Detailed explanation of individual DMARC report components and what they mean for your email security
When you click "View" on any report in your reports list, you'll see a detailed breakdown of that specific DMARC aggregate report. Understanding each section helps you make informed security decisions.
| Field | Description | Example | Significance |
|---|---|---|---|
| Report ID | Unique identifier for this report | 15714726821611789 | Reference for tracking and support |
| Organization | Entity that generated the report | google.com, outlook.com | Shows which email providers process your domain |
| Date Range | Time period covered by report | 2024-01-15 to 2024-01-16 | Usually 24-hour periods, helps with timing analysis |
| Domain | Your domain being reported on | example.com | Confirms which of your domains this report covers |
| Policy Applied | DMARC policy that was in effect | p=none, p=quarantine, p=reject | Shows what action was taken on failed emails |
Meaning: The sending IP address is authorized in your SPF record.
What it shows:
Meaning: The sending IP address is not authorized in your SPF record.
Possible causes:
Meaning: SPF record uses "~all" (soft fail) mechanism.
Action:
Meaning: SPF record doesn't specify authorization for this IP.
Action:
Meaning: Email signature was verified using your DKIM public key.
Indicates:
Meaning: DKIM signature verification failed.
Possible causes:
In the detailed report, you'll see DKIM selector information like "selector1._domainkey.yourdomain.com". This tells you which DKIM key was used for signing. Multiple selectors allow for key rotation and different sending sources.
DMARC requires either SPF or DKIM (or both) to be in "alignment" - meaning the authenticated domain matches the "From" header domain.
| Alignment Type | Relaxed Mode | Strict Mode | Example |
|---|---|---|---|
| SPF Alignment | Organizational domain match | Exact domain match required | mail.example.com → example.com (relaxed OK) |
| DKIM Alignment | Organizational domain match | Exact domain match required | newsletter.example.com → example.com (relaxed OK) |
Disposition shows what action the receiving email server took based on your DMARC policy and authentication results.
Action: No special action taken
Result: Email delivered normally
Policy: Usually p=none or authentication passed
Action: Email marked as suspicious
Result: Likely sent to spam folder
Policy: p=quarantine for failed emails
Action: Email completely blocked
Result: Email not delivered
Policy: p=reject for failed emails
The disposition may not always match your DMARC policy. Email providers can override your policy based on their own rules, reputation systems, or other factors. A p=none policy doesn't guarantee all emails will show "none" disposition.
Each report record includes detailed information about the sending source:
| Data Point | What It Shows | How to Use It |
|---|---|---|
| Source IP | The IP address that sent the email | Identify sending servers, trace origins |
| Message Count | Number of emails from this source | Understand volume patterns |
| PTR Record | Reverse DNS lookup of the IP | Verify legitimate sending domains |
| Country/Location | Geographic location of the IP | Identify unexpected sending locations |
Most of your email is properly authenticated and coming from legitimate sources.
Potential spoofing attack or new legitimate service not yet configured.
Email appearing to come from countries where you don't have operations.