DMARC Reports Guide
Understand DMARC aggregate reports, alignment results, source discovery, and policy rollout using Postscale.
TL;DR
DMARC aggregate reports show who is sending as your domain and whether mail passes SPF or DKIM alignment. Use reports to discover legitimate senders, fix failures, and move policy from p=none to enforcement with evidence.
What you will learn
- Read the core fields in DMARC aggregate reports
- Identify legitimate, unknown, and failing senders
- Use report trends to move safely toward quarantine or reject policy
What aggregate reports show
DMARC aggregate reports are XML files sent by mailbox providers. They summarize authentication results for mail claiming to be from your domain.
Useful fields include:
- Source IP.
- Message count.
- Disposition.
- SPF result.
- DKIM result.
- Header From domain.
- Alignment pass or fail.
Postscale parses those reports so you do not need to inspect XML manually.
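To show where those fields sit in the raw XML, here is an added example (not Postscale's parser) that reads a constructed report in the RFC 7489 aggregate format and totals DMARC pass and fail counts per source IP. The sample data and function names are assumptions of this example, and it assumes the report elements carry no XML namespace.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report (documentation IP ranges, made-up counts).
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>8</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>30</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""

def summarize(report_xml):
    """Return {source_ip: {"pass": n, "fail": n, "header_from": set}}."""
    # Reports arrive from outside parties: refuse DTDs before parsing.
    if "<!DOCTYPE" in report_xml or "<!ENTITY" in report_xml:
        raise ValueError("DTD/entity declarations are not allowed in a report")
    root = ET.fromstring(report_xml)
    sources = defaultdict(lambda: {"pass": 0, "fail": 0, "header_from": set()})
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count", "0"))
        # policy_evaluated holds the alignment-aware SPF and DKIM results.
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        # DMARC passes when either aligned mechanism passes.
        verdict = "pass" if "pass" in (dkim, spf) else "fail"
        sources[ip][verdict] += count
        sources[ip]["header_from"].add(rec.findtext("identifiers/header_from"))
    return dict(sources)

def failing_sources(report_xml):
    """Source IPs with at least one message failing both alignments."""
    return sorted(ip for ip, s in summarize(report_xml).items() if s["fail"])

if __name__ == "__main__":
    for ip, stats in summarize(SAMPLE_REPORT).items():
        print(ip, stats)
```

Sources returned by `failing_sources` are the ones to classify first: either a legitimate sender that needs DKIM or SPF alignment fixed, or mail that enforcement should stop.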
Start with source discovery
Before enforcing DMARC, identify every legitimate sender:
| Source type | Example |
|---|---|
| Product email | Postscale transactional mail |
| Workplace mail | Google Workspace or Microsoft 365 |
| Billing systems | Stripe or invoicing software |
| Support tools | Help desk platforms |
| Marketing tools | Consent-based newsletter systems |
Unknown sources are not always malicious. Some are forgotten SaaS tools.
Fix alignment failures
DMARC checks whether the domain authenticated by SPF or DKIM aligns with the visible From domain.
Common fixes:
- Configure DKIM for each third-party sender.
- Use a custom Return-Path where SPF alignment matters.
- Stop services from sending as the root domain when they cannot authenticate.
- Move risky mail to a subdomain.
If a source cannot pass SPF or DKIM alignment, it should not send as the protected domain.
Roll out policy gradually
Use reports to move in stages:
_dmarc.example.com. TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
Then:
- Fix known legitimate failures.
- Move to p=quarantine; pct=25.
- Watch reports for false positives.
- Increase pct.
- Move to p=reject when stable.
Do not skip the monitoring stage unless the domain has no legitimate mail.
Investigate spikes
Spikes often indicate:
- A new product integration.
- A marketing campaign.
- Forwarding behavior.
- A spoofing attempt.
- A DNS or DKIM rotation mistake.
Cross-check with deployment history before assuming abuse.
Frequently asked questions
- Do DMARC reports contain message content?
- Aggregate reports normally contain authentication results and source metadata, not message bodies.
- Why do I see sources I do not recognize?
- They may be legitimate third-party senders, forwarding paths, or spoofing attempts. Verify before blocking.
Put the guide into production
Postscale brings sending, inbound processing, DMARC reporting, and masked addresses behind one API so the operational pieces stay connected.