When you add a DMARC record for your domain you can choose to receive aggregate reports and/or failure reports. This article explains what information you will find in the reports.

Aggregate reports

Aggregate reports are sent daily and provide information about emails sent from your domain in the last 24 hours. The reports are sent as XML files, which means that you get raw data rather than a pretty report.

If you are not familiar with XML, it is a language that uses tags to structure data. XML files are typically processed using a script that extracts and formats the data. For instance, you can use a custom PHP or Python script to process the data (and perhaps store it in a database). There are also online services available, both commercial and free.

To give you an idea of what information an aggregate report contains, the DMARC website provides the following example report:


1.  <?xml version="1.0" encoding="UTF-8" ?>
2.  <feedback>
3.    <report_metadata>
4.      <org_name>acme.com</org_name>
5.      <email>noreply-dmarc-support@acme.com</email>
6.      <extra_contact_info>http://acme.com/dmarc/support</extra_contact_info>
7.      <report_id>9391651994964116463</report_id>
8.      <date_range>
9.        <begin>1335571200</begin>
10.       <end>1335657599</end>
11.     </date_range>
12.   </report_metadata>
13.   <policy_published>
14.     <domain>example.com</domain>
15.     <adkim>r</adkim>
16.     <aspf>r</aspf>
17.     <p>none</p>
18.     <sp>none</sp>
19.     <pct>100</pct>
20.   </policy_published>
21.   <record>
22.     <row>
23.       <source_ip>72.150.241.94</source_ip>
24.       <count>2</count>
25.       <policy_evaluated>
26.         <disposition>none</disposition>
27.         <dkim>fail</dkim>
28.         <spf>pass</spf>
29.       </policy_evaluated>
30.     </row>
31.     <identifiers>
32.       <header_from>example.com</header_from>
33.     </identifiers>
34.     <auth_results>
35.       <dkim>
36.         <domain>example.com</domain>
37.         <result>fail</result>
38.         <human_result></human_result>
39.       </dkim>
40.       <spf>
41.         <domain>example.com</domain>
42.         <result>pass</result>
43.       </spf>
44.     </auth_results>
45.   </record>
46. </feedback>

Report sections

Aggregate reports contain three main sections:

Report metadata

The report_metadata section (lines 3 to 12) contains details about the report itself, such as the report ID and the start and end date of the report. The dates are shown in Unix epoch time, which is the number of seconds that have elapsed since the start of 1 January 1970 (UTC). You can convert the time to a more human-friendly format via epochconverter.com.

The DMARC policy

Next up is the policy_published section (lines 13 to 20), which shows the DMARC policy that was used by the receiving servers. This should be the same information that is shown in your DMARC TXT record. Having this information in the report is particularly useful if you change the DMARC policy for your domain – the information will show if the changes have been picked up.

Record data

The record section (lines 21 to 45) contains information about emails that have been received from your domain. This section includes the following information:

  • The sender’s IP address
  • The number of emails sent from the IP address
  • The policy that was applied (none, quarantine or reject)
  • The result of the DKIM check (pass or fail)
  • The result of the SPF check (pass or fail)
  • The “From:” header

Making DMARC reports readable

Although you can open XML files in a text editor and read them line by line, you probably want to use a tool that turns the data into a readable report. There are various third-party tools available. As these services are provided by third parties we can’t make any recommendations, but a quick online search should yield plenty of results.

Failure reports

Failure reports (also known as forensic reports) contain additional details, such as the email’s subject line and any URLs in the email. They are sent whenever there is a DMARC failure, and they are sent in plain text rather than XML (i.e. the reports are easy to read).