CertaDNS

DMARC Reporting

Available on: Pro, Elite

1. What This Feature Does

DMARC Reporting configures DMARC policies for your domains and collects aggregate reports from email receivers. CertaDNS generates a DMARC DNS record for your domain, receives DMARC reports via a dedicated email address, parses them, and displays authentication pass/fail statistics. You can view per-sender breakdowns and pass rates, and identify sources of email authentication failures.

Each DMARC configuration creates a _dmarc TXT record that specifies your email authentication policy (none, quarantine, or reject), alignment modes for SPF and DKIM, and the email address where aggregate reports should be sent. The system automatically collects these reports, extracts data from XML attachments, and computes alignment statistics. Individual records show which IP addresses are sending mail on behalf of your domain and whether those messages pass SPF and DKIM checks.

2. When You Should Use It

  • You want to monitor which servers are sending email using your domain name and whether those emails are authenticating correctly.
  • You need visibility into SPF and DKIM authentication results before enforcing a strict DMARC policy.
  • You are preparing to move from a monitoring-only policy (p=none) to quarantine or reject and need data to identify legitimate senders.
  • You want to detect unauthorized use of your domain in email headers (spoofing or phishing attempts).
  • You need centralized reporting across multiple email receivers (Gmail, Outlook, Yahoo, etc.) in a single dashboard.

3. When You Should Not Use It

  • No email sending: If your domain does not send email and you have no legitimate mail servers, DMARC reporting will show zero activity. Use a reject policy without monitoring instead.
  • SPF and DKIM not configured: DMARC relies on SPF and DKIM. If neither is configured, all messages will fail alignment. Configure SPF Flattening and DKIM Key Management first.
  • Free or Plus plan: DMARC Reporting requires Pro or Elite. For lower-tier plans, configure DMARC manually via DNS Record Management and collect reports externally.
  • Real-time alerting: DMARC aggregate reports are delivered in batches (typically every 24 hours). For immediate failure notifications, use forensic reports (RUF) sent to your own email address.

4. Prerequisites

  • A Pro or Elite plan.
  • A managed DNS zone where the DMARC configuration will be created. The zone must be imported and verified.
  • SPF and DKIM records should already be configured for the domain. DMARC validates alignment between these mechanisms and the From header.
  • Access to the Email Auth section in the dashboard.

5. How It Works (Brief)

When you create a DMARC configuration, CertaDNS generates a _dmarc.{zone} TXT record containing your policy, alignment modes, and the reporting email address. If auto-publish is enabled, this record is written directly to your PowerDNS zone with a TTL of 3600 seconds.

The reporting email address follows the format dmarc+{zone-with-dashes}@reports.certadns.com. For example, example.com becomes dmarc+example-com@reports.certadns.com. Email receivers (Gmail, Outlook, Yahoo, etc.) send aggregate reports to this address every 24 hours (or at their configured interval).

An IMAP receiver cron job runs every 15 minutes. It connects to the CertaDNS mail server, searches for unread messages, extracts the zone name from the recipient address, verifies the zone exists, and processes XML attachments (plain, gzip-compressed, or zip-compressed). Each report contains metadata (organization name, report ID, date range) and individual records showing source IPs, message counts, SPF and DKIM results, and disposition. The system computes alignment based on your configured modes (relaxed or strict) and stores summary statistics and individual records.

You can view these statistics in the Email Auth dashboard, filtered by zone and date range (1-90 days). The dashboard displays total messages, passed/failed counts, pass rate percentage, and top sending IPs with their individual pass rates.

6. How to Use It

Creating a DMARC configuration

  1. Navigate to Dashboard > Email Auth > DMARC.
  2. Select a zone from the dropdown. Only zones you own and have verified appear in the list.
  3. Click Create DMARC Configuration.
  4. In the configuration form:
    • Policy (p): Select none (monitor only), quarantine (mark suspicious), or reject (block). Start with none if you are unsure.
    • Subdomain Policy (sp): Optionally set a different policy for subdomains. If left empty, subdomains inherit the main policy.
    • Percentage (pct): Apply the policy to a percentage of messages (1-100). Default is 100. Use a lower percentage for gradual rollout.
    • Use CertaDNS RUA: Check this box to receive aggregate reports at the auto-generated CertaDNS email address. This is required for dashboard statistics.
    • Forensic Reports (RUF): Optionally enter an email address to receive forensic reports (message samples on failure). Leave blank if not needed.
    • SPF Alignment Mode (aspf): r (relaxed, allows subdomain match) or s (strict, requires exact domain match). Default: r.
    • DKIM Alignment Mode (adkim): r (relaxed) or s (strict). Default: r.
    • Auto-publish: Check this box to automatically publish the _dmarc record to your DNS zone. If unchecked, you must add the record manually.
  5. Click Save Configuration.
  6. The generated DMARC record appears below the form. If auto-publish is enabled, the record is added to your zone within one hour.

