DMARC Reports Guide

Master DMARC reporting with Smarthost.MX. Understand your email authentication data, identify threats, and optimize your email security.

DMARC Reporting Overview

DMARC Reporting Plan Requirement

DMARC reporting is available only on plans that include this feature. If you don't currently have access to DMARC reports and would like to monitor your domain's email authentication, you can upgrade your plan to include DMARC reporting capabilities.

What Are DMARC Reports?

DMARC reports provide detailed insights into how your domain is being used for email authentication. They show you who is sending emails claiming to be from your domain and whether those emails pass authentication checks.

Why DMARC Reports Matter:
  • Security Monitoring: Identify unauthorized use of your domain
  • Authentication Analysis: See SPF and DKIM pass/fail rates
  • Delivery Optimization: Improve email deliverability scores
  • Brand Protection: Detect and prevent email spoofing
  • Compliance Verification: Ensure legitimate emails are properly authenticated
Report Types:
Aggregate Reports (RUA): Daily summaries of authentication results
Report Frequency: Daily collection, daily or weekly analysis

Setting Up DMARC Monitoring

Configure DMARC for Reporting

Step 1: Add Domain for Monitoring
  1. Log in to your Smarthost.MX Dashboard
  2. Navigate to the DMARC Reports menu item
  3. Click the "Enable DMARC" button to enable it globally
  4. Under "Available Domains", click Add for each monitored domain
  5. Specify the Report Email Address (defaults to your account email)
  6. Specify the Report Frequency: Daily or Weekly
Step 2: Configure DMARC Record

Add a DMARC TXT record to your DNS:

Name: _dmarc.yourdomain.com
Type: TXT
Value: v=DMARC1; p=quarantine; rua=mailto:[email protected]
Step 3: Wait for Data Collection
  • DNS propagation: 24-48 hours
  • First reports: 24-72 hours after DNS update
  • Full data visibility: 7-14 days
Multiple Email Addresses

You can include multiple reporting addresses:

v=DMARC1; p=none; rua=mailto:[email protected],mailto:[email protected]
Note: Weekly Reports will be sent on Monday mornings.

Understanding DMARC Report Data

Report Dashboard Components

Message Volume

Total emails claiming to be from your domain, broken down by source and authentication status.

Authentication Results

SPF and DKIM pass/fail rates, alignment status, and overall DMARC compliance.

Source Analysis

Breakdown of sending sources, including legitimate services and potential threats.

Reading Report Tables

[Figure: DMARC Report Dashboard Example. Example of DMARC report data showing authentication results and source analysis]

Key Columns Explained:
Source IP/Hostname: Server IP and Name (if available) that sent the email
Messages Count: Number of emails from this source
Header From: Source Domain from message header
SPF Result: Pass/Fail for SPF authentication
DKIM Result: Pass/Fail for DKIM signature
Disposition: Action taken (none/quarantine/reject)
Result Interpretation:
PASS: Authentication successful - legitimate email
FAIL: Authentication failed - investigate source
SOFTFAIL: Partial failure - may need attention
NEUTRAL: No authentication policy - normal for some sources
Focus on high-volume FAIL results first - these represent the biggest security risks.

Analyzing DMARC Results

Legitimate Traffic
Identifying Legitimate Sources:
  • Known Services: Your email platform, marketing tools
  • High DMARC Pass Rates: Sources with consistent authentication
  • Expected Volume: Traffic patterns matching your sending
  • Recognized IPs: Servers you control or authorized services
Common Legitimate Sources:
  • Smarthost.MX servers (should always pass)
  • Your website contact forms
  • Marketing automation platforms
  • CRM and helpdesk systems
  • Internal company servers
Suspicious Activity
Red Flags to Investigate:
  • Unknown IP Addresses: Servers you don't recognize
  • High Failure Rates: Sources consistently failing authentication
  • Unusual Volume: Unexpected spikes in email volume
  • Geographic Anomalies: Traffic from unexpected countries
Potential Threats:
  • Email spoofing attempts
  • Phishing campaigns using your domain
  • Compromised systems or accounts
  • Unauthorized third-party services
  • Business email compromise (BEC)
Investigation Process
Step-by-Step Investigation:
  1. IP Lookup: Use WHOIS to identify the server owner
  2. Volume Analysis: Check if traffic volume is reasonable
  3. Time Patterns: Look for unusual sending times
  4. Geographic Check: Verify if location makes sense
  5. Authentication Review: Understand why authentication failed
Investigation Tools:
  • WHOIS database lookups
  • IP reputation checkers
  • Geographic IP mapping
  • Historical data comparison
Trend Analysis
Monitoring Trends:
  • Authentication Rates: Are pass rates improving?
  • Volume Changes: Is email traffic growing as expected?
  • New Sources: Are new IPs appearing regularly?
  • Policy Impact: How do policy changes affect results?
Healthy Benchmarks:
DMARC Pass Rate: >95%
SPF Pass Rate: >90%
DKIM Pass Rate: >90%
Unknown Sources: <5%
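
The report columns and benchmarks above can also be computed directly from a raw aggregate (RUA) report. The following is an added example, not Smarthost.MX code: it assumes the standard RFC 7489 aggregate XML layout, treats the `policy_evaluated` SPF/DKIM values as the results to count, and uses constructed sample data and hypothetical function names.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

def _rec(ip, count, dkim, spf):
    # One <record> in the RFC 7489 aggregate-report layout.
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition><dkim>{dkim}</dkim>"
            f"<spf>{spf}</spf></policy_evaluated></row><identifiers>"
            "<header_from>example.com</header_from></identifiers></record>")

# Constructed sample (documentation IP ranges), not a real report.
SAMPLE = ("<feedback>"
          + _rec("192.0.2.10", 880, "pass", "pass")
          + _rec("198.51.100.7", 100, "pass", "fail")  # DKIM-only sender
          + _rec("203.0.113.5", 5, "fail", "fail")
          + _rec("203.0.113.99", 15, "fail", "fail")
          + "</feedback>")

def summarize(xml_text):
    # Reports come from third parties: refuse DTDs and entities before parsing.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration in report")
    totals, failing = defaultdict(int), defaultdict(int)
    for rec in ET.fromstring(xml_text).iter("record"):
        row = rec.find("row")
        n = int(row.findtext("count"))
        dkim = row.findtext("policy_evaluated/dkim") == "pass"
        spf = row.findtext("policy_evaluated/spf") == "pass"
        totals["messages"] += n
        totals["spf"] += n * spf
        totals["dkim"] += n * dkim
        totals["dmarc"] += n * (spf or dkim)  # either aligned check passing is enough
        if not (spf or dkim):
            failing[row.findtext("source_ip")] += n
    msgs = totals["messages"] or 1  # avoid dividing by zero on an empty report
    rates = {k: 100.0 * totals[k] / msgs for k in ("dmarc", "spf", "dkim")}
    # High-volume failures first, as the guide recommends.
    worst = sorted(failing.items(), key=lambda kv: kv[1], reverse=True)
    return rates, worst

def below_benchmarks(rates):
    # Thresholds from the guide: DMARC >95%, SPF >90%, DKIM >90%.
    limits = {"dmarc": 95.0, "spf": 90.0, "dkim": 90.0}
    return [k for k, limit in limits.items() if rates[k] <= limit]

if __name__ == "__main__":
    rates, worst = summarize(SAMPLE)
    print(rates, worst, below_benchmarks(rates))
```

In the sample, the DMARC pass rate is healthy while SPF alone falls below its benchmark, which points at a legitimate DKIM-signing sender missing from the SPF record rather than at spoofing.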

Taking Action on DMARC Data

Immediate Actions

For Legitimate Sources Failing Authentication:
  1. Update SPF Record:
    • Add missing IP addresses or includes
    • Fix syntax errors in existing SPF
    • Ensure all authorized sources are covered
  2. Configure DKIM:
    • Set up DKIM signing for all services
    • Publish DKIM public keys in DNS
    • Verify DKIM signatures are working
  3. Service Configuration:
    • Contact service providers for authentication help
    • Review third-party service settings
    • Ensure From addresses match authentication
For Suspicious or Unauthorized Sources:
  1. Investigate the Source:
    • Determine if the traffic is malicious
    • Check if it's a misconfigured service
    • Verify if it's actually from your organization
  2. Document Findings:
    • Record suspicious IP addresses
    • Note volume and frequency patterns
    • Save evidence for potential reporting
  3. Consider Policy Changes:
    • Move from p=none to p=quarantine
    • Eventually implement p=reject
    • Monitor impact of policy changes

DMARC Policy Progression

  1. Monitor Mode (p=none): Collect data without affecting email delivery. Recommended duration: 2-4 weeks maximum.
  2. Quarantine Mode (p=quarantine): Failed emails go to the spam folder. You can start with a low percentage (by adding pct=25) and increase gradually.
  3. Reject Mode (p=reject): Failed emails are blocked entirely. Only implement when 95%+ of legitimate emails pass.

Important: Never jump directly to p=reject. Gradual progression prevents accidentally blocking legitimate emails.
Verify Your DMARC Configuration

Before implementing policy changes, check your current DMARC record:
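
One way to sanity-check a record value before changing policy, as an added example that is not Smarthost.MX tooling: it parses a DMARC TXT value offline and reports where the record sits in the progression above. The function names and the example.com addresses are constructed for illustration.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Parse a DMARC TXT value into a tag dict; raise ValueError if malformed."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"tag without '=': {part!r}")
        tags[name.strip().lower()] = value.strip()
    # v must be the first tag and exactly DMARC1, or receivers ignore the record.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p", "").lower() not in VALID_POLICIES:
        raise ValueError("missing or invalid p= policy")
    return tags

def review(txt):
    """Return findings relevant to the none -> quarantine -> reject rollout."""
    tags = parse_dmarc(txt)
    findings = []
    policy = tags["p"].lower()
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    if not 0 <= pct <= 100:
        raise ValueError("pct must be 0-100")
    uris = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not uris:
        findings.append("no rua: no aggregate reports will be sent")
    findings += [f"rua is not a mailto URI: {u}"
                 for u in uris if not u.lower().startswith("mailto:")]
    if policy == "none":
        findings.append("p=none: monitoring only, failing mail is still delivered")
    elif pct < 100:
        findings.append(f"p={policy} applied to {pct}% of failing mail")
    return findings

if __name__ == "__main__":
    # Constructed record in the same form as the examples in this guide.
    print(review("v=DMARC1; p=quarantine; pct=25; "
                 "rua=mailto:dmarc@example.com,mailto:secops@example.com"))
```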

Report Management

Email Report Delivery
Available Report Frequencies:
  • Daily Reports: Sent every morning with previous day's data
  • Weekly Reports: Comprehensive summary sent on Monday mornings
Report Configuration:
  • Set report frequency per domain (daily or weekly)
  • Specify email address for report delivery
  • Default email address is your account email
  • Configure from your DMARC Reports dashboard
Note: Reports are delivered automatically by email only. Configure your preferences in the dashboard.
Data Retention and Access
Dashboard Data Access:
  • 90-Day Retention: DMARC Reports dashboard shows up to 90 days of data
  • Real-time Access: View current and historical data online
  • Detailed Analysis: Drill down into specific time periods and sources
Long-term Data Preservation:
  • Save Email Reports: Keep important email reports for your records
  • Print Report Pages: Print dashboard pages for offline storage
  • Manual Documentation: Record key findings and actions taken
Important: Data older than 90 days is not available in the dashboard. Save important reports as they arrive.

DMARC Reporting Best Practices

Regular Monitoring
Monitoring Schedule:
  • Daily: Check for unusual activity and failures
  • Weekly: Review detailed reports and trends
  • Monthly: Analyze policy effectiveness and make adjustments
  • Quarterly: Comprehensive security review
Key Metrics to Track:
  • DMARC compliance percentage
  • Volume of legitimate vs. suspicious traffic
  • Number of unique sending sources
  • Geographic distribution of senders
Team Collaboration
Stakeholder Involvement:
  • IT Security: Monitor threats and policy enforcement
  • Email Admins: Manage authentication and delivery
  • Marketing: Ensure campaign deliverability
  • Executive Team: Understand brand protection status
Communication Strategy:
  • Regular security briefings
  • Incident response procedures
  • Policy change notifications
  • Training and awareness programs

Need Help with DMARC Reports?

Our team can help you interpret reports, investigate suspicious activity, and optimize your DMARC policy.
