What is a DMARC aggregate report?

Imagine starting your day with a hot cup of coffee, ready to tackle your inbox, only to find it’s been bombarded overnight. Not with urgent emails from your boss or updates from your team—but with a relentless flood of delivery failures and spam complaints.

You could start manually opening your DMARC reports to figure out what’s happening, but that could be a nightmare, especially if you have dozens (or hundreds) of reports to sift through.

Fortunately, there’s a better way: DMARC aggregate reports.

DMARC aggregate reports provide a high-level overview of your email-sending status. Trends, volumes, rejections, errors—it’s all bundled up nicely in one easy-to-digest report sent to you daily.

Are you new to DMARC aggregate reports and how they work? You’ve come to the right place. Below, we’ll walk you through everything you need to know to start using these messages to better understand (and protect) your domain.

What is DMARC?

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an email security protocol that tells inbox providers what to do if a message fails authentication. DMARC might tell the provider to deliver it to the recipient anyway, send it to the spam folder, or delete it permanently.

DMARC works together with Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to verify the authenticity of email messages.

• SPF lets email senders define which IP addresses can send messages for a particular domain.
• DKIM adds a digital signature to every outgoing message to guarantee the content remains unchanged from send to receipt.
• DMARC uses these results to decide the legitimacy of an email.

Here’s how DMARC protects your business and customers:

1. Alignment Checking: DMARC checks that the domain in the sender’s address matches the domains validated by SPF and/or DKIM. If they align, DMARC gives a thumbs up, helping legitimate emails land in inboxes.
2. Policy Enforcement: Senders can set policies in their DMARC record that tell receiving email servers how to treat emails that don’t pass the DMARC checks. These policies can range from none (report the issue but do nothing) to quarantine (pass the email into the spam folder) to reject (block the email outright).
3. Reporting: DMARC reports provide feedback on all emails, letting senders know which messages are passing or failing DMARC checks.

What is a DMARC aggregate report?

DMARC provides two different types of reports: Aggregate and Forensic.

Aggregate reports (XML-Based)

Aggregate reports are sent daily. They provide a high-level overview of all email traffic claiming to come from your domain. They reveal how many emails were delivered, how many were rejected, and the reasons why your emails might not be getting delivered.

Forensic reports (Failure reports)

Forensic reports provide real-time insights into individual emails that fail DMARC evaluation. It includes details like the email header and any red flags that triggered the failure. However, privacy concerns make these reports less common (and they often contain redacted information).

Anatomy of a DMARC aggregate report

DMARC aggregate reports can look a little bit overwhelming at first, but once you know what you’re looking at, it becomes much more approachable. Here’s a detailed walkthrough of what you’ll typically find in your aggregate reports:

1. Report metadata

This section tells you who prepared the report, for whom, and the covered period:

• Report ID: A unique identifier for the report.
• Date Range: The specific time frame during which the email activities were monitored.
• Organization Name: The entity that generated the report, usually an email service provider or a security vendor.
• Contact Information: How to contact the organization in case you have questions.

2. Record blocks

Each record block details a set of DMARC evaluations based on a combination of IP address and policy enforcement:

• Source IP: The originating IP address of the emails evaluated.
• Count of Messages: The total number of emails sent from this IP during the reporting period.
• Policy Evaluated: The DMARC policy applied to these messages (none, quarantine, or reject), and whether the action was in line with the policy or overridden.
• DKIM and SPF Results: Explains whether emails from this IP passed or failed DKIM and SPF evaluations.

3. Identifying trends

One-off aggregate reports can tell you a short story about your email authentication status, but they’re best used in combination with a collection of reports to monitor ongoing progress. For example, a high number of failures from a particular IP over time might indicate a spoofing attempt or a configuration error in your email servers.

