How to Read DMARC Reports — Find Who's Breaking Your Email Auth

Published May 2026 · ohmysend.com

DMARC aggregate reports are the only way to know if your SPF and DKIM are both passing. Postmaster's green checkmark doesn't tell the full story. Here's how to read the XML files and find the leaks.

First, Enable DMARC Reporting

Your DMARC record needs an rua= tag to receive aggregate reports. A proper monitored DMARC record looks like:

v=DMARC1; p=none; adkim=r; aspf=r; rua=mailto:dmarc@yourdomain.com; fo=1;

What's Inside a DMARC XML Report

Each report contains rows like this, one per sending source. Here is what to look for:

The key insight: find rows where spf_result is pass but dkim_result is fail (or vice versa). These are your authentication gaps.

How to Parse the Reports (Without Losing Your Mind)

You'll receive raw XML files by email. They're unreadable without processing. You have three options:

  1. Manual: Download the XML, open it in a text editor, and read the raw data. Painful but possible for low volume.
  2. AI-assisted: Paste the XML into ChatGPT/Claude and ask: "List all unique source IPs with their SPF result, DKIM result, and email count." Works surprisingly well.
  3. Paid tools: DMARC monitoring services (dmarcian, Valimail, etc.) parse reports automatically and give you dashboards. These cost $20-200/month.
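A short script can do the same first pass locally. The following is an added example, not code from the original page: it totals message counts per source IP from one aggregate report and lists the rows where SPF and DKIM do not both pass. It assumes the spf_result and dkim_result values discussed above correspond to the spf and dkim elements under policy_evaluated in the RFC 7489 aggregate format; the sample report, its IP addresses and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report (documentation IPs); not data from a real domain.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.25</source_ip><count>40</count>
    <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.25</source_ip><count>5</count>
    <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.7</source_ip><count>15</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""


def summarize(xml_text):
    """Total message count per (source_ip, spf, dkim) across one report."""
    # Anyone can mail the rua address, so treat reports as untrusted input:
    # refuse DTDs so entity-expansion payloads never reach the parser.
    if "<!DOCTYPE" in xml_text.upper():
        raise ValueError("DTD not allowed in a DMARC report")
    root = ET.fromstring(xml_text)
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]  # in case the report declares a namespace
    totals = defaultdict(int)
    for row in root.iter("row"):
        ip = row.findtext("source_ip", "").strip()
        # policy_evaluated holds the DMARC-aligned SPF and DKIM verdicts
        spf = row.findtext("policy_evaluated/spf", "missing").strip()
        dkim = row.findtext("policy_evaluated/dkim", "missing").strip()
        totals[(ip, spf, dkim)] += int(row.findtext("count", "0"))
    return dict(totals)


def find_gaps(totals):
    """Rows where SPF and DKIM do not both pass, highest volume first."""
    gaps = []
    for (ip, spf, dkim), n in totals.items():
        if spf == "pass" and dkim == "pass":
            continue
        kind = "both-fail" if "pass" not in (spf, dkim) else "mismatch"
        gaps.append((ip, spf, dkim, n, kind))
    return sorted(gaps, key=lambda g: -g[3])


if __name__ == "__main__":
    for ip, spf, dkim, n, kind in find_gaps(summarize(SAMPLE_REPORT)):
        print(f"{ip:<16} spf={spf:<5} dkim={dkim:<5} count={n:<5} {kind}")
```

Reports usually arrive as .zip or .gz attachments, so decompress them before passing the XML text to summarize().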

The Most Common Discovery

When we run DMARC diagnostics for clients, the #1 finding is: an unexpected third-party sender is failing authentication. Usually it's Shopify/Shopline sending transactional emails, or a forgotten integration (Zendesk, Intercom, review tools) sending under your domain without proper DKIM signing.

These "shadow senders" silently drag down your domain reputation because every unauthenticated email tells Gmail "this domain can't be trusted."

What You Do With This Information

Once you identify which senders are failing:

  1. If it's your ESP (Klaviyo, SendGrid, etc.) → contact their support to fix DKIM alignment
  2. If it's Shopify/Shopline transactional → configure a custom sending domain or accept the gap
  3. If it's a tool you forgot about → remove it or fix its DKIM signing
  4. If it's unauthorized → someone is spoofing your domain. Move to p=reject