Viewing DMARC statistics

  1. Navigate to Dashboard > Email Auth > DMARC > Statistics.
  2. Select a zone from the dropdown.
  3. Select a time period (7, 30, or 90 days). Default is 30 days.
  4. The statistics overview displays:
    • Total messages processed
    • Passed count (green, messages that passed DMARC alignment)
    • Failed count (red, messages that failed alignment)
    • Pass rate percentage with color coding (green if ≥90%, yellow if ≥70%, red if <70%)
    • Pass rate progress bar
  5. Below the summary, view the Top 5 Sending IPs table showing:
    • Source IP address
    • Message count
    • Pass rate percentage

Viewing individual reports

  1. Navigate to Dashboard > Email Auth > DMARC > Reports.
  2. Select a zone and date range.
  3. The report list displays up to 100 most recent reports with:
    • Organization name (the email receiver that sent the report)
    • Date range (begin and end timestamps)
    • Total message count
    • Passed count
    • Failed count
    • Computed pass rate
  4. Click a report to view detailed records showing each source IP, message count, disposition, SPF result, DKIM result, and alignment flags.

Uploading a report manually

  1. Navigate to Dashboard > Email Auth > DMARC > Upload.
  2. Select the zone this report belongs to.
  3. Click Choose File and select an XML, .gz, or .zip file containing a DMARC aggregate report.
  4. Click Upload.
  5. The system parses the file and displays a summary of total, passed, and failed messages.
  6. The uploaded report appears in the report list and contributes to statistics.

Updating a DMARC configuration

  1. Navigate to Dashboard > Email Auth > DMARC.
  2. Select the zone with the existing configuration.
  3. Click Edit Configuration.
  4. Modify any fields (policy, percentage, alignment modes, etc.).
  5. Click Save Configuration.
  6. The DMARC record is regenerated. If auto-publish is enabled, the DNS record updates within one hour.

Deleting a DMARC configuration

  1. Navigate to Dashboard > Email Auth > DMARC.
  2. Select the zone with the configuration you want to delete.
  3. Click Delete Configuration.
  4. Confirm the deletion.
  5. The configuration is removed. If auto-publish was enabled, the _dmarc DNS record is not automatically deleted; remove it manually via DNS Record Management.

7. Inputs and Settings

| Field | Description | Constraints |
| --- | --- | --- |
| Zone | The domain for which the DMARC policy applies. Must be a managed zone you own. | Required. One DMARC configuration per zone per user. |
| Policy (p) | Action receivers should take for messages that fail DMARC. Options: none (monitor only, no action), quarantine (mark as spam), reject (block delivery). | Required. Default: none. |
| Subdomain Policy (sp) | Policy for subdomains. If omitted, subdomains inherit the main policy. | Optional. Same values as policy. |
| Percentage (pct) | Percentage of failing messages to which the policy applies. Use for gradual enforcement. | 1-100. Default: 100. |
| Use CertaDNS RUA | If enabled, aggregate reports are sent to the auto-generated CertaDNS email address (dmarc+{zone}@reports.certadns.com). Required for dashboard statistics. | Boolean. Recommended: enabled. |
| Forensic Email (RUF) | Email address to receive forensic reports (message samples on authentication failure). | Optional. Must be a valid email address. |
| SPF Alignment (aspf) | SPF alignment mode. r (relaxed): organizational domain match allowed. s (strict): exact domain match required. | Default: r. |
| DKIM Alignment (adkim) | DKIM alignment mode. r (relaxed): organizational domain match allowed. s (strict): exact domain match required. | Default: r. |
| Auto-publish | If enabled, CertaDNS publishes the _dmarc TXT record to your DNS zone automatically. | Boolean. Recommended: enabled. |

Generated DMARC record structure

The system generates a TXT record at _dmarc.{zone} with content:

v=DMARC1; p={policy}; [sp={subdomain_policy}]; [pct={percentage}]; rua=mailto:{rua_email}; [ruf=mailto:{ruf_email}]; [aspf={aspf}]; [adkim={adkim}]; [fo={fo}]; [ri={ri}]

