You set up DMARC, then your inbox starts filling with XML attachments from Google, Microsoft, and Yahoo. Now you’re asking the right question: what’s the difference between a DMARC report and DMARC itself?
Here’s the short version. DMARC is the policy you publish in DNS. A DMARC report is the feedback mailbox providers send back after they evaluate mail using your domain. One is the rule. The other is the evidence.
If you’re still setting up business email, start with create email with your domain. If mail already works but forwarding keeps breaking authentication, read forward domain email to Gmail. This guide is for the moment after setup, when you need to read a DMARC report without getting buried in XML.
The pain is predictable. You publish a DMARC record, wait a day, and then a DMARC report lands in your inbox looking like a corrupted backup file. Most articles make this worse by mixing up the record, the policy, the report address, and the failure data. That’s how people end up changing the wrong DNS record and breaking real mail.
This guide fixes that fast. You’ll see what a DMARC report is, how it differs from your DMARC record, what fields matter, and when a failure is a real problem versus normal forwarding noise.
What is a DMARC report?
A DMARC report is a feedback file sent by receiving mail systems to the address in your DMARC policy. It summarizes how messages using your domain performed against SPF, DKIM, alignment, and the DMARC policy you published.
A DMARC report is not the policy itself. It’s the output. Mail providers read your DMARC DNS record, evaluate mail using your domain in the From header, and then send summary data to the mailbox listed in the rua tag. RFC 7489 defines these as aggregate feedback reports and says they exist to help domain owners understand authentication results, needed corrective action, and policy impact.
DMARC report vs DMARC record
DMARC is the DNS instruction set. A DMARC report is the telemetry generated after receivers apply those instructions to real mail traffic.
| Item | What it is | Where it lives | What it does |
|---|---|---|---|
| DMARC record | TXT record at _dmarc.yourdomain.com | Your DNS | Tells receivers your policy, alignment mode, and report destinations |
| DMARC report | Usually an XML aggregate report | Your reporting mailbox or analyzer | Shows who sent mail, which auth checks passed, and what receivers did |
| DMARC policy | p=none, quarantine, or reject | Inside the DMARC record | Controls requested enforcement for messages that fail DMARC |
| RUA address | Reporting destination such as rua=mailto:dmarc@example.com | Inside the DMARC record | Tells providers where to send each DMARC report |
This distinction matters because the fix depends on which side is wrong. If your record is wrong, receivers evaluate mail incorrectly. If the record is fine but the DMARC report shows failures, the problem is usually an unauthorized sender, a forwarding path, or broken alignment in a tool you already use.
What’s inside a DMARC report?
A DMARC report groups messages by source IP and authentication outcome. The useful fields are sender IP, message count, SPF result, DKIM result, alignment status, and the action the receiver applied.
A raw DMARC report is XML. Ugly, but usable once you know where to look. The report should include the policy applied, message disposition, the SPF identifier and result, the DKIM identifier and result, and whether either identifier aligned with the visible From domain. That’s the part most admins care about, because DMARC passes when SPF or DKIM passes and aligns.
Common beginner mistake: seeing one SPF fail in a DMARC report and assuming all mail is broken. That is wrong. If DKIM passed and aligned, DMARC still passed.
Read a DMARC report in this order:
- Check the source IP and the reporting organization.
- Check message volume. One message and 20,000 messages are different problems.
- Check disposition: none, quarantine, or reject.
- Check SPF and DKIM together, not in isolation.
- Check alignment against the From domain you actually send from.
Aggregate reports vs forensic reports
Most of the time, when people say DMARC report, they mean an aggregate report sent via the rua tag. Failure or forensic reports use ruf, show per-message failures, and are less widely sent.
| Report type | Tag | Format | Best use | Reality in 2025-2026 |
|---|---|---|---|---|
| Aggregate | rua | XML summary | Daily monitoring, sender inventory, rollout decisions | This is the aggregate report you will actually receive and use |
| Forensic | ruf | Per-message failure samples | Debugging specific failures | Inconsistent support, privacy limits, often sparse |
If you only set one reporting destination, make it rua. That gives you the usable signal without turning your mailbox into a mess. Google’s sender guidelines make the broader point: failing authentication can affect whether mail gets rejected, sent to spam, or delivered as expected. That makes the aggregate DMARC report operationally useful, not just interesting.
How to publish a DMARC record that sends a DMARC report
You publish DMARC as a TXT record under _dmarc. Add a policy, add a reporting address, and start with monitoring before you move to stricter enforcement.
Here’s a safe starting point:
_dmarc.example.com. IN TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.com; adkim=s; aspf=s; pct=100"And here’s a stricter version once you’ve verified every sender in your DMARC report:
_dmarc.example.com. IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; adkim=s; aspf=s; pct=100"Later, if the DMARC report stays clean, move to reject. Don’t jump there blind.
You can verify the record with a quick lookup:
dig TXT _dmarc.example.com +shortIf you’re setting up TrekMail, the DNS side is straightforward. The domain wizard shows the required MX, SPF, DKIM, and DMARC records, and the live status checker flags missing or conflicting entries in the dashboard. The reference docs for adding a domain and emails going to spam are the right follow-ups if your authentication isn’t green yet.
