--- title: "How to Read DMARC Reports: A Practical Guide to Understanding Aggregate and Forensic XML" description: "DMARC aggregate reports are XML files that show who sends email from your domain and whether authentication passes. This guide explains every field in the XML, what the results mean, and how to act on them." image: "https://dmarcreport.com/og/blog/how-to-read-dmarc-reports-guide-2026.png" canonical: "https://dmarcreport.com/blog/how-to-read-dmarc-reports-guide-2026/" --- Quick Answer DMARC aggregate reports (RUA) are XML files containing: the reporting organization, your DMARC policy, and a list of records - each showing a source IP, message count, SPF result, DKIM result, and DMARC disposition (none/quarantine/reject). To read t Related: [Free DMARC Checker](/tools/dmarc-checker/) Share [ ](https://www.linkedin.com/sharing/share-offsite/?url=undefined%2Fblog%2Fhow-to-read-dmarc-reports-guide-2026%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=How%20to%20Read%20DMARC%20Reports%3A%20A%20Practical%20Guide%20to%20Understanding%20Aggregate%20and%20Forensic%20XML&url=undefined%2Fblog%2Fhow-to-read-dmarc-reports-guide-2026%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=undefined%2Fblog%2Fhow-to-read-dmarc-reports-guide-2026%2F "Share on Facebook") [ ](https://reddit.com/submit?url=undefined%2Fblog%2Fhow-to-read-dmarc-reports-guide-2026%2F&title=How%20to%20Read%20DMARC%20Reports%3A%20A%20Practical%20Guide%20to%20Understanding%20Aggregate%20and%20Forensic%20XML "Share on Reddit") [ ](mailto:?subject=How%20to%20Read%20DMARC%20Reports%3A%20A%20Practical%20Guide%20to%20Understanding%20Aggregate%20and%20Forensic%20XML&body=Check out this article: undefined%2Fblog%2Fhow-to-read-dmarc-reports-guide-2026%2F "Share via Email") ![How to Read DMARC Reports: A Practical Guide to Understandin](https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-report-4236.jpg) ## Try Our Free DMARC Checker Validate your DMARC policy, check alignment settings, and verify reporting configuration. [ Check DMARC Record → ](/tools/dmarc-checker/) \*\*DMARC aggregate reports are XML files that list every IP address that sent email from your domain, how many messages each sent, and whether SPF, DKIM, and DMARC passed or failed for each source. They’re sent by receiving mail servers (Gmail, Outlook, Yahoo, etc.) to the address you specified in your DMARC record’s `rua=` tag - typically once per day. DMARC ([RFC 7489](https://datatracker.ietf.org/doc/html/rfc7489)) ties SPF and DKIM together by requiring alignment between the envelope sender and the visible `From` header. According to Google’s February 2024 bulk sender requirements, a DMARC policy of at least `p=none` is now mandatory for any domain sending 5,000+ messages per day to Gmail users. > From an operations standpoint, the difference between a domain with DMARC monitoring and one without is visibility, says Vasile Diaconu, Operations Lead at DuoCircle. We see organizations discover unauthorized senders they didn’t know existed within 48 hours of enabling DMARC reporting. That visibility alone justifies the setup time. The problem: raw DMARC XML reports are unreadable. A single day’s reports from a domain with moderate email volume can contain dozens of XML files, each with hundreds of records. That’s why [DMARC Report](/) exists - it parses and visualizes them automatically. ## What Does a DMARC Aggregate Report Look Like? Here’s a simplified example of the key XML structure: As of 2025, DMARC is mandatory under multiple compliance frameworks. [CISA BOD 18-01](https://www.cisa.gov/news-events/directives/bod-18-01) requires p=reject for US federal domains. [PCI DSS v4.0](https://www.pcisecuritystandards.org/) mandates DMARC for organizations processing payment card data as of March 2025\. Google and Yahoo require DMARC for bulk senders (5,000+ messages/day) since February 2024, and [Microsoft began rejecting](https://learn.microsoft.com/en-us/defender-office-365/email-authentication-dmarc-configure) non-compliant email in May 2025\. The UK [NCSC](https://www.ncsc.gov.uk/collection/email-security-and-anti-spoofing), Australia’s [ASD](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-email), and Canada’s [CCCS](https://www.cyber.gc.ca/en/guidance/implementation-guidance-email-domain-protection) all mandate DMARC for government domains. Cyber insurers increasingly require DMARC enforcement as an underwriting condition. ``` google.com 1711929600 1712016000 yourdomain.com

reject

