Last updated: 5 April 2021
When you add a DMARC record for your domain, you can choose to receive aggregate reports, failure reports, or both. This article explains what information is included in the reports.
Aggregate reports are sent daily and provide information about emails sent from your domain in the last 24 hours. The reports are sent as XML files, which means that you get raw data rather than a pretty report.
If you are not familiar with XML, it is a language that uses tags to structure data. XML files are typically processed using a script that extracts and formats the data. For instance, you can use a custom PHP or Python script to process the data (and perhaps store it in a database). There are also services available online (both commercial and free services).
To give you an idea of what information an aggregate report contains, the DMARC website provides the following example report:
1. <?xml version="1.0" encoding="UTF-8" ?>
2. <feedback>
3. <report_metadata>
4. <org_name>acme.com</org_name>
5. <email>noreply-dmarc-support@acme.com</email>
6. <extra_contact_info>http://acme.com/dmarc/support</extra_contact_info>
7. <report_id>9391651994964116463</report_id>
8. <date_range>
9. <begin>1335571200</begin>
10. <end>1335657599</end>
11. </date_range>
12. </report_metadata>
13. <policy_published>
14. <domain>example.com</domain>
15. <adkim>r</adkim>
16. <aspf>r</aspf>
17. <p>none</p>
18. <sp>none</sp>
19. <pct>100</pct>
20. </policy_published>
21. <record>
22. <row>
23. <source_ip>72.150.241.94</source_ip>
24. <count>2</count>
25. <policy_evaluated>
26. <disposition>none</disposition>
27. <dkim>fail</dkim>
28. <spf>pass</spf>
29. </policy_evaluated>
30. </row>
31. <identifiers>
32. <header_from>example.com</header_from>
33. </identifiers>
34. <auth_results>
35. <dkim>
36. <domain>example.com</domain>
37. <result>fail</result>
38. <human_result></human_result>
39. </dkim>
40. <spf>
41. <domain>example.com</domain>
42. <result>pass</result>
43. </spf>
44. </auth_results>
45. </record>
46. </feedback>
Aggregate reports contain three main sections:
The report_metadata section (lines 3 to 12) contains details about the report itself, such as the report ID and the start and end date of the report. The dates are shown in Unix epoch time, which is the number of seconds that have elapsed since 1 January 1970. You can convert the time to a more human-friendly format via epochconverter.com.
Next up is the policy_published section (lines 13 to 20). This shows the DMARC policy that was used by the receiving servers. The information should match the policy defined in your DMARC record. Having this information in the report is particularly useful if you change the DMARC policy for your domain – the information will show if the changes have been picked up.
The record section (lines 21 to 45) contains information about emails that have been received from your domain. This section includes the following information:
Although you can open XML files in a text editor and read them line by line, you probably want to use a tool that turns the data into a human-readable report. There are various third-party tools available. As these services are provided by third parties we can’t make any recommendations, but a quick online search should yield plenty of results.
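As an added example (not part of the original article or the DMARC website), here is one way a custom Python script could process the report shown above: it converts the epoch dates to UTC, reads the published policy, and summarises each record. The names parse_report, utc and SAMPLE are this example's own, the sample is the article's report condensed onto fewer lines with the contact fields left out, and the DOCTYPE check is an added precaution because reports come from outside mail receivers.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# The article's example report, condensed (contact fields omitted, same values).
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
<report_metadata><org_name>acme.com</org_name><report_id>9391651994964116463</report_id>
<date_range><begin>1335571200</begin><end>1335657599</end></date_range></report_metadata>
<policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
<p>none</p><sp>none</sp><pct>100</pct></policy_published>
<record><row><source_ip>72.150.241.94</source_ip><count>2</count>
<policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf>
</policy_evaluated></row><identifiers><header_from>example.com</header_from></identifiers>
<auth_results><dkim><domain>example.com</domain><result>fail</result></dkim>
<spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
</feedback>"""

def utc(epoch):  # Unix epoch seconds (as text) -> ISO 8601 UTC timestamp
    return datetime.fromtimestamp(int(epoch), tz=timezone.utc).isoformat()

def parse_report(data):
    # A DMARC report never needs a DTD; this byte-level guard (assumes an
    # ASCII-compatible encoding) rejects entity declarations before parsing.
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        raise ValueError("DTD or entity declaration in report; refusing to parse")
    root = ET.fromstring(data)
    meta, pol = root.find("report_metadata"), root.find("policy_published")
    report = {
        "org": meta.findtext("org_name"), "report_id": meta.findtext("report_id"),
        "begin": utc(meta.findtext("date_range/begin")),
        "end": utc(meta.findtext("date_range/end")),
        "policy": {k: pol.findtext(k) for k in ("domain", "p", "sp", "pct")},
        "records": [],
    }
    for rec in root.iter("record"):
        ev = rec.find("row/policy_evaluated")
        dkim, spf = ev.findtext("dkim"), ev.findtext("spf")
        report["records"].append({
            "source_ip": rec.findtext("row/source_ip"), "count": int(rec.findtext("row/count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "disposition": ev.findtext("disposition"), "dkim": dkim, "spf": spf,
            # DMARC passes when at least one of the evaluated checks passes.
            "dmarc_pass": "pass" in (dkim, spf),
        })
    return report

if __name__ == "__main__":
    for rec in parse_report(SAMPLE)["records"]:
        print(rec)
```

For the sample, the single record passes DMARC through SPF even though DKIM failed, which is the kind of row worth following up on when it comes from one of your own sending sources.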
Failure reports (also known as forensic reports) contain additional information, including the email’s subject line and any URLs in the email. They are sent whenever there is a DMARC failure, and they are sent in plain text rather than XML (i.e. the reports are easy to read).