Reading Reports

Where the Data Comes From

Every receiving mail provider that supports DMARC (Google, Microsoft, Yahoo, and many others) sends a daily aggregate report to the rua address in your DMARC record. Each report covers roughly a 24-hour window and contains, per sending IP:

• Message volume from that IP
• SPF and DKIM raw authentication results
• SPF and DKIM alignment results against your From domain
• The DMARC disposition applied (none, quarantine, or reject)

Aggregate reports contain no message content and no recipient addresses - only authentication statistics. DMARCsimple collects, parses, and merges these reports into the dashboard automatically.

The Sending Sources View

The core of the dashboard is the sending source breakdown. DMARCsimple groups reported IPs into recognizable services so that instead of a wall of addresses you see entries like:

• Google Workspace - your corporate mail
• Mailchimp / SendGrid / similar - marketing and transactional platforms
• CRM and helpdesk tools - anything sending notifications as your domain
• Unknown sources - IPs that do not map to a known service

For each source you see message volume, SPF and DKIM pass rates, and overall DMARC pass rate. Sort by volume first: fixing your highest-volume failing source moves your compliance percentage the most.

Understanding Alignment Pass and Fail

DMARC does not just ask whether SPF or DKIM passed - it asks whether the passing identifier aligns with your visible From domain:

• SPF alignment: the Return-Path (envelope sender) domain must match the From domain
• DKIM alignment: the d= domain in the DKIM signature must match the From domain
• DMARC passes when at least one of the two passes and aligns - it does not require both

This explains a pattern you will see constantly: a third-party sender shows SPF pass but SPF alignment fail, because it uses its own bounce domain in the Return-Path. If you configured custom DKIM for that sender, DKIM aligns and DMARC still passes.

By default alignment is relaxed, so mail.example.com aligns with example.com. Strict alignment requires an exact match and is rarely needed.

Identifying Legitimate Senders

Work through your source list and confirm each one is something your organization actually uses. Legitimate sources typically:

• Map to a service you recognize (or that another department signed up for - ask around before assuming it is hostile)
• Send consistent volume on a predictable pattern
• Pass at least one of SPF or DKIM, even if alignment needs fixing

A legitimate source that fails alignment is a configuration task, not a threat: add it to SPF, enable custom DKIM, or both. Keep a running inventory - this list is the foundation for moving to enforcement later.

Spotting Spoofing and Abuse

Sources that fail both SPF and DKIM outright deserve scrutiny. Signs of spoofing or unauthorized use:

• IPs in networks with no relationship to your infrastructure or vendors, often in unexpected countries
• Zero percent authentication - no SPF pass, no DKIM signature at all
• Sudden volume spikes from a brand-new source
• Short bursts that disappear, then reappear from different IPs

Important nuance: some of this traffic is harmless forwarding (a recipient auto-forwarding to another mailbox often breaks SPF). Genuine spoofing tends to fail everything and come from unrelated networks. You cannot stop spoofers from trying, but at p=quarantine or p=reject their messages stop reaching inboxes.

Related Articles

• Getting Started with DMARCsimple
• DMARCsimple Initial Setup
• Policy Progression
• Troubleshooting
• DMARC Monitoring Explained
• All Help Articles