How to Read DMARC Aggregate Reports?
DMARC aggregate reports can look confusing at first. They come in XML format and include a lot of technical fields that are not easy to understand if you are new to them. But once you look past that, they actually give you very useful information.
A DMARC aggregate report is a daily report sent by email providers. It shows who is sending emails from your domain and whether those emails pass authentication checks such as SPF and DKIM.
Learning how to read DMARC reports helps you spot unknown senders, catch spoofing attempts, and fix issues early. It also helps improve your email deliverability, so your genuine emails land in inboxes instead of spam. Once you start understanding DMARC reports, you get much better control over your domain's email security and reputation. If you're still setting things up, start with what a DMARC record is and how it works.
What is a DMARC Aggregate Report
A DMARC aggregate report is a daily report that gives you a summary of all emails sent using your domain. To start receiving DMARC aggregate reports, you need to implement DMARC and add an email address in the rua tag where reports will be sent.
For example:
v=DMARC1; p=none; rua=mailto:[email protected]Once you publish this record, email providers like Gmail and Outlook will start sending you daily aggregate reports automatically. These are usually in XML format and provide a high-level overview of your email activity. You can see how many emails were sent, how many passed or failed authentication, and why some emails were not delivered. Unlike failure reports, which focus on individual issues, DMARC aggregate reports help you understand overall email traffic and spot potential problems. To learn what each tag means, see our guide on DMARC tags explained.
Key Sections in a DMARC Aggregate Report
To understand a DMARC aggregate report, you don't need to read everything at once. Just focus on these main sections and what they tell you:
Report Metadata
This section gives you basic information about the report.
- Reporting organization: It tells you who sent the report, like Gmail or Outlook.
- Date range: This section shows which days the data covers, usually one day.
- Report ID: It's just a unique number for that report.
This section helps you keep track of your DMARC reports, but it does not show any email results.
Policy Published
This section shows the rules you have set for your domain. It includes your domain name and how strictly SPF and DKIM should match (called DMARC alignment). You will also see your DMARC policy, which can be none, quarantine, or reject.
Record Section (Most Important)
This is the most useful part of the DMARC aggregate report. It shows what is actually happening with your emails.
- Source IP: It tells you where the emails are coming from.
- Count: This part shows how many emails were sent.
- SPF and DKIM results: These indicate whether the emails passed or failed the checks.
- Disposition: It shows what happened to those emails, like delivered, sent to spam, or rejected.
Step-by-Step: How to Read a DMARC Aggregate Report
Reading a DMARC report becomes much easier when you break it down into simple steps. Here's how you can go through it without feeling overwhelmed.
Step 1: Identify the Sender (Source IP)
Start by checking the source IP address. This tells you where the emails are coming from. If the IP belongs to your email provider, it is expected. If you see unknown IP addresses, it could mean someone else is trying to send emails from your domain.
Step 2: Check Email Volume
Next, look at the count field. It shows how many emails were sent from that source. If the number looks normal, you are fine. If it suddenly looks too high or unusual, it is worth investigating further.
Step 3: Review SPF and DKIM Results
Now check if SPF and DKIM show pass or fail. If both pass, the email is properly authenticated. If one or both fail, there may be a setup issue or a sender that is not correctly configured.
Step 4: Look at Alignment
Alignment simply means the sending domain matches your main domain. If they match, everything is fine. If not, the email can fail DMARC even if SPF or DKIM passes, so this step is important to check carefully.
If you notice failures in Step 3 or Step 4, it could be due to an incorrect DMARC setup. You can use a DMARC Record Checker to quickly identify configuration issues.
Step 5: Check Policy Action (Disposition)
Finally, check what happened to the email. none means nothing was done, quarantine usually sends it to spam, and reject blocks it. If this feels too technical, you can use an online XML report converter and analyzer to see everything in a simple, readable format.
Why Manual Reading Is Hard
Reading DMARC reports manually sounds simple, but it quickly gets frustrating, especially if you are not used to technical data.
First, DMARC reports come in XML format, which is not beginner-friendly at all. You will see long blocks of code-like text that are hard to scan and understand. It is easy to miss important details if you don't know what to look for.
Second, it takes a lot of time to go through each report line by line. If you receive daily reports from multiple providers, it can become overwhelming very quickly.
Because of this, mistakes happen. You might miss unknown senders or failed authentication attempts, which can lead to security risks. A much easier option is to use a tool like EasyDMARC's XML Report Analyzer. It converts complex reports into simple dashboards, so you can quickly see what is happening without digging through raw data.
Read the record rows first
When a report looks overwhelming, jump straight to the record section and scan the source IPs and their SPF/DKIM/disposition columns. That single section answers the two questions that matter most: who is sending as you, and what is happening to those messages.
EasyDMARC Can Do the Heavy Lifting
DMARC reports give you clear visibility into who is sending emails from your domain and what happens to those emails. This gives you better control over your email security and helps you catch issues early.
Once you learn how to read DMARC reports, it becomes much easier to protect your domain from spoofing and improve your email deliverability.
If all of this still feels too technical, you don't have to do it alone. EasyDMARC's toolset can handle the heavy lifting and turn complex reports into simple, easy-to-understand insights. Reach out to our team for further clarity and to get started with DMARC. We can help you achieve full enforcement in just a few weeks.
Frequently Asked Questions
Do DMARC aggregate reports show the actual email content?
No, DMARC aggregate reports do not include email content. They only provide summary data like sender IPs, authentication results, and delivery status. This keeps the reports privacy-friendly while still giving useful insights into your email activity.
How long should I keep DMARC aggregate reports?
It is a good idea to keep DMARC reports for at least a few weeks or months. This helps you track patterns over time, identify recurring issues, and compare improvements as you adjust your DMARC policy or authentication setup.
Can small businesses benefit from DMARC reports?
Yes, even small businesses benefit from DMARC reports. They help you understand who is sending emails from your domain and protect against spoofing, which is especially important if you rely on email for client communication or marketing.
What should I do after finding an unknown sender in a report?
If you see an unknown sender, first verify if it is a legitimate service you forgot to authorize. If not, update your SPF or DKIM settings if needed and consider moving toward a stricter DMARC policy to block unauthorized emails.
Do all email providers send DMARC aggregate reports?
Not all providers send DMARC reports, but many major ones like Gmail and Outlook do. The number and frequency of reports you receive can vary depending on the volume of email traffic your domain receives.