Understanding DMARC Aggregate Reports — What the XML Is Telling You
DMARC Analyzer Pro
DMARC aggregate reports contain vital data about your email security posture. Learn how to read these XML reports and what to look for.
You've published your DMARC record, set up an RUA address, and the reports are streaming in. Now what? The XML files arriving in your inbox — sometimes dozens per day — contain a wealth of information, but making sense of them manually is a challenge.
Anatomy of a DMARC aggregate report
Every aggregate report follows the same XML schema. At the top level, you'll find metadata about the reporting organisation (the receiving server that generated it), the date range the report covers, and your published DMARC policy. Below that, the report contains individual `<record>` elements, each representing a group of messages from the same source IP that had identical authentication results.
Each record includes the source IP address, the count of messages from that IP, the policy that was applied, and the authentication results for both SPF and DKIM — including whether they aligned with your domain.
What to look for
The first thing to examine is the overall pass/fail ratio. A healthy domain will show the vast majority of messages passing both SPF and DKIM with proper alignment. If you see a significant number of failures, you need to investigate the source IPs.
Look at the source IPs for failed messages. Are they yours? If a known IP is failing SPF, you likely have a configuration issue — perhaps a sending service that's not included in your SPF record. If the IPs are unfamiliar, they might belong to forwarding services (which can legitimately break SPF) or to malicious actors trying to spoof your domain.
Pay special attention to DKIM alignment failures. If a message passes DKIM but the signing domain doesn't align with your From domain, the DKIM check won't satisfy DMARC. This is a common issue with third-party senders that sign with their own domain rather than yours.
Volume matters
Don't just look at pass/fail rates — look at volumes. A single IP sending thousands of messages that fail both SPF and DKIM is a strong indicator of a spoofing campaign. On the other hand, small volumes of failures from well-known mail forwarding services are usually benign.
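The checks described above (overall pass ratio, per-IP failures, DKIM signatures that pass but do not align, and failure volume) can be sketched in Python as follows. This is an added example, not DMARC Analyzer Pro code: the sample report is constructed and carries no XML namespace, and the `summarise` function name and the 1000-message threshold are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report (documentation IPs and domains), trimmed to the
# fields used below. Real reports come from third parties: treat as untrusted.
SAMPLE = """<feedback>
 <report_metadata><org_name>receiver.example</org_name></report_metadata>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim></auth_results></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><dkim><domain>esp.example</domain><result>pass</result></dkim></auth_results></record>
 <record><row><source_ip>203.0.113.99</source_ip><count>5200</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
</feedback>"""

def summarise(xml_text, volume_threshold=1000):
    """Per-source-IP DMARC totals; the threshold is an assumed triage cut-off."""
    root = ET.fromstring(xml_text)
    stats = defaultdict(lambda: {"pass": 0, "fail": 0, "unaligned_dkim": set()})
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count") or 0)
        # policy_evaluated holds the *aligned* results; DMARC passes if either passes.
        aligned = {rec.findtext("row/policy_evaluated/dkim"),
                   rec.findtext("row/policy_evaluated/spf")}
        stats[ip]["pass" if "pass" in aligned else "fail"] += count
        # Raw DKIM pass + aligned DKIM fail = signature from a non-aligned domain.
        if rec.findtext("row/policy_evaluated/dkim") != "pass":
            for sig in rec.iterfind("auth_results/dkim"):
                if sig.findtext("result") == "pass":
                    stats[ip]["unaligned_dkim"].add(sig.findtext("domain"))
    total = sum(s["pass"] + s["fail"] for s in stats.values())
    passed = sum(s["pass"] for s in stats.values())
    suspects = sorted(ip for ip, s in stats.items() if s["fail"] >= volume_threshold)
    return {"pass_ratio": passed / total if total else 0.0,
            "by_ip": dict(stats), "high_volume_failures": suspects}

if __name__ == "__main__":
    report = summarise(SAMPLE)
    print(f"pass ratio: {report['pass_ratio']:.1%}")
    for ip, s in report["by_ip"].items():
        print(ip, s["pass"], s["fail"], sorted(s["unaligned_dkim"]))
    print("investigate:", report["high_volume_failures"])
```

Anyone can send mail to an RUA mailbox, so in production decompress attachments with size limits and parse them with a hardened XML parser such as defusedxml.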
Why you need automation
A single day's reports can contain data from hundreds of unique source IPs across dozens of reporting organisations. Multiplied across weeks and months, the volume becomes unmanageable without dedicated tooling.
DMARC Analyser Pro processes your aggregate reports automatically, extracting the data points that matter and presenting them in clear dashboards. You get trend analysis, anomaly detection, and alerting — turning raw XML into actionable intelligence without the manual effort.