All About DMARC Reports

DMARC is the industry standard for email security. One major benefit of DMARC is receiving daily reports to show you what is happening with emails sent from your domain (or from those impersonating your domain.) However, if you’ve just set up DMARC for your domain, you might be confused by the mess of data hitting your inbox.

---

About DMARC Reports

Once you enable DMARC, reports are sent once a day via email by default. Daily reports are standard so that you can keep track of whether or not emails from your domain pass DMARC.

Beyond that, reports also summarize how many emails were sent, and what actions were taken by the server that received the email.

DMARC reports are delivered in a .xml format. This file contains raw data, which to the untrained eye can look like a giant mess of code. That’s because DMARC reports are not designed to be read by the user. Instead, it is recommended that you upload the .xml file to an aggregator tool which can compile the data for you.

Here is an example DMARC report:

<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
    <report_metadata>
    <org_name>example-biz.com</org_name>
    <email>[email protected]</email>
<extra_contact_info>http://example-biz.com/dmarc/gupport</extra_contact_info>
    <report_id>9391651994964116463</report_id>
    <date_range>
        <begin>1335571200</begin>
        <end>1335657599</end>
    </date_range>
    </report_metadata>
    <policy_published>
        <domain>example-biz.com</domain>
        <adkim>r</adkim>
        <aspf>r</aspf>
        <p>none</p>
        <sp>none</sp>
        <pct>100</pct>
    </policy_published>
    <record>
        <row>
            <source_ip>203.0.113.209</source_ip>
            <count>2</count>
            <policy_evaluated>
                <disposition>none</disposition>
                <dkim>fail</dkim>
                <spf>pass</spf>
            </policy_evaluated>
        </row>
        <identifiers>
            <header_from>example-biz.com</header_from>
        </identifiers>
        <auth_results>
            <dkim>
                <domain>example-biz.com</domain>
                <result>fail</result>
                <human_result></human_result>
            </dkim>
            <spf>
                <domain>example-biz.com</domain>
                <result>pass</result>
            </spf>
        </auth_results>
    </record>
</feedback>

---

Do I need to receive DMARC emails?

Getting hundreds (or thousands) of reports every day can quickly become overwhelming. Monitoring every instance of potentially fraudulent activity by hand is nearly impossible. That’s why Google recommends using a third party provider to aggregate your reports. 

Smart tools such as OnDMARC make it easy by compiling all the important information into easy-to-read summaries. That way, you don’t have to waste time going through each raw report manually. OnDMARC will store, analyze, and summarize your reports automatically. 

---

Why Google recommends using a third party provider:

• Digestible Data: Aggregation tools distill complex data into simple, concise formats so IT departments and business leaders can quickly understand threats to their domain’s email.
• Time Efficiency: Instead of sifting through raw reports yourself, these tools do the heavy lifting, allowing you to focus on strategic, big-picture security decisions.
• Improved Security: With automatic recognition of email threats, you can proactively secure your domain against potential breaches.
• Comprehensive Analytics: Tools like OnDMARC provide insights into email flows, rejected messages, and authentication failures to give you a holistic view of email security operations.
• Automated Feedback: Automate the detection of unauthorized use of your domain, allowing you to immediately act against fraud attempts.