use DMARC reports.

Automated DMARC solutions

Valimail Monitor is a powerful tool designed to simplify the reading and interpretation of DMARC reports. It automates the collection and analysis of DMARC data, providing clear, actionable insights:

  • Real-time monitoring: Get up-to-date information on your email authentication status.
  • Detailed reports: Access comprehensive reports that highlight key metrics and potential issues.
  • User-friendly interface: Navigate through the data easily with an intuitive interface designed for both technical and non-technical users.

Manual analysis tips

  • Importing reports: Export DMARC reports to CSV format and import them into a spreadsheet application like Excel or Google Sheets.
  • Data segmentation: Use columns to segment data by date, sending IP, SPF/DKIM results, and disposition.
  • Pivot tables: Create pivot tables to summarize and analyze data trends.
  • Conditional formatting: Use conditional formatting to highlight failed authentication attempts or other anomalies.

Pattern analysis

  • Volume patterns: Look for unusual spikes or drops in email volume that might indicate an issue.
  • Failure patterns: Identify recurring IP addresses or domains that frequently fail authentication checks.
  • Alignment issues: Watch for patterns in alignment failures to identify misconfigurations or unauthorized use.
  • Sender analysis: Track the performance of different senders to ensure they are correctly authenticated.
  • Trend analysis: Regularly analyze trends to identify long-term issues and improvements.
  • Scheduled reviews: Establish a regular schedule for reviewing DMARC reports, such as weekly or monthly.
  • Audit logs: Maintain audit logs of your reviews to track changes and improvements over time.

Get more from your DMARC reports with Valimail

Reading and interpreting DMARC reports keeps your email domain secure. They help you spot authentication issues, stop unauthorized use of your domain, and guarantee your emails reach the right people. However, let’s face it—manually digging through DMARC reports can be a nightmare (especially if you do it day after day after day).

Fortunately, we can help.

Valimail Monitor takes the stress out of DMARC reporting, giving you clear, actionable insights without the hassle. Here’s how Valimail Monitor can help:

  • Automate data collection: Forget about manually gathering reports. Valimail Monitor automates this process, so you always have the latest info at your fingertips.
  • Gain real-time insights: Stay on top of potential issues with real-time monitoring. You’ll always know the current state of your email authentication.
  • Identify and resolve issues quickly: Detailed reports and custom alerts make it easy to spot and quickly fix misconfigurations and unauthorized senders.
  • Improve email deliverability: Refine your DMARC policies based on comprehensive report analysis to guarantee your emails land in the right inboxes.

Don’t leave your email security up to chance. Sign up for Valimail Monitor (for free—no credit card required) to get world-class visibility into all services and sending activity from your domains.