reject r r 209.85.220.41 1523 none pass pass ``` ## What Do the Fields Mean? | Field | Meaning | | ----------- | ------------------------------------------------------------------------------- | | org\_name | Which receiver sent this report (google.com, outlook.com, yahoo.com, etc.) | | date\_range | The time period covered (Unix timestamps) | | domain | Your domain being reported on | | p | Your published DMARC policy | | source\_ip | The IP address that sent email from your domain | | count | How many messages this IP sent during the reporting period | | disposition | What the receiver did: none (delivered), quarantine (spam), or reject (blocked) | | dkim | DKIM result: pass or fail | | spf | SPF result: pass or fail | ## How Do You Read the Results? **Look for three things:** 1\. **Sources with `pass` on both DKIM and SPF** \- these are your legitimate, properly configured senders. No action needed. 1. **Sources with `fail` on SPF or DKIM but legitimate IPs** \- these are your real senders that aren’t properly authenticated. Fix their SPF/DKIM configuration. 2. **Sources with `fail` on both from unknown IPs** \- these are unauthorized senders (potentially spoofing your domain). When you move to `p=reject`, these get blocked. ## Why Not Read XML Manually? - A medium-traffic domain receives 10-50 XML reports per day from different receivers - Each report can contain hundreds of source IP records - You’d need to reverse-DNS every IP to identify the sender - Tracking trends over time requires a database **[DMARC Report](/) solves all of this** \- it ingests XML automatically, identifies senders by name (Google, Microsoft, SendGrid, etc.), tracks trends, and alerts you to unauthorized senders. [Start analyzing your DMARC reports →](https://app.dmarcreport.com/) [Check your DMARC record →](/tools/dmarc-checker/) ## Sources - [CISA Binding Operational Directive 18-01](https://www.cisa.gov/news-events/directives/bod-18-01) - [Microsoft Outlook DMARC Enforcement May 2025](https://learn.microsoft.com/en-us/defender-office-365/email-authentication-dmarc-configure) (2025) - [PCI DSS v4.0 - DMARC Requirement](https://www.pcisecuritystandards.org/) (2025) - [RFC 7489 - Domain-based Message Authentication, Reporting, and Conformance (DMARC)](https://datatracker.ietf.org/doc/html/rfc7489) ## Topics [ DMARC ](/tags/dmarc/)[ email security ](/tags/email-security/) ![Brad Slavin](https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg) [ Brad Slavin ](/authors/brad-slavin/) General Manager Founder and General Manager of DuoCircle. Product strategy and commercial lead for DMARC Report's 2,000+ customer base. [LinkedIn Profile →](https://www.linkedin.com/in/bradslavin) ## Take control of your DMARC reports Turn raw XML into actionable dashboards. Start free - no credit card required. [Start Free Trial](https://app.dmarcreport.com/) [Check Your DMARC Record](/tools/dmarc-checker/) ## Related Articles [ Foundational 8m 10 Critical Learnings From Verizon’s 2021 DBIR - A DMARCReport Perspective Nov 25, 2025 ](/blog/10-critical-learnings-from-verizons-2021-dbir-a-dmarcreport-perspective/)[ Foundational 12m 10 DNS Blacklist Insights That Improve Email Security And Deliverability Fast Nov 14, 2025 ](/blog/10-dns-blacklist-insights-to-improve-email-security-and-deliverability/)[ Foundational 12m 10 Email Spoofing Detection Tools That Dramatically Improve Brand Protection Nov 11, 2025 ](/blog/10-email-spoofing-detection-tools-that-dramatically-improve-brand-protection/)[ Foundational 12m 10 Reasons SPF Filtering Is Critical For Email Security Nov 19, 2025 ](/blog/10-reasons-spf-filtering-is-critical-for-email-security/) ```json {"@context":"https://schema.org","@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]} ``` ```json {"@context":"https://schema.org","@type":"WebSite","name":"DMARC Report","url":"https://dmarcreport.com","description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","publisher":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}} ``` ```json [{"@context":"https://schema.org","@type":"BlogPosting","headline":"How to Read DMARC Reports: A Practical Guide to Understanding Aggregate and Forensic XML","description":"DMARC aggregate reports are XML files that show who sends email from your domain and whether authentication passes. This guide explains every field in the XML, what the results mean, and how to act on them.","url":"https://dmarcreport.com/blog/how-to-read-dmarc-reports-guide-2026/","datePublished":"2026-03-30T00:00:00.000Z","dateModified":"2026-04-16T15:53:43.000Z","dateCreated":"2026-03-30T00:00:00.000Z","author":{"@type":"Person","@id":"https://dmarcreport.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://dmarcreport.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin is the founder and General Manager of DuoCircle, the company behind DMARC Report, AutoSPF, Phish Protection, and Mailhop. He founded DuoCircle in 2014 and has led the company's growth to 2,000+ customers across its email security product family. Brad's focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement).","image":"https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://dmarcreport.com/blog/how-to-read-dmarc-reports-guide-2026/"},"articleSection":"foundational","keywords":"DMARC, email security","wordCount":2500,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-report-4236.jpg","caption":"How to Read DMARC Reports: A Practical Guide to Understandin","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}}] ``` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://dmarcreport.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://dmarcreport.com/blog/"},{"@type":"ListItem","position":3,"name":"Foundational","item":"https://dmarcreport.com/foundational/"},{"@type":"ListItem","position":4,"name":"How to Read DMARC Reports: A Practical Guide to Understanding Aggregate and Forensic XML","item":"https://dmarcreport.com/blog/how-to-read-dmarc-reports-guide-2026/"}]} ```