DMARC aggregate reports are the feedback loop that makes DMARC work - but they arrive as dense XML that's hard to read by hand. Here's what's inside one and how to act on it.
What's Inside an Aggregate Report
Every report (defined by RFC 7489) has three parts: metadata identifying who generated it and the date range, the DMARC policy your domain published at the time, and a set of records. Each record represents one source IP that sent mail as your domain, with the message count, the SPF and DKIM results, whether each result aligned with the From domain, and the disposition the receiver applied (delivered, quarantined, or rejected).
The Fields That Matter Most
- Source IP - which server sent the mail. The analyzer resolves its reverse-DNS hostname so you can tell your CRM from an unknown spoofer.
- Count - how many messages that row represents. A failing row sending thousands of messages matters far more than a one-off.
- SPF / DKIM result + alignment - a pass only protects you if it also aligns with your From domain. "Passed but unaligned" is not a DMARC pass.
- Disposition - what actually happened to the mail under your current policy.
Reading Common Scenarios
- Everything aligned and passing. Your legitimate senders are configured correctly - safe to tighten your policy.
- Your own sender passes SPF but is unaligned. Usually a third-party service sending from its own return-path. Fix it with a custom return-path or DKIM signing on your domain.
- An unfamiliar IP sending volume that fails. That's spoofing - exactly what DMARC enforcement blocks.
- SPF PermError. Your SPF record exceeds the 10-lookup limit; AutoSPF flattens it so those rows start passing.
Using Reports to Move From p=none to p=reject
Reports exist so you can reach enforcement safely. Start at p=none and read reports until every legitimate source shows aligned passes. Then move to p=quarantine, watch for fallout, and finally p=reject. The analyzer makes that judgment call for a single report; validate the underlying records with the DMARC checker and SPF checker as you go, and see the full progression in our DMARC guide.
From One Report to Continuous Monitoring
This tool is ideal for inspecting a single report on demand. Once you're receiving dozens per day across multiple domains, reading them one at a time stops scaling - our sister product DMARC Report ingests every aggregate and forensic report automatically and tracks pass rates over time.