Understanding and troubleshooting DMARC reports from Google and Yahoo

If you've recently set up DMARC for your domain, you've probably noticed something new in your inbox: a daily stream of emails with cryptic XML attachments. These are your DMARC aggregate reports, sent from providers like Google and Yahoo. Since their new requirements took effect, understanding these reports has become absolutely essential for anyone sending email.

At first glance, these files are completely unreadable to the human eye. It's just a wall of code. This often leads to the question I see on forums all the time: what am I supposed to do with these DMARC reports? The answer is that they contain a goldmine of information about your email sending activity, both legitimate and fraudulent. They tell you who is sending email on your behalf and whether that email is passing authentication.

The purpose of these reports isn't just to inform you, but to empower you. By analyzing the data, you can identify unauthorized senders, fix authentication issues with your legitimate services, and confidently move towards a stricter DMARC policy like p=quarantine or p=reject. In this guide, I'll walk you through how to interpret what Google and Yahoo are telling you and what steps to take to resolve common problems.

DMARC aggregate reports, or RUA reports, are sent in a machine-readable format called XML. While a DMARC analyzer is the best way to parse this information, it's helpful to understand the basic structure. Each report contains metadata about the reporting organization (like Google) and the date range it covers. More importantly, it lists every IP address that sent email claiming to be from your domain.

<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <date_range>
      <begin>1672531200</begin>
      <end>1672617599</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>yourdomain.com</domain>
    <p>none</p>
    <sp>none</sp>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>209.85.220.41</source_ip>
      <count>15</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>yourdomain.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>yourdomain.com</domain>
        <result>pass</result>
      </dkim>
      <spf>
        <domain>yourdomain.com</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
</feedback>

For each sending IP, the report shows a count of messages and the authentication results. The key section is <policy_evaluated>, which tells you if the messages passed or failed SPF and DKIM checks from DMARC's perspective. It also shows the <disposition>, which is the policy that was applied (none, quarantine, or reject). This information helps you understand what messages are passing and which are not.

Finally, the <auth_results> section gives you the raw SPF and DKIM results, including the domain that was checked for each. This is crucial for troubleshooting alignment issues, which we'll cover next. Understanding these basic components is the first step to taming your DMARC reports and making them work for you.

The most common reason for a DMARC fail error is not a simple SPF or DKIM failure, but a misconfiguration known as misalignment. For DMARC to pass, the domain used in the SPF check (the Return-Path domain) or the DKIM signature (the d= tag) must match the domain in the visible "From" address. This is a security feature to prevent spoofing where the underlying authentication is technically valid but for a different domain.

You'll often see this with third-party sending services. For example, you might send email through a service like Mailchimp. If you haven't set up custom DKIM, the DKIM signature will be for a Mailchimp domain, not your own. Even if the DKIM check passes, DMARC will see the mismatch and record a failure for DKIM alignment. The same principle applies to SPF.

Another common source of confusing reports is email forwarding. When an email is forwarded, the intermediate server breaks the SPF chain because it's not listed in your SPF record. Luckily, DKIM signatures survive forwarding. This is why having both SPF and DKIM is so important; it provides resilience and ensures your legitimate emails still pass DMARC even in complex delivery scenarios.

Suped DMARC monitor

Free forever, no credit card required

Get started for free

Trusted by teams securing millions of inboxes

So you see failures in your reports. Don't panic. The process for fixing them is methodical. First, ensure your DMARC policy is set to p=none. This "monitoring mode" allows you to gather data without any risk of your emails being blocked or sent to spam. This is a critical first step that providers strongly recommend.

Next, go through your reports and identify every source IP address sending on your behalf. For each one, ask yourself: "Is this a legitimate service I use?" You might find your corporate mail server, your marketing platform, and your transactional email provider. You might also find IP addresses you don't recognize, which could be a sign of a phishing attack.

• Identify your sources: Comb through your DMARC reports to create a list of all services and servers sending email for your domain.
• Authenticate legitimate senders: For each legitimate service (e.g., Google Workspace, SendGrid), follow their documentation to set up aligned SPF and DKIM. This usually involves adding specific DNS records.
• Monitor and verify: Continue to check your DMARC set up by reviewing reports. Once you see consistent passing results for all your legitimate traffic, you're ready to enforce a stricter policy.
• Enforce your policy: Gradually update your DMARC record, first to p=quarantine and finally to p=reject, to protect your domain.

Once all your known, legitimate sources are consistently passing DMARC with proper alignment, you can begin the journey to enforcement. This involves updating your DMARC policy from p=none to p=quarantine. This tells receivers to send unauthenticated mail to the spam folder. After a period of monitoring at quarantine, and seeing no issues with legitimate mail, you can take the final step to p=reject, instructing them to block unauthorized mail entirely.

Navigating DMARC reports from Google and Yahoo might seem daunting, but it's a manageable and incredibly valuable process. By moving from monitoring to enforcement, you're not just ticking a compliance box; you're actively defending your brand, protecting your customers from phishing attacks, and improving your overall email deliverability. It turns a confusing chore into a powerful security tool.

Remember that DMARC is not a 'set it and forget it' protocol. Your sending sources can change, new services may be added, and configurations can break. Regular monitoring of your DMARC reports is key to maintaining a secure and effective email program long-term. Stay vigilant, and you'll keep your domain's reputation pristine.

The benefits of implementing DMARC

Matthew Whittaker

6 Jul 2025

Discover the essential benefits of implementing DMARC for your email. This article explains how DMARC enhances your security by preventing domain spoofing and phishing, boosts deliverability by improving your sender reputation, and provides invaluable visibility into your email ecosystem. Learn why DMARC is a non-negotiable tool for protecting your brand and ensuring your messages reach the inbox.

A practical guide to finding a DMARC professional

Michael Ko

9 Jul 2025

Learn how to find, vet, and hire a DMARC professional to secure your email and improve deliverability. This guide covers what to look for in an expert, where to find them, and the key questions to ask to ensure you're protecting your brand from phishing and spoofing.

Why your emails are getting a 'DMARC verification failed' error

Michael Ko

10 Jul 2025

Getting a 'DMARC verification failed' error? This post breaks down what it means, the common causes like alignment issues with SPF and DKIM, and how to fix it. Learn how to diagnose problems using DMARC reports and a step-by-step approach to secure your domain without blocking legitimate emails.

How to fix 'DMARC policy not enabled' warnings

Matthew Whittaker

11 Jul 2025

Seeing a 'DMARC policy not enabled' warning can be confusing. This message doesn't mean something is broken, but rather that your DMARC policy is set to a monitoring-only mode (p=none) and not yet enforcing protection. This guide explains what the warning means, why starting with p=none is a critical first step, and how to methodically analyze your email sources to safely transition to an enforcement policy like p=quarantine or p=reject, ultimately securing your domain and improving deliverability.

Simple DMARC examples: how to start with a p=none policy

Michael Ko

11 Jul 2025

Getting started with DMARC doesn't have to be complicated. This guide explains why a `p=none` policy is the safest first step, providing simple, copy-paste examples to help you start monitoring your email domain. Learn how to gain crucial visibility into who is sending email on your behalf without any risk to your deliverability.

A simple guide to DMARC, SPF, and DKIM

Matthew Whittaker

11 Jul 2025

Ever felt lost in the alphabet soup of email security? This guide breaks down DMARC, SPF, and DKIM into simple concepts. We'll explain how SPF creates a guest list for your emails, DKIM adds a tamper-proof seal, and DMARC acts as the security chief, telling mail servers how to handle unverified messages, ensuring your emails are trusted and secure.