There was a problem loading the comments.

How to Read and Act on DMARC Aggregate Reports

Support Portal  »  Knowledgebase  »  Viewing Article

  Print

Once you publish a DMARC record with a rua address, receiving providers send you daily aggregate reports. These reports are how you discover who is sending email as your domain - both your legitimate services and any spoofers - before you tighten your policy to reject. Here is how to use them.

What the reports contain

Aggregate reports are XML files sent once a day by each major receiver. Each report lists the sending IP addresses that used your domain, how many messages each sent, and whether they passed SPF and DKIM with alignment. They do not contain message content - only authentication outcomes.

Do not try to read the raw XML by hand

The XML is not meant for human reading. Feed the reports into a DMARC monitoring tool or dashboard that parses them and shows sources, volumes, and pass/fail rates in a readable table. This turns a pile of files into a clear picture of your mail flow.

Separate legitimate senders from spoofers

Go through the sources the reports reveal. You will typically find a few legitimate ones - your mail server, a marketing platform, a helpdesk - and possibly unknown IPs sending as you. For each legitimate source that is failing, fix its authentication so it passes SPF or DKIM with alignment. Unknown sources that fail are usually spoofing attempts, which is exactly what DMARC will block once enforced.

Tighten the policy in stages

Start at p=none (monitor only). Once the reports show all your legitimate mail passing, move to p=quarantine so failing mail goes to spam, and finally p=reject so spoofed mail is refused outright. Moving in stages ensures you never block your own legitimate email.

Keep monitoring after enforcement

Even at reject, keep receiving reports. New services you add later need to be authorized, and the reports show you immediately if a legitimate source starts failing.

Our team sets up DMARC monitoring for domains on SoftSys managed VPS plans and guides the move from monitor to enforcement safely, so you stop spoofing without ever losing a legitimate message.


Share via
Did you find this article useful?  

Related Articles

Tags

© Softsys Hosting