DMARC XML Report FAQ

What is a DMARC XML Report?

A DMARC XML report provides information about email traffic authentication results for a specific domain. It includes details on the DMARC policy applied, sender authentication results, and IP addresses sending mail on behalf of the domain.

What do the main tags in a DMARC XML report mean?

Here’s a breakdown of the main tags and their meanings in a DMARC XML report:

<report_metadata>

This section contains metadata about the report, including:

  • <org_name>: Organization that generated the report.
  • <email>: Contact email for the report's sender.
  • <report_id>: Unique ID for the report.
  • <date_range>: Time period covered by the report, with:
    • <begin>: Start timestamp.
    • <end>: End timestamp.

<policy_published>

This section details the DMARC policy applied by the domain owner:

  • <domain>: The domain with the DMARC policy.
  • <adkim>: DKIM alignment mode (r for relaxed, s for strict).
  • <aspf>: SPF alignment mode (r for relaxed, s for strict).
  • <p>: DMARC policy action (e.g., none, quarantine, reject).
  • <sp>: Subdomain policy, if specified (optional).
  • <pct>: Percentage of messages the policy is applied to.

<record>

This tag contains data for each IP address sending mail on behalf of the domain.

<row>

This sub-tag within <record> includes:

  • <source_ip>: IP address sending the emails.
  • <count>: Number of messages from this IP.
  • <policy_evaluated>: Outcome of DMARC evaluation with:
    • <disposition>: Action taken (e.g., none, quarantine, reject).
    • <dkim>: Result of DKIM alignment (pass or fail).
    • <spf>: Result of SPF alignment (pass or fail).

<identifiers>

This sub-tag holds identifiers for DKIM and SPF:

  • <header_from>: Domain from the "From" header.

<auth_results>

This section provides authentication results for DKIM and SPF:

  • <dkim>: DKIM authentication result.
    • <domain>: Domain from which DKIM was applied.
    • <result>: DKIM result (pass or fail).
    • <selector>: DKIM selector used.
  • <spf>: SPF authentication result.
    • <domain>: Domain from which SPF was applied.
    • <result>: SPF result (pass or fail).

How does this information help domain owners?

DMARC XML reports help domain owners understand who is sending mail on their behalf and verify that these messages are properly authenticated, helping to prevent phishing and unauthorized email use.