How to read DMARC reports
DMARC aggregate reports can look intimidating because they arrive as XML, often from many receivers at once. Once you know the key fields, they become one of the most useful sources of visibility in email operations.
What aggregate reports show
They summarise mail claiming to come from your domain, often grouped by source IP, authentication results and policy disposition.
What to look for
- Unexpected sending IPs
- Legitimate vendors failing alignment
- Traffic using the wrong return-path domain
- Repeated unauthenticated spoof attempts
Turn reports into action
- Identify known senders.
- Fix alignment for legitimate vendors.
- Remove or quarantine unknown sources.
- Increase DMARC policy only when the report picture is understood.
Using tools
Most teams eventually use a parser or DMARC analysis service because raw XML becomes tedious quickly at scale. Even so, it helps to understand the data model yourself.