How to understand DMARC reports

I decided it was about time that I sat down and tried to understand these reports, and I think that I now have a better understanding of the reports.

Below is the currently published DMARC record for one of my domains. The record that I originally had (and which had generated this DMARC report) was to provide an aggregate (rua) report, but I have now changed it to provide only a failure (ruf) report:

v=DMARC1; p=reject; ruf=mailto:[email protected]; adkim=r; aspf=r;

Note that I have used ‘example.com’ as the domain, instead of my actual domain name.

The received DMARC report (in XML format), which was generated based on my original DMARC record, is broken down into sections below, using a real received example of a RUA (aggregate) report:

Above is the first section of the report; it contains information about the ISP (here it’s kddi.com), their email address, etc.

Next up, it’s the report ID:

Followed by the date range:

Use https://timestamp.online/ to convert these timestamps. For example:

1731881931 = 17/11/2024, 22:18:51

1731904700 = 18/11/2024, 04:38:20

Next is policy published:

Next is the source (as an IP address) of the sender and how many attempts:

A check of the IP address shows the location of the sender as ‘Lagos, Lagos, Nigeria’.

Next is policy evaluated:

This says rejected – DKIM and SPF both failed.

Next, the domain that was the sender:

And finally, the auth results:

This says that both DKIM and SPF have failed; therefore, the email was rejected.

As I did not send the email in question myself, the DMARC record has done its job and rejected the email as not being legitimate – success!
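
The sections walked through above can also be read out of an aggregate report with a short script. This is an added example, not part of the original post: the XML is a constructed sample that uses the element names from RFC 7489 (Appendix C), with reporter.example, 192.0.2.10 and the report ID as placeholder values, and the two timestamps from the post (converted as UTC).

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample, not the report from the post; element names per RFC 7489 Appendix C.
SAMPLE = """<feedback>
  <report_metadata>
    <org_name>reporter.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1731881931</begin><end>1731904700</end></date_range>
  </report_metadata>
  <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>reject</p></policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>1</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>fail</result></dkim>
      <spf><domain>example.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>"""

def utc(ts):
    """Convert a Unix timestamp string to a UTC date/time string."""
    return datetime.fromtimestamp(int(ts), tz=timezone.utc).strftime("%d/%m/%Y, %H:%M:%S")

def summarise(xml_text):
    """Return the report metadata plus one dict per <record> element."""
    root = ET.fromstring(xml_text)
    text = lambda node, path: (node.findtext(path) or "").strip()
    report = {
        "org": text(root, "report_metadata/org_name"),
        "report_id": text(root, "report_metadata/report_id"),
        "begin": utc(text(root, "report_metadata/date_range/begin")),
        "end": utc(text(root, "report_metadata/date_range/end")),
        "policy": text(root, "policy_published/p"),
        "records": [],
    }
    for rec in root.iter("record"):
        row = {"source_ip": text(rec, "row/source_ip"), "count": int(text(rec, "row/count") or 0)}
        row.update({k: text(rec, f"row/policy_evaluated/{k}") for k in ("disposition", "dkim", "spf")})
        row.update(auth_dkim=text(rec, "auth_results/dkim/result"), auth_spf=text(rec, "auth_results/spf/result"))
        row["header_from"] = text(rec, "identifiers/header_from")
        # policy_evaluated holds the aligned results; DMARC passes if either one passes.
        row["dmarc_pass"] = "pass" in (row["dkim"], row["spf"])
        report["records"].append(row)
    return report
```

Aggregate reports arrive from third parties, so for a real mailbox parse them with the defusedxml package rather than the standard-library parser.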

I don’t have any recent DMARC failure reports (in TXT format) to compare with the above aggregate report, but I may update this post when one becomes available.

Finally: Just to say, this is not an expert definitive analysis, but just my rudimentary understanding!