How to interpret DMARC reports, including sender identification and failure types?
Michael Ko
Co-founder & CEO, Suped
Published 1 Aug 2025
Updated 17 Aug 2025
DMARC reports are a critical component of email security, providing invaluable insights into your email ecosystem. They help you understand who is sending emails from your domain, how those emails are being authenticated, and what actions receiving mail servers are taking based on your DMARC policy.
Understanding these reports is essential for protecting your brand from spoofing and phishing attacks, while also ensuring your legitimate emails reach their intended recipients. Without proper interpretation, you might miss critical security gaps or misdiagnose deliverability issues.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) builds upon existing email authentication protocols, SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). When you set up a DMARC record, you can specify an email address to receive regular reports from mail servers that process emails from your domain. These reports are crucial for monitoring your domain’s email health.
There are two primary types of DMARC reports: aggregate reports (RUA) and forensic reports (RUF). Aggregate reports are XML files sent daily, providing a summary of email authentication results for your domain. They offer a high-level overview of email volume, authentication passes or failures, and the IP addresses of senders.
Forensic reports, also known as failure reports, are sent when an email fails DMARC authentication. Unlike aggregate reports, these contain detailed information about individual failed messages, including headers and sometimes even the email body. While they provide deep insights, privacy concerns mean that many mailbox providers, like Google and Microsoft, rarely send them anymore.
Key aggregate report components
Source IP addresses: Identifies the servers that sent emails using your domain.
Sending volume: Shows the number of emails sent from each source IP.
Authentication results: Details whether SPF and DKIM passed or failed for each email.
DMARC alignment: Indicates if the From: header domain aligned with the SPF or DKIM authenticated domain. Learn more about DMARC passing and identifier alignment.
Policy applied: Shows the action taken by the receiving server (e.g., none, quarantine, reject).
Pinpointing unknown and legitimate senders
One of the first things you'll notice in your DMARC reports is a list of IP addresses and domains that are sending email on behalf of your domain. Your primary goal here is to identify and authorize all legitimate sending sources.
You'll likely see familiar services, such as a marketing ESP (Email Service Provider) like Iterable or a transactional email provider like SendGrid. Your DMARC reports may also show senders tied to daily business operations, such as Google Workspace for 1:1 business communications, or services like DigitalOcean or Stova. All of these are sending platforms the business itself uses.
It is crucial to verify that every legitimate sender is properly configured with SPF and DKIM records that align with your domain. If you spot unfamiliar IPs or domains, investigate them to determine if they are unauthorized senders attempting to spoof your domain, or legitimate services that need to be authorized. Identifying unrecognized email sending sources is a key step.
Legitimate senders
Known ESPs: Email Service Providers like Mailchimp or HubSpot that you explicitly use.
Transactional services: Services sending password resets, order confirmations, etc.
Internal systems: Your own mail servers or other IT infrastructure.
Unauthorized or suspicious senders
Unrecognized IPs: IP addresses you can't tie to any known service or internal system.
High volume failures: Significant email volumes originating from unauthorized sources, indicating potential spoofing.
Consistent SPF/DKIM failures: Repeated authentication failures from a particular IP, even if the volume is low, might point to misconfigurations or malicious activity.
Deciphering DMARC failure types
DMARC reports detail why emails fail authentication. A common failure type is SPF failure, which occurs when an email is sent from an IP address not listed in your domain's SPF record. This can happen if a legitimate service sends email on your behalf but its IP is not included in your SPF record, or if a spammer uses an unauthorized IP.
Another common issue is DKIM failure. This means the email's digital signature is either invalid, missing, or doesn't align with the domain in the From: header. DKIM failures often point to misconfigurations, incorrect keys, or email tampering. It's important to understand how DMARC reports show authentication results.
It is worth noting that an email can still pass DMARC even if one of these mechanisms fails, as long as the other passes and aligns. For instance, if DKIM fails but SPF passes with alignment, the email still passes DMARC. However, consistently high SPF or DKIM failure rates, even with DMARC passes, indicate underlying configuration issues that should be addressed. Learn why some emails might fail DMARC checks.
Common DMARC failure scenarios
Missing SPF or DKIM records: If either record is not published for a sending source, authentication will fail.
SPF v=spf1 misconfiguration: Incorrectly listed IPs or domains in your SPF record can lead to failures.
DKIM key rotation issues: If DKIM keys are not updated or published correctly, signatures will become invalid.
Subdomain issues: SPF and DKIM need to be correctly configured for all subdomains you send from.
Email forwarding: Can break SPF authentication and sometimes DKIM, leading to DMARC failures even for legitimate emails. Find out more about how email forwarding affects DMARC policies.
Navigating common DMARC reporting challenges
Analyzing DMARC reports can sometimes present challenges. One common point of confusion arises when overall DMARC pass rates look strong, but individual SPF or DKIM rates show significant failures. This often happens due to the nature of DMARC itself: only one of SPF or DKIM needs to pass with alignment for DMARC to pass.
Email forwarding is another major source of seemingly misleading failures. When an email is forwarded, the receiving server often sees the forwarder's IP instead of the originating server's, which breaks SPF. This can lead to DMARC failures for emails that were legitimate but passed through a forwarding service. These failures might not indicate spoofing but rather a characteristic of email routing.
The key is to understand the context of the failures. Low-volume failures or those from unexpected sources might be noise from legitimate email forwarding or even minor networking glitches. High-volume, consistent failures from unknown sources, however, warrant immediate investigation, as they often signal spoofing or unauthorized use of your domain. You can also troubleshoot DMARC failures to improve deliverability.
| Failure type | Common cause | Impact |
| --- | --- | --- |
| SPF authentication fail | Email sent from an IP not authorized in SPF record. | Can result in DMARC fail if DKIM also fails or is not aligned. |
| DKIM authentication fail | Invalid signature, missing DKIM record, or message altered in transit. | Can result in DMARC fail if SPF also fails or is not aligned. |
| SPF alignment fail | The domain in the Return-Path header doesn't match the From header. | Even if SPF passes, DMARC can fail without alignment. |
| DKIM alignment fail | The domain in the DKIM signature doesn't match the From header. | Even if DKIM passes, DMARC can fail without alignment. |
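The following Python example is added here and is not part of the original article or any vendor tool: it parses a constructed aggregate report in the RFC 7489 layout and maps each source IP to its volume, DMARC verdict, applied policy and the failure types listed above. It assumes a report without an XML namespace; the function names, sample IPs and domains are illustrative.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 aggregate (RUA) layout; not real report data.
# Reports arrive from third parties: parse real ones with a hardened parser such as defusedxml.
SAMPLE = """<feedback><policy_published><domain>example.com</domain><p>none</p></policy_published>
<record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
    <spf><domain>bounce.esp.example</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>198.51.100.7</source_ip><count>3</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
    <spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
<record><row><source_ip>203.0.113.99</source_ip><count>900</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
</feedback>"""

def failure_types(record):
    """Map one <record> to the four failure types (authentication vs. alignment)."""
    issues = []
    for mech in ("spf", "dkim"):
        aligned = record.findtext(f"row/policy_evaluated/{mech}") == "pass"
        raw = [r.text for r in record.findall(f"auth_results/{mech}/result")]
        if "pass" not in raw:      # check failed, or no record/signature was present
            issues.append(f"{mech.upper()} authentication fail")
        elif not aligned:          # authenticated, but for a domain other than From:
            issues.append(f"{mech.upper()} alignment fail")
    return issues

def summarize(xml_text):
    """One row per source IP; DMARC passes when either aligned result passes."""
    rows = []
    for rec in ET.fromstring(xml_text).iter("record"):
        ev = rec.find("row/policy_evaluated")
        rows.append({
            "ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "dmarc": "pass" if "pass" in (ev.findtext("dkim"), ev.findtext("spf")) else "fail",
            "disposition": ev.findtext("disposition"),
            "issues": failure_types(rec),
        })
    # DMARC-failing sources first, then by descending volume
    return sorted(rows, key=lambda r: (r["dmarc"] == "pass", -r["count"]))

if __name__ == "__main__":
    print(*summarize(SAMPLE), sep="\n")
```

In the sample, the 120-message source passes DMARC on aligned DKIM while still showing an SPF alignment fail, which is the "strong DMARC rate, weak SPF rate" pattern described earlier; the 900-message source fails both mechanisms and sorts to the top.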
Views from the trenches
Best practices
Continuously monitor all sending sources to maintain DMARC compliance and detect anomalies promptly.
Implement a phased DMARC policy rollout, starting with p=none to gather reports before moving to quarantine or reject.
Regularly review DMARC aggregate reports to identify legitimate services and ensure their proper authentication.
Work with third-party senders to ensure they are correctly authenticating emails on your behalf.
Common pitfalls
Overlooking email forwarding's impact, which can cause DMARC failures for otherwise legitimate emails.
Interpreting high individual SPF or DKIM failure rates as overall DMARC failure when the other mechanism might still pass with alignment.
Not correlating unknown sender IPs with potential shadow IT or legitimate but unconfigured services.
Moving to an enforcement policy (p=quarantine or p=reject) too quickly without thorough analysis of reports.
Expert tips
Leverage DMARC reporting tools to simplify the complex XML data into actionable insights for easier analysis.
Be aware that some DMARC failures might be out of your control, such as those caused by legitimate email forwarding chains.
Prioritize investigating high-volume unknown senders first, as they pose the greatest risk for domain spoofing.
Use forensic reports (if available) to gain deeper insight into specific failure instances, but be mindful of privacy.
Marketer view
Marketer from Email Geeks says: My DMARC reports show conflicting data, with great overall deliverability but high daily DKIM failures. It's confusing to reconcile.
September 24, 2024 - Email Geeks
Expert view
Expert from Email Geeks says: DMARC failures can occur even when one authentication method passes, and these failures can result from networking issues, not just spoofing. Assessing their severity requires careful judgment.
September 24, 2024 - Email Geeks
Taking action from your DMARC insights
Interpreting DMARC reports is an ongoing process that empowers you to gain comprehensive visibility into your email traffic. By diligently analyzing sender identification and understanding the nuances of various failure types, you can proactively secure your domain against abuse.
This detailed understanding allows for informed decision-making, enabling you to refine your DMARC policies from a monitoring stance to quarantine or even reject, significantly enhancing your email deliverability and protecting your brand reputation. For a broader perspective on common email issues, see why your emails are going to spam.