DMARC Reports: How to read and use them

This article explains how to interpret the daily DMARC reports sent by receiving mail servers.

Introduction:

DMARC, which stands for Domain-based Message Authentication, Reporting and Conformance, is an email authentication protocol. It adds an extra layer of security by building on existing mechanisms (SPF and DKIM) to effectively prevent identity spoofing and phishing attempts. DMARC also allows domain owners to receive reports on emails sent in their name to better control the use of their domain.

This standard helps protect your domain from fraudulent use by spammers, who may forge the sender address (“From”) to make it appear that the email comes from a legitimate user of your domain. DMARC prevents this type of forgery by ensuring that emails are authorized to be sent on behalf of your domain.

DMARC relies on other standard authentication protocols, such as SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), to help administrators identify fraudulent emails sent by cyber attackers. By combining these mechanisms, DMARC enhances the ability to detect spoofing attempts and protect the domain’s reputation.

Note: When you authenticate your domain on systeme.io, the SPF and DKIM records are automatically added to your domain.

The DMARC protocol allows senders to define a policy specifying how receiving servers should handle emails that fail SPF or DKIM checks. According to this policy, non-compliant messages can be marked as spam or outright rejected.

What are DKIM and SPF?

1. DKIM (DomainKeys Identified Mail)

DKIM is an email authentication method that uses a digital signature to allow recipients to verify that a message was sent by an authorized sender and was not altered in transit.

When an email is sent, it is signed using a private key associated with the sender's domain. Upon receipt, the recipient's email server (like Gmail, Outlook, etc.) uses a public key published in the domain’s DNS to validate the signature. This ensures the email content hasn’t been tampered with during transit.

In other words, DKIM prevents a third party from intercepting an email, modifying its content, and sending it with potentially fraudulent information.

Another major advantage of DKIM is that it helps build your sending domain's reputation. Internet Service Providers (ISPs) analyze sending quality (spam rates, bounce rates, recipient engagement, etc.) to evaluate domain trustworthiness. Adhering to these best practices directly improves your email deliverability.

2. SPF (Sender Policy Framework)

SPF is an email authentication protocol that allows ISPs, such as Gmail, to verify whether a mail server is authorized to send messages on behalf of a domain. Essentially, it is an allowlist declared in the domain’s DNS that specifies which services or IP addresses are allowed to send emails on your behalf.

When a message is received, the destination server checks if the sender is on the allowed list defined in the SPF record. If not, the message can be flagged as suspicious or rejected.

What are the benefits of DMARC?

Protect your domain’s reputation

DMARC protects your brand and domain against spoofing attempts. It prevents unauthorized senders from sending emails on your behalf. In some cases, simply publishing a DMARC record can improve your domain’s reputation with email providers.

Better visibility into domain usage

DMARC reports provide clear insight into how your domain is being used, legitimately or otherwise. You can see who is sending emails in your name and quickly identify any suspicious activity.

Improve email deliverability

DMARC verifies that your emails are correctly authenticated via SPF and DKIM. By detecting and correcting authentication issues, you increase the chances of your emails reaching recipients’ inboxes while reducing the risk of being flagged as spam.

Reduce spam and complaints

By preventing forged emails from reaching end-users, DMARC helps reduce spam complaints and protect your domain’s reputation with ISPs.

DMARC reports allow you to analyze email authentication results and take action to protect your domain or business reputation.

A DMARC report typically includes the following information:

  • Entity name (organization or provider) generating the report
  • Reporting period (start and end dates)
  • Authentication status: pass or fail for SPF and DKIM
  • SPF/DKIM alignment: whether records align correctly with the sending domain
  • Sender IP address of the analyzed message
  • Action taken by the receiving server (accepted, quarantined, or rejected)

These reports provide valuable visibility into email flows using your domain and help detect any spoofing attempts.

