You can set up Domain-based Message Authentication, Reporting, and Conformance (DMARC) to receive regular reports from email servers that get email from your domain.
Google recommends that you regularly monitor the daily DMARC reports that you get by email. Reviewing the information in the reports helps you understand what messages sent from your domain are passing SPF, DKIM, and DMARC authentication.
DMARC reports tell you:
- which servers or third-party senders are sending mail for your domain
- what percentage of messages from your domain pass DMARC
- which servers or services are sending messages that fail DMARC
- what actions the receiving server takes on unauthenticated messages from your domain: none, quarantine, or reject
- Who should use DMARC reports
- Create a dedicated group or mailbox for your reports
- Get help from a 3rd-party service (recommended)
- Reading DMARC reports
Who should use DMARC reports
Important: We recommend that you always use reports when you turn on DMARC for your domain.
Reports tell you which messages sent from your domain are authenticated by SPF and DKIM. Reports also let you regularly review who is sending mail on for your domain, and can alert you to potential spammers.
Review information in the DMARC reports to verify that messages from your domain are sent by authorized servers, and pass authentication checks. As you understand how receiving servers authenticate messages from your domain, consider changing your policy from none to quarantine or reject.
Create a dedicated group or mailbox for your reports
The number of DMARC reports you receive by email can vary, and depends on how much email your domain sends and how many domains you send to. Every mail server you send email to will send you a daily report. You can receive many reports every day. Large organizations might get up to hundreds or even thousands of reports daily.
We recommend creating a dedicated group or mailbox for your DMARC reports. If you get many daily reports, or if you need help reading and understanding reports, consider using a third-party service. Third-party DMARC services can receive, manage, and analyze your reports.
Send reports to an email address in a different domain
DMARC reports are sent to the email address you specify in your DMARC record with the rua tag. If the email address has a different domain than the domain where your DMARC record is hosted, you must add a DNS record at the other domain.
For example, if your DMARC record is hosted at your domain examplepetstore.com and the email address for reports is dmarc-reports@myownpersonaldomain.com, add a DNS TXT record at myownpersonaldomain.com, as shown below.
Replace these example domains with your own domains. For more help, refer to your domain host's documentation.
Field name | Value to enter |
Type | The record type is TXT. |
Host (Name, Hostname, or Alias) | examplepetstore.com._report._dmarc.myownpersonaldomain.com |
Value | v=DMARC1; |
Get help from a 3rd-party service (recommended)
Reports can be difficult to read and interpret in raw format. We recommend using a third-party service that specializes in DMARC to receive, store, and analyze your reports. Some Google Cloud partners offer support for DMARC, including managing and analyzing your DMARC reports. Find a Google Cloud partner that supports DMARC
- Depending on your mail volume, it’s possible to get many reports each day, up to hundreds. Several factors determine the number of reports you get, including: how many domains you send to, how much mail you send, and the reporting options specified in your DMARC policy record.
- Without a third-party service, you might need to create a dedicated Group or mailbox to receive and store the reports.
- Third-party services can combine individual reports.
- Third-party services can analyze aggregated reports, and provide feedback to you about how effective your DMARC record is.
Reading DMARC reports
DMARC reports are usually sent once a day by email. They're sent to the email addresses you specify when you prepare your DMARC record. If reports are turned on with the rua DMARC record tag in your DMARC record, every server that receives mail from your domain sends a report.
Raw reports are in XML format, and include report metadata and one or more records. The important information in the reports is whether messages from your domain pass DMARC.
Each record summarizes:
- the number of messages sent from a single IP address for the report time period
- the SPF, DKIM, and DMARC authentication results for the messages
- any actions taken by the receiving server, for example accepting unauthenticated messages because they passed ARC authentication
Look for any problem trends, such as:
- if recipients get valid messages from you, but they’re in the spam folder
- if you’re getting bounce or error messages from recipients
Note: To fix problems with messages from your domain being rejected or sent to spam, go to Troubleshoot DMARC issues.
Example DMARC report in raw XML format
Here's an example of a report with one record that shows the results for 2 email messages. To read XML records, convert the report to a readable format, for example:
- Convert the records to a tabular format by adding them to a relational database
- Convert the XML to HTML by applying an XSL style sheet
<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
<report_metadata>
<org_name>example.com</org_name>
<email>[email protected]</email>
<extra_contact_info>http://example.com/dmarc/support</extra_contact_info>
<report_id>9391651994964116463</report_id>
<date_range>
<begin>1335571200</begin>
<end>1335657599</end>
</date_range>
</report_metadata>
<policy_published>
<domain>bix-business.com</domain>
<adkim>r</adkim>
<aspf>r</aspf>
<p>none</p>
<sp>none</sp>
<pct>100</pct>
</policy_published>
<record>
<row>
<source_ip>203.0.113.209</source_ip>
<count>2</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>fail</dkim>
<spf>pass</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>bix-business.com</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>bix-business.com</domain>
<result>fail</result>
<human_result></human_result>
</dkim>
<spf>
<domain>bix-business.com</domain>
<result>pass</result>
</spf>
</auth_results>
</record>
</feedback>
Example DMARC report in tabular format
Here's an example of a report with two records in tabular format. This report has been converted from XML format to a tabular format.