DMARC Troubleshooting – How to Read Aggregate Reports
Learn how to interpret DMARC aggregate (RUA) reports, distinguish legitimate from unauthorized sources and prioritize fixes so you can move safely toward enforcement.
What DMARC aggregate reports really tell you
DMARC aggregate reports are XML documents that email receivers send to your designated reporting address. Each report summarizes how messages claiming to be from your domain behaved over a period of time: which IPs sent them, which providers handled them and whether SPF, DKIM and DMARC checks passed or failed.
Instead of looking at individual messages, aggregate reports group similar traffic into records that describe many messages at once. This makes it easier to spot patterns and trends when viewed in a tool like DMARCsimple, rather than trying to read raw XML by hand.
SPF, DKIM and alignment in context
A common point of confusion is that SPF or DKIM results displayed in DMARC reports are evaluated within the rules of DMARC alignment. In other words, it isn't enough for SPF or DKIM to simply pass—they must also align with the domain in the From: header.
- SPF pass, but not aligned: The sending IP is authorized, but the envelope Mail-From domain does not match the From: domain.
- DKIM pass, but not aligned: A valid DKIM signature exists, but the signing domain is different from the From: domain.
- Aligned pass: SPF or DKIM passes and the evaluated domain matches (or is an allowed subdomain of) the From: domain.
DMARCsimple helps make these distinctions clear so you can see the underlying cause when a source appears to fail DMARC.
Distinguishing legitimate from unauthorized sources
When you first enable DMARC and begin receiving reports, you may discover more sending sources than you expected. Some of these will be legitimate services that were never fully documented; others may be misconfigurations or unauthorized use.
In DMARCsimple, you can group and review sources based on provider, IP ranges and behavior over time:
- Likely legitimate: Consistent volume, hosted by a reputable provider, occasionally passes SPF or DKIM, and matches known business workflows.
- Likely unauthorized: Low or bursty volume, unknown IP space, no DKIM, consistent SPF failures and no clear business justification.
Common patterns you'll see in reports
- Marketing platforms signing with their own domain: DKIM passes but does not align until you configure a custom domain.
- Transactional services using a different return-path domain: SPF can pass while failing alignment if the envelope domain differs from the visible From: domain.
- Legacy systems sending as your domain without DKIM: SPF may or may not be correctly configured, but lack of DKIM makes the source fragile.
- Suspicious bursts from unexpected IP ranges: These often represent unauthorized or compromised systems and should be investigated promptly.
A practical troubleshooting workflow
When you see DKIM or SPF failures in DMARCsimple, work systematically:
- Identify the source: Which provider or system appears to own the IP space?
- Check SPF: Is the IP explicitly or indirectly authorized? Are you near or over lookup limits?
- Check DKIM: Is there a DKIM signature present, and if so, which domain is signing?
- Assess alignment: Does either SPF or DKIM align with the From: domain?
- Decide on an action: Configure SPF/DKIM, adjust domains for alignment or block/retire the source.
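The workflow above, applied to raw report XML, as an added example (not DMARCsimple's code). The sample report is constructed, and relaxed alignment is simplified to "same domain or a subdomain of the From: domain", which assumes the From: domain is the organizational domain; a production check would use the Public Suffix List.

```python
import xml.etree.ElementTree as ET

# Constructed sample (RFC 7489 aggregate layout, trimmed); IPs are documentation ranges.
SAMPLE = """<feedback>
<policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf></policy_published>
<record><row><source_ip>192.0.2.10</source_ip><count>1200</count></row>
 <identifiers><header_from>example.com</header_from></identifiers>
 <auth_results><dkim><domain>mailer.example.net</domain><result>pass</result></dkim>
  <spf><domain>bounce.example.net</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>198.51.100.7</source_ip><count>300</count></row>
 <identifiers><header_from>example.com</header_from></identifiers>
 <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
  <spf><domain>mail.example.com</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>203.0.113.99</source_ip><count>45</count></row>
 <identifiers><header_from>example.com</header_from></identifiers>
 <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
</feedback>"""

def aligned(auth_domain, from_domain, mode):
    """Simplified alignment: strict = exact match, relaxed = same domain or a subdomain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f or (mode != "s" and a.endswith("." + f))

def passing(auth, kind):
    """Domains whose raw SPF or DKIM result is 'pass', before alignment is considered."""
    return [e.findtext("domain", "") for e in auth.findall(kind)
            if e.findtext("result") == "pass"]

def diagnose(xml_text):
    # Reports come from third parties: refuse DTDs rather than expand their entities.
    if "<!DOCTYPE" in xml_text.upper():
        raise ValueError("DTD not allowed in aggregate report")
    root = ET.fromstring(xml_text)
    pub = root.find("policy_published")
    adkim, aspf = pub.findtext("adkim", "r"), pub.findtext("aspf", "r")
    rows = []
    for rec in root.iter("record"):
        frm = rec.findtext("identifiers/header_from")
        auth = rec.find("auth_results")
        dkim, spf = passing(auth, "dkim"), passing(auth, "spf")
        if any(aligned(d, frm, adkim) for d in dkim) or any(aligned(d, frm, aspf) for d in spf):
            verdict = "aligned pass"
        elif dkim or spf:
            verdict = "pass, not aligned"
        else:
            verdict = "no SPF or DKIM pass"
        rows.append((rec.findtext("row/source_ip"), int(rec.findtext("row/count")), verdict))
    return sorted(rows, key=lambda r: -r[1])  # highest volume first

if __name__ == "__main__":
    for ip, count, verdict in diagnose(SAMPLE):
        print(f"{ip:<15} {count:>6}  {verdict}")
```

Real reports usually arrive gzip- or zip-compressed and some declare an XML namespace on the root element, so decompress and strip or qualify the namespace before calling diagnose().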
Prioritizing what to fix first
Not all failures are equally urgent. For a smooth path to enforcement, we recommend focusing on changes in this order:
- High-volume legitimate sources: Fix these first to stabilize most of your traffic.
- Reputable providers with intermittent failures: Address configuration drift or partial rollouts.
- Unknown or suspicious sources: Investigate and block as necessary to reduce abuse.
- Low-volume edge cases: Tidy up remaining issues before moving to a reject policy.
From troubleshooting to enforcement
As your DMARC aggregate reports show more aligned, passing traffic from known sources, you can begin to tighten your DMARC policy with greater confidence. DMARCsimple helps you track this progress and document the decisions you make along the way.
Over time, regular review of DMARC reports becomes part of your normal security and operations rhythm, rather than a one-off project. That ongoing attention is a key part of keeping spoofing risk low as your organization evolves.