How to Read a DMARC Aggregate Report Without Losing Your Mind
Your DMARC record has rua= set. Reports are arriving.
You open one. It's a zipped XML file that looks like this:
<feedback>
  <report_metadata>
    <org_name>Google Inc.</org_name>
    ...
  </report_metadata>
  <record>
    <row>
      <source_ip>209.85.220.41</source_ip>
      <count>142</count>
      <policy_evaluated>
        <dkim>pass</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
  </record>
</feedback>
You close it and never look again.
Here's how to actually read these.
What the Report Contains
Every DMARC report tells you three things:
- Who sent the report (Google, Microsoft, Yahoo)
- Which IPs sent email as your domain
- Whether those emails passed SPF and DKIM
That's it. It's a list of sending IPs with pass/fail results.
The Three Things to Look For
Look for rows where both DKIM and SPF fail. That's either a misconfigured sender or someone spoofing your domain.
Look for unfamiliar IPs. If you don't recognise the IP, find out what it is. Could be a service you forgot, or an attacker.
Look for volume. A spoofing campaign shows up as a high message count from an unknown IP. Even p=none lets you see this happening.
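The three checks above as an added Python example (not code from the original post or from DomainPreflight): it totals messages per source IP, flags IPs where both results fail, and sorts unknown, high-volume senders to the top. The sample report, the KNOWN_SENDERS allowlist and the status labels are constructed for illustration, and the code assumes a report without an XML namespace.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report (documentation-range IPs, not real data).
SAMPLE = """<feedback>
  <report_metadata><org_name>Example Receiver</org_name></report_metadata>
  <record><row><source_ip>192.0.2.10</source_ip><count>142</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>12</count>
    <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>900</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>350</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

KNOWN_SENDERS = {"192.0.2.10", "198.51.100.7"}  # hypothetical list of your own senders

def triage(xml_text, known=KNOWN_SENDERS):
    """Return one summary dict per source IP, worst findings first."""
    # Reports are untrusted third-party input and never need a DTD: refuse entity tricks.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declaration in DMARC report")
    root = ET.fromstring(xml_text)
    totals = defaultdict(lambda: {"count": 0, "both_fail": 0, "one_fail": 0})
    for row in root.iter("row"):
        ip = row.findtext("source_ip", "").strip()
        n = int(row.findtext("count", "0"))
        # A missing or unexpected result is treated as a failure (fail closed).
        dkim = row.findtext("policy_evaluated/dkim", "").strip().lower()
        spf = row.findtext("policy_evaluated/spf", "").strip().lower()
        t = totals[ip]
        t["count"] += n
        if dkim != "pass" and spf != "pass":
            t["both_fail"] += n
        elif dkim != "pass" or spf != "pass":
            t["one_fail"] += n
    out = []
    for ip, t in totals.items():
        status = "both-fail" if t["both_fail"] else "partial" if t["one_fail"] else "aligned"
        out.append({"ip": ip, "known": ip in known, "status": status, **t})
    rank = {"both-fail": 0, "partial": 1, "aligned": 2}
    # Worst status first, then unknown IPs before known ones, then highest volume.
    out.sort(key=lambda r: (rank[r["status"]], r["known"], -r["count"]))
    return out

if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(r)
```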
The Shortcut
Unzip the file. Paste the XML into DomainPreflight's DMARC Report Analyzer.
It turns the XML into a table showing each sending IP, message count, DKIM result, SPF result, and risk level.
Spoofing attempts show as red "Spoofing risk." Misaligned senders show as orange. Clean senders show as green "Aligned."
5 minutes instead of decoding XML.
What to Do With What You Find
All green → you're clean. Consider moving to p=quarantine.
Orange (partial failures) → fix alignment for the failing sender. Use the DMARC provider fix guides.
Red (both fail) → investigate the IP. If it's not a sender you recognise, upgrade to p=reject to block it.
FAQ
Where do DMARC aggregate reports come from?
Google, Microsoft, Yahoo, and other major receivers send daily XML reports to the email in your rua= tag.
How do I get DMARC reports?
Add rua=mailto:dmarc@yourdomain.com to your DMARC TXT record. Reports arrive within 24 hours.
What does a DMARC report actually show?
Which IPs sent email as your domain, how many messages, and whether SPF and DKIM passed for each one.
How do I read DMARC XML?
Use DomainPreflight's DMARC Report Analyzer — paste the XML for a visual summary in seconds.
What should I do if I see a spoofing attempt in the report?
Upgrade your DMARC policy to p=reject. That blocks the spoofed emails from reaching inboxes.