Take a look at this DMARC aggregate report example:

<record>

<row>

<source_ip>192.168.1.1</source_ip>

<count>1023</count>

<policy_evaluated>

<disposition>none</disposition>

<dkim>pass</dkim>

<spf>fail</spf>

</policy_evaluated>

</row>

<identifiers>

<header_from>example.com</header_from>

</identifiers>

<auth_results>

<dkim>

<domain>example.com</domain>

<result>pass</result>

</dkim>

<spf>

<domain>example.com</domain>

<result>fail</result>

</spf>

</auth_results>

</record>

This snippet shows a typical entry where emails from IP 192.168.1.1 mostly passed DKIM but failed SPF checks. The disposition here is none, indicating no action was taken despite SPF failure (possibly due to the policy set by the domain owner).

Why DMARC aggregate reports matter

DMARC aggregate reports aren’t just another email in your inbox—they are jam-packed with juicy insights into everything from your security and engagement to your brand reputation and authentication standards.

Here’s how these reports can help your business and email program:

• Boost Email Deliverability: Identify problems with email deliverability to make necessary adjustments. For example, legitimate emails might be flagged—changing your policies or approved domains could fix this issue.
• Improve Security and Compliance: DMARC prevents bad actors from impersonating your brand or maliciously using your domain. Understanding your DMARC status and success helps you maintain control.
• Gain Strategic Insights: See the real-time impact on email delivery and response rates when you set and adjust your DMRC policies.
• Build Trust: Proper DMARC enforcement builds trust with your customers and partners—they know the emails they get from you are actually from you and not imposters.

6 tips to help you read (and use) your aggregate reports

DMARC aggregate reports contain a lot of raw XML data. While you can generally sift through this to find the exact information you need, this can get tedious (and prone to error) when you do it day after day.

Here are a few tips to help you better use your aggregate reports:

1. Use a DMARC analysis solution

Valimail Enforce analyzes your DMARC reports and gives you the findings in an easy-to-read format with charts and graphs. It highlights key issues and tracks performance over time to help you spot trends and recurring problems.

2. Review consistently

Reading one-off reports will not give you the richness of insights that come with consistency. Make it a routine to check your DMARC reports regularly (whether daily, weekly, or monthly). Don’t wait for problems to escalate before you start digging into the data.

3. Focus on the details

Pay attention to IPs that frequently send large volumes of email that fail DMARC checks. Investigating these often reveals unauthorized use of your domain or configuration errors.

4. Analyze trends over time

Don’t just look at individual reports in isolation. Analyze them over a period to identify long-term trends and effects of any changes you’ve made to your email policies or configurations.

5. Act on the insights

Use the insights gained from these reports to refine your SPF and DKIM configurations, adjust your DMARC policies, and address any alignment issues. Create a feedback loop where you review changes in subsequent reports to monitor their impact.

6. Document your findings and actions

Maintain a log of issues identified, actions taken, and outcomes achieved. This can help with future troubleshooting and planning. Plus, it helps in documenting compliance with specific regulatory requirements.

Skip the raw IP data with Valimail

Reading DMARC reports can be a chore. All the raw IP data and complex XML reports make finding problems and actionable insights more tedious than necessary.

Here’s how Valimail Enforce can simplify this process:

• Hassle-Free Monitoring: Valimail provides a monitoring solution that identifies up to 100% of your services by name (not just by IP).
• Quick Identification: Quickly identify and authorize all legitimate senders while easily spotting any bad actors.
• Global Visibility: Gain a comprehensive view of all senders from your domains to maintain total control over your email ecosystem.
• Control Shadow IT: Discover and manage non-authorized cloud-sending services that might be using your domain without your knowledge.
• Unmatched Discovery: Use Valimail’s advanced capabilities to uncover third-party emailing services.
• Compliance and Security: Stay compliant with no risk to personally identifiable information (PII), maintaining high data privacy and security standards.

Valimail Enforce offers world-class sender identification technology that analyzes DMARC aggregate report data and presents it in an easy-to-digest format. Want to see how you can analyze the number of emails passing and failing DMARC-aligned SPF or DKIM or known sending services using your domain as far back as six months?