Viewing DMARC Reports

DMARC reports are the raw intelligence behind SpoofWard's analysis. This guide explains how to access, understand, and use DMARC reports to improve your email security.

Types of DMARC Reports

Aggregate Reports (RUA)

What they contain:

  • Summary statistics from receiving mail servers
  • Count of messages passing/failing authentication
  • Breakdown by SPF/DKIM alignment status
  • Sender IP addresses and organizations
  • Policy evaluation results

Frequency: Sent daily (once per 24-hour period)

Format: Compressed XML file attached to an email

Use case: Understand overall authentication patterns and identify trends over time

Forensic Reports (RUF)

What they contain:

  • Detailed information about EVERY message that failed authentication
  • Message headers (From, To, Subject, Date)
  • Authentication result details (SPF/DKIM pass/fail reasons)
  • Sender IP address and reverse DNS
  • DMARC policy applied

Frequency: Sent per-message (real-time, large volume)

Format: Human-readable or XML

Use case: Investigate specific authentication failures and identify sources of spoofing attempts

Data Volume

Aggregate reports are manageable (one per day). Forensic reports can be high volume if you have many authentication failures. SpoofWard processes both automatically.

Accessing Reports in SpoofWard

Aggregate Reports

Navigate to DMARC > Reports in the dashboard:

  1. Select your domain from the dropdown
  2. Choose date range (last 7 days, 30 days, custom)
  3. View the report table with columns:
     • Date - Report date
     • Messages - Total volume
     • Pass Rate - Percentage passing authentication
     • Top IPs - Primary senders
     • Details - Click to expand

Click any row to see granular data:

  • SPF pass/fail breakdown
  • DKIM pass/fail breakdown
  • DMARC alignment status
  • Policy disposition (none, quarantine, reject)

Forensic Reports

Navigate to DMARC > Forensic:

  1. Select domain
  2. Filter by:
     • Date range
     • Failure reason (SPF misalignment, DKIM misalignment, etc.)
     • Source IP
  3. View individual failure events:
     • Email metadata (headers, sender)
     • Authentication details
     • IP reputation
     • Your response (allow, block, investigate)

Understanding Report Data

SPF Alignment

The report shows:

  • SPF Pass - Sending server validated against the SPF record
  • SPF Fail - Sending server doesn't match the SPF record
  • SPF Neutral - SPF doesn't apply (rare)

Alignment requires:

  1. SPF passes for the sending IP
  2. The "From" header domain matches the SPF domain (DMARC alignment mode)

DKIM Alignment

  • DKIM Pass - Email signature validated using published DKIM key
  • DKIM Fail - Signature invalid or key not found
  • DKIM Neutral - DKIM doesn't apply

Alignment requires:

  1. DKIM signature validates
  2. Signing domain matches "From" header domain (relaxed or strict mode)
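
The two-step alignment requirement can be read straight out of an aggregate report record. The following is an added example, not SpoofWard code: the record is constructed in the RFC 7489 aggregate-report layout with placeholder domains, and the function name explain is made up for the illustration.

```python
import xml.etree.ElementTree as ET

# Constructed record (placeholder domains, documentation IP). policy_evaluated
# holds the aligned verdicts; auth_results holds the raw SPF/DKIM results and
# the domains they were checked against.
SAMPLE_RECORD = """<record>
  <row><source_ip>198.51.100.7</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results>
    <dkim><domain>mailer.example.net</domain><result>pass</result></dkim>
    <spf><domain>bounce.mailer.example.net</domain><result>softfail</result></spf>
  </auth_results>
</record>"""

def explain(record_xml):
    """Return one finding per mechanism: aligned pass, misaligned pass, or failure."""
    rec = ET.fromstring(record_xml)
    from_domain = rec.findtext("identifiers/header_from")
    findings = {}
    for mech in ("spf", "dkim"):
        aligned = rec.findtext(f"row/policy_evaluated/{mech}") == "pass"
        raw = [(a.findtext("domain"), a.findtext("result"))
               for a in rec.findall(f"auth_results/{mech}")]
        passing = [d for d, r in raw if r == "pass"]
        if aligned:
            findings[mech] = "aligned pass"
        elif passing:
            # Step 1 succeeded; step 2 (domain match with From) did not.
            findings[mech] = f"misaligned: passed for {passing[0]}, From is {from_domain}"
        elif raw:
            findings[mech] = f"failed: {raw[0][1]} for {raw[0][0]}"
        else:
            findings[mech] = "no result reported"
    return findings

if __name__ == "__main__":
    for mech, finding in explain(SAMPLE_RECORD).items():
        print(f"{mech}: {finding}")
```

A "misaligned" finding for a known service usually means the service signs or bounces with its own domain and still needs to be set up to use yours.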

DMARC Disposition

The action taken based on policy:

  • None - Policy is p=none; mail accepted (monitoring)
  • Quarantine - Policy is p=quarantine; failed mail sent to spam
  • Reject - Policy is p=reject; failed mail rejected by receiving server

Analyzing Report Trends

Compliance Score Trend

Over time, track your authentication score:

  • Baseline - Where you started (often 50-70% for new domains)
  • Progress - As you configure senders, score increases
  • Target - Goal is 95%+ pass rate

Look for:

  • Upward trend indicating fixes are working
  • Sudden drops indicating new unauthenticated senders
  • Plateaus where you're missing authorized sources

Sender Trends

Identify which senders are failing authentication:

  • Large volume, high failure rate - High priority fix
  • Small volume, high failure rate - May not matter as much
  • Known service, failing - Likely misconfiguration (needs SPF/DKIM setup)
  • Unknown service, failing - Possible phishing attempt or unauthorized sender

Geographic Patterns

Receiving mail servers by country/region:

  • Domestic concentration - Most reports from expected regions
  • Unusual geographic sources - May indicate attacks or misconfiguration
  • Concentration by service - Gmail, Outlook, Yahoo reports dominate (expected)

Troubleshooting With Reports

Low Pass Rate?

  1. Identify the biggest failure sources (top failing IPs)
  2. Determine if they're legitimate senders:
     • Known service (SendGrid, Office 365, etc.)? → Configure SPF/DKIM
     • Unknown IP? → Investigate or block
  3. Add them to SPF record with proper authorization
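
Finding the biggest failure sources can also be done on a raw XML export. The following is an added example, not SpoofWard code: the report is constructed in the RFC 7489 aggregate-report layout with a placeholder domain and documentation IPs, and the function name summarize is made up for the illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate-report layout. The domain is a
# placeholder and the IPs are documentation addresses.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>940</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>120</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.5</source_ip><count>30</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>10</count>
    <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def summarize(xml_text):
    """Return (overall DMARC pass rate, [(ip, failed, total)] by failed volume)."""
    # Reports arrive from third parties: in production, parse with a hardened
    # XML parser and cap the decompressed size before parsing.
    per_ip = defaultdict(lambda: [0, 0])  # ip -> [total, failed]
    for row in ET.fromstring(xml_text).iter("row"):
        count = int(row.findtext("count"))
        verdicts = (row.findtext("policy_evaluated/dkim"),
                    row.findtext("policy_evaluated/spf"))
        stats = per_ip[row.findtext("source_ip")]
        stats[0] += count
        # DMARC passes if either aligned mechanism passes.
        if "pass" not in verdicts:
            stats[1] += count
    total = sum(t for t, _ in per_ip.values())
    failed = sum(f for _, f in per_ip.values())
    failing = sorted(((ip, f, t) for ip, (t, f) in per_ip.items() if f),
                     key=lambda item: item[1], reverse=True)
    return ((total - failed) / total if total else 0.0), failing

if __name__ == "__main__":
    rate, failing = summarize(SAMPLE_REPORT)
    print(f"pass rate: {rate:.1%}")
    for ip, failed, total in failing:
        print(f"{ip}: {failed} of {total} messages failed DMARC")
```

The same source IP can appear in several records, so totals are accumulated per IP before ranking.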

Spike in Failures?

  1. Check the date of the spike
  2. Did something change? (New marketing campaign, email migration, etc.)
  3. Was a new sender added without configuration?
  4. Enable forensic reports to see exact failure details

Unexpected Rejections (p=reject mode)?

  1. Check forensic reports for failure reasons
  2. Identify the sender/IP
  3. Add to SPF/DKIM or mark as authorized
  4. Revert to p=quarantine if too aggressive

Exporting Reports

Download raw report data for external analysis:

Export Formats

  • CSV - Spreadsheet format for Excel/Google Sheets
  • JSON - Structured data for programming/automation
  • XML - Raw DMARC report format
  • PDF - Formatted report for stakeholders

Custom Reports

Use SpoofWard's reporting tools to generate:

  • Executive Summary - High-level security posture for management
  • Detailed Analysis - Full sender breakdown with recommendations
  • Enforcement Readiness - Assessment of when you can move to p=quarantine or p=reject
  • Threat Report - Suspicious activity and phishing attempts

Report Filtering

Filter reports to focus on specific issues:

  • Date range - Compare week-over-week or month-over-month
  • Failure type - SPF/DKIM/alignment mismatches only
  • Sender IP - Deep dive into a specific IP address
  • Result - Pass/fail/neutral only
  • Domain - If monitoring multiple domains

Advanced Analysis

IP Reputation Research

For each sender IP:

  • Reverse DNS - Hostname associated with the IP
  • ASN/Organization - Company/network owning the IP
  • Threat Intelligence - Is it flagged as malicious?
  • Historical Status - How long has this sender been active?

Click any IP to see detailed threat intelligence (Pro+ plans only).

Forensic Deep Dives

Forensic reports show individual failures. For each:

  • Email Header - Full message metadata
  • Authentication Result - Exact reason for failure
  • Your Actions - Did you allow, block, or investigate?
  • Context - Is this an expected sender?

Header Analysis

SpoofWard's email header analyzer can parse complex failures:

  1. Copy the full email header
  2. Paste into the header analyzer tool
  3. Get detailed breakdown of authentication results
  4. Identify the exact problem

Best Practices

Review Reports Weekly

Stay on top of trends and catch issues early.

Track Pass Rate Progress

Set internal targets (85%+ soon, 95%+ as goal) and monitor progress.

Investigate New Senders

When DMARC reports show a new IP/sender, investigate immediately rather than waiting.

Automate Actions

Use SpoofWard's API to automatically mark senders as authorized or blocked based on criteria.

Archive for Compliance

Keep historical reports for audits and compliance (often required by regulations).

Common Questions

Why is my pass rate lower than expected?

Check for:

  • Senders not in your SPF record
  • DKIM keys not published or incorrect
  • Subdomains sending without their own DMARC policy
  • Forwarding services not configured for DMARC alignment

Can I get reports for historical data?

Yes. DMARC reports are archived for 90 days. You can request older data by exporting.

What if I'm not receiving any reports?

Check:

  • Your DMARC record has rua=mailto:[email protected]
  • Email is actually being sent from your domain (if none is sent, no reports will be generated)
  • SPF record includes your mail server
  • Check spam folder for reports from other providers

How do I know if reports are reliable?

Reports come from receiving mail servers worldwide. More volume = more reliable data. Small sender counts may show variance.
