Understanding and troubleshooting DMARC reports from Google and Yahoo

A minimalist illustration of a secure email with a shield, symbolizing DMARC protection.

If you've recently set up DMARC for your domain, you've probably noticed something new in your inbox: a daily stream of emails with cryptic XML attachments. These are your DMARC aggregate reports, sent from providers like Google and Yahoo. Since their new requirements took effect, understanding these reports has become absolutely essential for anyone sending email.

At first glance, these files are completely unreadable to the human eye. It's just a wall of code. This often leads to the question I see on forums all the time: what am I supposed to do with these DMARC reports? The answer is that they contain a goldmine of information about your email sending activity, both legitimate and fraudulent. They tell you who is sending email on your behalf and whether that email is passing authentication.

The purpose of these reports isn't just to inform you, but to empower you. By analyzing the data, you can identify unauthorized senders, fix authentication issues with your legitimate services, and confidently move towards a stricter DMARC policy like p=quarantine or p=reject. In this guide, I'll walk you through how to interpret what Google and Yahoo are telling you and what steps to take to resolve common problems.

Decoding the contents of a DMARC report

DMARC aggregate reports, or RUA reports, are sent in a machine-readable format called XML. While a DMARC analyzer is the best way to parse this information, it's helpful to understand the basic structure. Each report contains metadata about the reporting organization (like Google) and the date range it covers. More importantly, it lists every IP address that sent email claiming to be from your domain.

Simplified DMARC XML Report

<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <date_range>
      <begin>1672531200</begin>
      <end>1672617599</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>yourdomain.com</domain>
    <p>none</p>
    <sp>none</sp>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>209.85.220.41</source_ip>
      <count>15</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>yourdomain.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>yourdomain.com</domain>
        <result>pass</result>
      </dkim>
      <spf>
        <domain>yourdomain.com</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
</feedback>

For each sending IP, the report shows a count of messages and the authentication results. The key section is <policy_evaluated>, which tells you if the messages passed or failed SPF and DKIM checks from DMARC's perspective. It also shows the <disposition>, which is the policy that was applied (none, quarantine, or reject). This information helps you understand what messages are passing and which are not.

Finally, the <auth_results> section gives you the raw SPF and DKIM results, including the domain that was checked for each. This is crucial for troubleshooting alignment issues, which we'll cover next. Understanding these basic components is the first step to taming your DMARC reports and making them work for you.

A minimalist illustration of a person looking through a magnifying glass at a bar chart, representing data analysis. The style of the images should be A minimalist retro illustration in the style of Malika Favre. Dominant colors are bright poppy red and deep royal blue. Vector art, high contrast. Do not put any words in the image or alphanumeric characters.

Common DMARC issues and how to spot them

The most common reason for a DMARC fail error is not a simple SPF or DKIM failure, but a misconfiguration known as misalignment. For DMARC to pass, the domain used in the SPF check (the Return-Path domain) or the DKIM signature (the d= tag) must match the domain in the visible "From" address. This is a security feature to prevent spoofing where the underlying authentication is technically valid but for a different domain.

You'll often see this with third-party sending services. For example, you might send email through a service like Mailchimp. If you haven't set up custom DKIM, the DKIM signature will be for a Mailchimp domain, not your own. Even if the DKIM check passes, DMARC will see the mismatch and record a failure for DKIM alignment. The same principle applies to SPF.

Failing record (misaligned)

Scenario

An email sent from a third-party service without proper alignment. The SPF check uses the service's domain, and the DKIM signature is also for the service's domain.

Reported results

SPF Result: Pass (but for mail-sender.com)
DKIM Result: Pass (but for mail-sender.com)
DMARC Alignment: Fail

Passing record (aligned)

Scenario

The same service after configuring custom SPF/DKIM. The authentication checks now use your sending domain, aligning with the "From" address.

Passing record (aligned)

SPF Result: Pass (for yourdomain.com)
DKIM Result: Pass (for yourdomain.com)
DMARC Alignment: Pass

Another common source of confusing reports is email forwarding. When an email is forwarded, the intermediate server breaks the SPF chain because it's not listed in your SPF record. Luckily, DKIM signatures survive forwarding. This is why having both SPF and DKIM is so important; it provides resilience and ensures your legitimate emails still pass DMARC even in complex delivery scenarios.

Suped DMARC monitoring

Free forever, no credit card required

Learn more

Trusted by teams securing millions of inboxes

A step-by-step guide to troubleshooting

So you see failures in your reports. Don't panic. The process for fixing them is methodical. First, ensure your DMARC policy is set to p=none. This "monitoring mode" allows you to gather data without any risk of your emails being blocked or sent to spam. This is a critical first step that providers strongly recommend.

Next, go through your reports and identify every source IP address sending on your behalf. For each one, ask yourself: "Is this a legitimate service I use?" You might find your corporate mail server, your marketing platform, and your transactional email provider. You might also find IP addresses you don't recognize, which could be a sign of a phishing attack.

Identify your sources: Comb through your DMARC reports to create a list of all services and servers sending email for your domain.
Authenticate legitimate senders: For each legitimate service (e.g., Google Workspace, SendGrid), follow their documentation to set up aligned SPF and DKIM. This usually involves adding specific DNS records.
Monitor and verify: Continue to check your DMARC set up by reviewing reports. Once you see consistent passing results for all your legitimate traffic, you're ready to enforce a stricter policy.
Enforce your policy: Gradually update your DMARC record, first to p=quarantine and finally to p=reject, to protect your domain.

Once all your known, legitimate sources are consistently passing DMARC with proper alignment, you can begin the journey to enforcement. This involves updating your DMARC policy from p=none to p=quarantine. This tells receivers to send unauthenticated mail to the spam folder. After a period of monitoring at quarantine, and seeing no issues with legitimate mail, you can take the final step to p=reject, instructing them to block unauthorized mail entirely.

Navigating DMARC reports from Google and Yahoo might seem daunting, but it's a manageable and incredibly valuable process. By moving from monitoring to enforcement, you're not just ticking a compliance box; you're actively defending your brand, protecting your customers from phishing attacks, and improving your overall email deliverability. It turns a confusing chore into a powerful security tool.

Remember that DMARC is not a 'set it and forget it' protocol. Your sending sources can change, new services may be added, and configurations can break. Regular monitoring of your DMARC reports is key to maintaining a secure and effective email program long-term. Stay vigilant, and you'll keep your domain's reputation pristine.

Frequently asked questions

Why am I getting so many DMARC reports every day?

You receive a report from any mailbox provider that processes email claiming to be from your domain. If you send to users at Google, Yahoo, Microsoft, Comcast, and others, you will receive separate reports from each of them, typically once per day. This is normal and is the system working as intended.

What's the difference between RUA and RUF reports?

RUA (aggregate) reports are XML summaries of your email traffic, showing IP addresses, volumes, and authentication results. They are sent daily. RUF (forensic) reports are real-time, detailed reports of individual email failures, containing message samples. Due to privacy concerns, most senders only use RUA reports.

How long does it take to get to p=reject?

The timeline varies greatly depending on the complexity of your email infrastructure. A small business with one or two sending services might get to p=reject in a few weeks. A large enterprise with dozens of global sending sources could take several months of careful monitoring and remediation.

Do I really need a tool to read these reports?

While it's technically possible to manually read the XML files, it is extremely difficult and inefficient. Using a DMARC reporting service is highly recommended. These tools automatically parse the reports, visualize the data, identify senders, and make the entire process of troubleshooting and monitoring vastly simpler.