Understanding DMARC Reports

Learn how to read and interpret DMARC reports

DMARC reports can seem overwhelming at first, but this guide breaks down everything you need to know.

Report Basics

What is a DMARC Report?

A DMARC report is an XML file (or summary email) that shows:

  • Who sent emails claiming to be from your domain
  • Whether they passed authentication (SPF/DKIM)
  • What action was taken (none/quarantine/reject)

Report Types

Aggregate Reports (RUA)

  • Sent daily (or weekly depending on settings)
  • Summary of all email activity
  • Shows pass/fail counts

Forensic Reports (RUF)

  • Sent immediately when failures occur
  • Detailed information about failed messages
  • Helps identify issues quickly

DMARC Nerd sends both automatically!

Reading Your Report

Key Metrics

DMARC Pass Rate

  • Percentage of emails that passed DMARC
  • Goal: 100%
  • Below 100% indicates alignment or authentication issues

SPF Status

  • Pass - Email server is authorized
  • Fail - Email server is not authorized
  • Neutral - SPF record missing or misconfigured

DKIM Status

  • Pass - Email signature is valid
  • Fail - Signature missing or invalid
  • Neutral - DKIM not configured

Alignment

  • Strict - Domain must exactly match
  • Relaxed - Subdomains allowed
  • Current setting shown in your policy

Understanding Failures

Common Reasons for Failures:

  1. Unauthorized Senders

    • Third-party email services (Mailchimp, SendGrid, etc.)
    • Solution: Add their servers to SPF record
  2. Missing SPF Record

    • No SPF record configured
    • Solution: Add SPF record listing authorized servers
  3. Missing DKIM

    • Email not digitally signed
    • Solution: Configure DKIM for your email provider
  4. Policy Too Strict

    • Alignment set to “strict”
    • Solution: Use “relaxed” alignment or adjust policy
  5. Spoofing Attempts

    • Attackers using your domain
    • Solution: Keep DMARC policy at “quarantine” or “reject”

Actions Taken

None (p=none)

  • Email delivered normally
  • Reports generated for monitoring
  • No protection active
  • Good for initial monitoring

Quarantine (p=quarantine)

  • Failed emails go to spam
  • Legitimate mail may be caught
  • Good for testing before full enforcement

Reject (p=reject)

  • Failed emails are bounced
  • Most secure option
  • Use only after full testing

Taking Action

Step 1: Review Your Report

  1. Log in to DMARC Nerd
  2. Check your latest report
  3. Look for high pass rates and low fail rates

Step 2: Identify Issues

  • Are there legitimate senders failing?
  • Do you recognize the sending sources?
  • Are you seeing spoofing attempts?

Step 3: Fix Problems

If legitimate senders are failing:

  • Update SPF record to include their servers
  • Enable DKIM for their service
  • Relax alignment settings if needed

If you’re seeing spoofing:

  • Move policy from “none” to “quarantine”
  • Eventually move to “reject”
  • Monitor email delivery to ensure no false positives

Step 4: Monitor Progress

  • Check reports weekly
  • Adjust settings as needed
  • Look for trends over time

Common Questions

Q: Is a 99% pass rate OK?
A: No, aim for 100% for legitimate mail. The 1% likely indicates issues to fix.

Q: What do I do with forensic reports?
A: Review them for signs of spoofing or unauthorized use. Report security issues to your team.

Q: How long until reports are accurate?
A: Usually 1-2 weeks. Email systems need time to process your DMARC record.

Q: Can I have multiple DMARC records?
A: No, only one DMARC record per domain. Only the first one is used.

Q: What’s the difference between subdomains?
A: You can have separate DMARC policies for subdomains like mail.yourdomain.com.

Next Steps

  • Set up all required SPF and DKIM records
  • Review your first 1-2 weeks of reports
  • Gradually move from “none” → “quarantine” → “reject”
  • Monitor for spoofing attempts
  • Contact us if you need help interpreting your specific reports!