Beta testing is now live. We are looking for beta testers - use the contact form to sign up.
DMARCHubDMARCHub
Using DMARC

How to read a DMARC aggregate report

Updated 4 June 2026 · 6 min read

A DMARC aggregate report (RUA) is an XML file a receiver sends you, usually once a day. It summarises every message that claimed to be from your domain during that period, grouped by sending IP address, with the SPF, DKIM and alignment result for each group. Read together, these reports show you every system sending mail as you - the legitimate ones and the impostors.

What is in a report

Each report opens with metadata: who produced it, the date range it covers, and the policy you had published at the time. Then comes a series of records. Each record is one sending source, with a count of messages and the authentication results for that source.

Source IPs and volume

The source IP and message count tell you who is sending and how much. A familiar IP with a high count is usually your mail provider or a marketing platform. An unfamiliar IP sending in your name is the thing DMARC exists to surface. Volume matters: a single failing message is noise, a thousand a day is a signal.

Pass and fail

For each source you get an SPF result and a DKIM result, plus the DMARC disposition - what the receiver did (none, quarantine or reject) based on your policy. A source can pass one check and fail the other; DMARC only needs one to pass with alignment for the message to be treated as authenticated.

Alignment is the key column

The result that matters is alignment, not the raw SPF or DKIM pass. A message can pass SPF for some other domain and still fail DMARC because that domain does not match your visible From address. When you see passing SPF but failing DMARC, alignment is almost always the reason.

Turning reports into action

Work top down by volume. For each failing source, decide: is this a legitimate service I forgot to authenticate, or is it spoofing? Authenticate the legitimate ones by adding them to SPF or setting up DKIM signing. Once your real mail passes cleanly, you can raise your policy from none to quarantine to reject with confidence. Parsing every receiver's XML by hand does not scale, which is the job a DMARC reporting service does for you.

Frequently asked questions

Why are DMARC reports in XML?

The aggregate report format is defined by the DMARC standard as XML so that any tool can parse it. The files are meant for machines, not people, which is why a reporting service that turns them into a dashboard is worth having.

How often do DMARC reports arrive?

Most receivers send one aggregate report per day per domain. You will receive separate reports from Google, Microsoft, Yahoo and others, each covering the mail they saw from you that day.

What should I act on first?

Start with high-volume sources that fail alignment. Those are either a legitimate sender you have not authenticated yet, or someone spoofing you. Identify and fix the legitimate ones before you tighten your policy.

DMARCHub turns these reports into a clear picture, hosted in the UK.

See how DMARCHub helps