Benefits of tracking DMARC reports

Regular monitoring of DMARC reports offers several key benefits for domain administrators:

  • Identify and fix authentication issues

    Reports reveal SPF and DKIM failures that could cause your emails to land in spam. Correcting these errors improves both your domain reputation and email deliverability

  • Enhanced control over sending sources

    Using report data, you can ensure all emails sent from your domain come from legitimate sources, quickly detecting spoofing or unauthorized sending attempts

  • Compliance with regulatory requirements

    With the growing volume of email communications, many authorities, including email providers like Google, require implementation of authentication protocols like DMARC. For example, starting February 2024, Google requires certain senders to comply with these standards to maintain platform security

  • Proof of compliance

    Archived copies of your DMARC reports can serve as tangible evidence of compliance with security standards and email communication regulations

Example of a DMARC report

<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
<report_metadata>
<org_name>emailsrvr.com</org_name>
<email>dmarc_reports@emailsrvr.com</email>
<extra_contact_info>http://emailsrvr.com</extra_contact_info>
<report_id>ff2d7a69-d5a4-4caa-a69b-04814ac885e9</report_id>
<date_range>
<begin>1705795200</begin>
<end>1705881600</end>
</date_range>
</report_metadata>
<policy_published>
<domain>yourdomain.com</domain>
<adkim>r</adkim>
<aspf>r</aspf>
<p>none</p>
<sp>none</sp>
<pct>100</pct>
</policy_published>
<source_ip>XXX.XXX.XXX.XXX</source_ip>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>pass</spf>
</policy_evaluated>
<header_from>yourdomain.com</header_from>
<spf>
<domain>yourdomain.com</domain>
<result>pass</result>
</spf>
<dkim>
<domain>domain.com</domain>
<result>pass</result>
</dkim>
<dkim>
<domain>domain.com</domain>
<result>pass</result>
</dkim>

How to read a DMARC report:

You have two options: manual analysis or using AI assistance.

A) Manually break down and interpret a DMARC report

The breakdown is based on the example above:

  1. Your ISP, the name of your email service provider:
<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
<report_metadata>
<org_name>emailsrvr.com</org_name>
<email>dmarc_reports@emailsrvr.com</email>
<extra_contact_info>http://emailsrvr.com</extra_contact_info>
  1. Report identification number:
<report_id>ff2d7a69-d5a4-4caa-a69b-04814ac885e9</report_id>
  1. Date range (start and end in seconds):
<date_range>
<begin>1705795200</begin>
<end>1705881600</end>
</date_range>
  1. DMARC record specifications as published in your domain’s DNS:
<policy_published>
<domain>yourdomain.com</domain>
<adkim>r</adkim>
<aspf>r</aspf>
<p>none</p>
<sp>none</sp>
<pct>100</pct>
</policy_published>
  1. Sending source IP address:
<source_ip>XXX.XXX.XXX.XXX</source_ip>
  1. Authentication results summary (SPF/DKIM pass/fail):
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>pass</spf>
</policy_evaluated>
  1. From: domain:
<header_from> yourdomain.com</header_from>
  1. SPF authentication results:
<spf>
<domain>si116382.yourdomain.com</domain>
<result>pass</result>
</spf>
  1. DKIM authentication results:
<dkim>
<domain>inbound.systeme.io</domain>
<result>pass</result>
</dkim>
<dkim>
<domain>domain.com</domain>
<result>pass</result>
</dkim>

B) Use AI such as ChatGPT to analyze a DMARC report

You can use AI tools, like ChatGPT, to analyze and interpret a DMARC report. This section shows step-by-step instructions.

  1. Locate the DMARC report

Open the email containing the XML attachment (these are usually sent automatically by receiving mail servers).

  1. Open the XML file

After downloading, open it with a simple text editor like Notepad (Windows) or TextEdit (Mac).

  1. Copy the content

Select the entire XML content and copy it.

  1. Paste it into ChatGPT

Go to ChatGPT and paste the XML content into the chat window. You can ask, for example:

“Can you analyze this DMARC report and tell me if any emails failed SPF or DKIM checks?”

  1. Interpret the results

ChatGPT will analyze the report tags and provide a clear, structured explanation of the data: sender, SPF/DKIM results, IP address used, action taken (accepted, quarantined, rejected), etc.

Our recommendations for going further

Now that you understand how to implement DMARC, its benefits, and how to interpret reports, you have completed a critical first step in protecting your domain’s reputation.

However, as a domain owner, your responsibility doesn’t stop there: this is an ongoing process that requires regular monitoring and adjustments.

Here are some ongoing best practices:

  • Regularly monitor your DMARC reports

    Check reports frequently to spot any unauthorized sending attempts.

  • Analyze the data and take corrective actions

    Quickly fix any authentication issues (SPF/DKIM) and adjust your policy as needed to strengthen sending security.

  • Use your domain responsibly

    Follow good sending practices (qualified contact lists, low spam rates, relevant content) to maintain your domain reputation and email deliverability

Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.