How to read a DMARC report without overreacting
A DMARC report is useful when you separate expected failures from dangerous ones. Forwarding noise is normal. Unknown infrastructure pretending to be you is not.
| What the DMARC report shows | Likely cause | What to do |
|---|---|---|
| SPF fail, DKIM pass, DMARC pass | Forwarding, mailing list, or relay path | Usually ignore it if DKIM aligns |
| SPF fail, DKIM fail, DMARC fail from your vendor IP | Vendor not authorized or signing wrong domain | Fix SPF include, DKIM signing, or custom return-path setup |
| Both fail from random foreign IPs | Spoofing attempt | Do not authorize the IP; keep tightening policy |
| High-volume fail from your own app server | Shadow sender or forgotten SMTP path | Inventory the sender and bring it into compliance |
This is where a DMARC report becomes operational, not academic. It tells you which sender broke, how often it broke, and whether the receiver merely observed it or acted on it.
Why forwarding creates confusing DMARC report data
Forwarding breaks SPF because the forwarder’s server connects to the next hop, not the original sender’s server. That creates DMARC report rows that look scary even when the original message was legitimate.
If your DMARC report shows consumer mailbox providers or old ISP relays failing SPF, don’t rush to add those IPs to your SPF record. That would be reckless. SPF was never built to survive plain forwarding cleanly. The real control here is DKIM, because the DKIM signature stays with the message as it moves between hops unless the message gets modified enough to break it.
That’s why forwarding guidance matters. If you forward mail to Gmail or Outlook without SRS and clean DKIM handling, you create exactly the kind of noisy DMARC report that wastes hours. The practical breakdown is in email forwarding setup and fixes.
When a DMARC report means you need to change DNS
A DMARC report justifies DNS changes when it reveals a legitimate sender failing authentication or alignment. Don’t edit DNS until you know which sender is responsible and whether the failure is real.
Make changes only in these cases:
- Your paid email vendor is sending from your domain but missing from SPF.
- Your vendor signs DKIM with their domain instead of yours, so alignment fails.
- Your app or server is using an old SMTP path that no longer matches your DNS.
- Your DMARC record has no
ruadestination, bad syntax, or the wrong policy stage.
Do not change DNS because one DMARC report shows a Gmail or Outlook forwarding IP failing SPF. That’s a trap.
If you’re using TrekMail, this is where the platform is easier than patching records by memory. The old way is juggling registrar tabs, XML inboxes, and five third-party senders with no inventory. The new way is one dashboard for domains, DNS health, mailboxes, migration, and either your own SMTP or TrekMail’s managed SMTP. For teams that run many brands or client domains, that removes a lot of dumb failure modes. See the docs for IMAP and SMTP settings if you’re validating the actual sending path, or the broader operating model in multi domain email hosting.
Should you read every DMARC report manually?
Small domains can review a DMARC report manually for a while. Larger setups need a parser or at least a dedicated mailbox, because raw XML becomes noise fast.
For one domain with a couple of senders, opening the daily DMARC report by hand is fine during rollout. For ten domains, it gets annoying. For fifty, it turns into operational debt. At that point you either feed the reports into a parser or standardize your sending so the report becomes boring. Boring is good.
A clean aggregate report usually means the same few things every day: your approved sender IPs pass, your DKIM aligns, forwarding noise shows up in small volumes, and spoofing attempts get quarantined or rejected under policy.
Best-practice DMARC report workflow
The right workflow is simple: publish, observe, inventory senders, fix alignment, then tighten policy. A DMARC report supports each stage, but only if you treat it as evidence instead of panic fuel.
- Publish DMARC at
p=nonewith a dedicated reporting mailbox. - Wait at least several days so each receiver has time to send a DMARC report.
- Group every failing source into one of three buckets: legit sender, forwarding artifact, spoofing.
- Fix legit senders first. Ignore forwarding artifacts when DKIM alignment is intact.
- Move to
quarantine, thenrejectafter your DMARC report stays clean.
This is also why sender setup discipline matters. If you keep adding tools without updating SPF, DKIM, and return-path alignment, your DMARC report will keep telling on you.
TrekMail angle: less DNS drift, fewer surprises
TrekMail doesn’t replace DMARC, but it does reduce the mess around it. You still publish the record. You just spend less time chasing inconsistent sending paths across multiple domains.
For solo operators, TrekMail gives you custom domains, IMAP mailboxes, catch-all, mailbox forwarding, built-in IMAP migration, and either BYO SMTP or included SMTP on paid plans. For agencies and MSPs, the bigger win is bulk control: flat-rate multi-domain hosting, pooled storage, and one place to standardize DNS and sender setup across client fleets.
The old way is per-user mailbox fees, random forwarding rules, and no sender inventory. The new way is a single platform with DNS guidance, migration tooling, and clear plan boundaries. Paid plans start at $3.50 per month, the Nano plan stays free with no card required, and paid plans can be tested with a 14-day free trial. If that operating model fits, check TrekMail pricing.
Bottom line on the DMARC report
A DMARC report is the feedback loop for your DMARC policy. It doesn’t replace DNS. It tells you whether your DNS and your actual sending behavior match.
If you remember one thing, make it this: DMARC is the policy record in DNS, while the DMARC report is the evidence you use to fix sender drift, spot spoofing, and decide when to enforce quarantine or reject. Treat the DMARC report as an operating signal, not inbox clutter, and your deliverability gets a lot easier to control.
