Last February, I told you about the implementation of DMARC. In this second article, we will see what is behind a DMARC report through some questions. The aim of this series of articles is to help you - if you haven't already done so - to better protect your domain names with DMARC!

DMARC in three bullet points...

I'll make it short and simple: "DMARC" is an e-mail authentication standard that will rely on SPF & DKIM records. It will allow any advertiser who implements it to :

  • Enforce SPF & DKIM limitations by applying a security rule in case of SPF & DKIM failure on the sending domain.
  • Limit spam and phishing on your entire infrastructure (main domain & subdomains) thanks to reports provided by various organizations.
  • Make all e-mail flows compliant to improve their legitimacy.

The only constraint of DMARC today is that all the organizations (Fai, Webmails, Anti-Spam Filters, etc.) do not interpret it!

A DMARC report... What is it?

First of all, to receive DMARC reports, you will have to configure an e-mail address in the "rua" tag.

v=DMARC1; p=none;,,;

Note: If you want to receive all the reports, you will have to choose an e-mail address of your sending domain (e.g. for the domain name Otherwise, you will need to create a DMARC record (v=DMARC1;) on the domain external to your sending domain.

Once DMARC is in place, you will receive (depending on your settings), the activity results recorded on your sender domain. By this I mean the authentication results of your email campaigns but also third party activities - both legitimate and malicious.

This DMARC report is sent in ARF format (see attached). The file will be zipped and will contain the report in XML format.

DMARC report received from Google
DMARC report received from Google

Who sends these DMARC reports?

As I said before, the reports are sent by any organization that knows how to interpret DMARC and is able to send these famous reports.

Here is a list (not exhaustive) of the organizations for which we have received a report since January 1, 2021 (on 2 monitored domains):

OrganizationOrganizationZip format
BNP ParibasBank.GZ
Caisse des DépôtsFinance.GZ
Casino GroupDistribution.GZ
La PosteWebmail.GZ
OC3 NetworkHost.GZ
Listing of organizations sending DMARC reports

As you can see, the panel of companies is large and this is only a small proportion of what there may be as an organization returning DMARC-related information.

A DMARC report from the inside!!!

It's all very well to give you a lot of information about DMARC but I forgot the main thing... What information can be found in these famous reports ???

I'm going to break down a DMARC report we received from Gmail:

Structure of a report

A DMARC report is a file XML. You will find in this metadata all the authentication information related to your sender domain (and subdomains if it is placed on the root domain). This file is divided into 3 main sections:

  • report_metadata" tag
  • policy_published" tag
  • Record" tag.

The "record" tag is the most important since it will contain all the authentication results. 1 record = 1 result, so the more records you have in your file, the more authentication results you will have to analyze! If you are a big sender, I strongly advise you to use a DMARC monitoring solution.

*spoil* >> I'm planning several articles in June about different solutions... But shhhh!

The "report_metadata" tag

Content of the report_metadata tag of a DMARC report
Content of the report_metadata tag of a DMARC report

In this first section, you will find all the information related to the DMARC report:

  • : The organization that provides the DMARC report.
  • : The email address that sends the DMARC report.
  • : A link to the support page on DMARC.
  • : The ID of the DMARC report.
  • : The analysis period of the report. In our example (once transformed), the analysis period is from 11/01/2021 00:00 to 11/01/2021 23:59 GMT.

The "policy_published" tag

Content of the policy tag in a DMARC report
Content of the policy tag in a DMARC report

In this second section, you will find all the information related to your DMARC policy:

  • : Indicates the name of the domain (or subdomain) where DMARC is placed.
  • : Indicates DKIM alignment => "r" (relaxed=soft) & "s" (strict=strict).
  • : Indicates SPF alignment => "r" (relaxed=soft) & "s" (strict=strict).
  • <p> Indicates the DMARC policy of the domain where "p" is set =&gt; "none" (i.e. no action), "quarantine" (i.e. put in spam), reject (i.e. e-mail blocked).
  • : Indicates the DMARC policy of the subdomains of the domain where "p" is set => "none" (cf. no action), "quarantine" (cf. put in spam), reject (cf. blocked email).
  • : Specifies the percentage of emails on which the DMARC rule should apply.

The "record" tag

Content of a record tag in a DMARC report
Content of a record tag in a DMARC report

In this third section, you will find all the information related to the authentication results. This section is divided into three sub-sections:

    • : Indicates the IP that was used to send the email.
    • : Indicates the number of emails received with this IP.
      • : Indicates the DMARC policy.
      • : Indicates the authentication result for DKIM.
      • : Indicates the authentication result for SPF.
    • : Indicates the domain that is used in the sending address.
      • : Indicates the domain signed with DKIM.
      • : Indicates the DKIM authentication result.
      • : Indicates the selector for the DKIM key.
      • : Indicates the domain signed with SPF.
      • : Indicates the SPF authentication result.

Note: It is possible (as in the example) that a sending domain has multiple DKIM keys. Note that all DKIM keys will then be parsed in the subsection.


That's it, the appetizer is over. The objective here was really to show you the inside of a DMARC report (done) before diving directly into the heart of DMARC, namely the data analysis.

So, we will see in the next article how to interpret DMARC report data! You'll see, it's super exciting... Or not 😉

Need help deploying DMARC? Find the most suitable DMARC monitoring solution? Monitor your DMARC data? Do not hesitate to contact us...


Our latest content on DMARC :

And on other email authentication systems:


The author

2 réponses

  1. Hello, it's very interesting but could you explain if in an xml file received the record could indicate that a person (identifiable by his IP) has simply requested an online form that uses the MAIL function (php for example) or the SMTP parameters of our server?

  2. Hello Alex,
    DMARC reports only contain data from domains/subdomains where the DMARC record is placed, regardless of the system used to send the emails (outlook client, an Email Service Provider, an online form, etc.). Unfortunately, the IP you would retrieve is the IP of the form (not the IP of the person) provided that your domain/subdomain is set to the said form. If you want to retrieve the person's IP, you would have to record the information at the time they submit the form.
    Kind regards,

Laisser un commentaire

Your email address will not be published. Les champs obligatoires sont indiqués avec *