Tags in square brackets are optional and only included if configured. Default values:

  • v=DMARC1 (always first, version identifier)
  • p=none (policy, if not specified)
  • pct=100 (percentage, if not specified)
  • aspf=r (SPF alignment, if not specified)
  • adkim=r (DKIM alignment, if not specified)
  • ri=86400 (report interval in seconds, 24 hours, if not specified)
  • fo=0 (failure options, if not specified)

8. Outputs and Results

Statistics summary

| Metric | Description |
| --- | --- |
| Total Messages | Sum of message counts from all reports in the selected period. |
| Passed | Count of messages where DKIM or SPF aligned with the From header domain. |
| Failed | Count of messages where neither DKIM nor SPF aligned. |
| Pass Rate | Percentage calculated as (Passed / Total) * 100. Color-coded: green ≥90%, yellow ≥70%, red <70%. |
| Report Count | Total number of aggregate reports received in the period. |

Top senders table

Shows the top 10 source IPs by message count. Each row contains:

| Column | Description |
| --- | --- |
| Source IP | The IP address that sent messages on behalf of your domain. |
| Message Count | Total messages from this IP in the selected period. |
| Pass Rate | Percentage of messages from this IP that passed alignment. |

Report list

The report list endpoint returns up to 100 most recent reports. Each report includes:

| Field | Description |
| --- | --- |
| Organization Name | The email receiver that generated the report (e.g., google.com, outlook.com). |
| Report ID | Unique identifier assigned by the reporting organization. |
| Date Range | Begin and end timestamps for the reporting period (typically 24 hours). |
| Total Count | Total messages covered by this report. |
| Passed Count | Messages that passed DMARC alignment. |
| Failed Count | Messages that failed alignment. |
| Pass Rate | Computed as (Passed / Total) * 100. |

Individual report detail

When viewing a specific report, the detail view shows:

  • Report metadata (organization, report ID, date range, policy applied)
  • Parsed policy from the report (domain, alignment modes, policy, percentage)
  • Individual records (up to thousands per report), each containing:
    • Source IP address
    • Message count from this source
    • Disposition (none, quarantine, reject)
    • DKIM result (pass, fail, none)
    • SPF result (pass, fail, none)
    • DKIM domain (domain used in DKIM signature)
    • SPF domain (domain used in SPF check)
    • DKIM aligned flag (true if DKIM passed and domain matches From header)
    • SPF aligned flag (true if SPF passed and domain matches From header)

API response example

Statistics endpoint (GET /email-auth/dmarc/stats/{zone}?days=30) returns:

{
  "summary": {
    "total_messages": 12543,
    "passed_count": 11890,
    "failed_count": 653,
    "pass_rate": 94.8,
    "report_count": 45
  },
  "top_senders": [
    {
      "source_ip": "192.0.2.50",
      "message_count": 5230,
      "pass_rate": 98.2
    },
    {
      "source_ip": "198.51.100.10",
      "message_count": 3100,
      "pass_rate": 92.5
    }
  ]
}

9. How to Interpret Results

Normal

  • Pass rate above 90%. Most messages are authenticating correctly. SPF and DKIM are properly configured and aligned with the From header.
  • Top senders show known mail servers (your ESP, internal mail servers) with high pass rates. These are legitimate sources.
  • Failed count is low and consists of expected failures (forwarded mail, mailing list modifications, etc.).
  • Reports arrive daily from major receivers (Google, Microsoft, Yahoo). This indicates your DMARC record is correctly published and the RUA address is reachable.

Unexpected or worth investigating

  • Pass rate below 70%: A significant portion of messages are failing alignment. Check that SPF and DKIM records are published and that your mail servers are configured to sign messages with DKIM and pass SPF checks.
  • Unknown IP addresses in top senders: Source IPs you do not recognize may indicate unauthorized senders using your domain. Investigate these IPs. If they are legitimate (e.g., third-party service sending on your behalf), ensure they are included in your SPF record and configured for DKIM.
  • Zero reports received: If no reports appear after 48 hours, verify the _dmarc record is published and the RUA email address is correct. Check that email receivers are sending reports to the CertaDNS address.
  • All messages failing from known senders: A legitimate mail server showing 0% pass rate indicates SPF or DKIM misconfiguration. Verify the SPF record includes the IP and the server is signing with a valid DKIM key.
  • High disposition=reject count with policy=none: Some receivers are applying reject despite your policy being set to none. This may indicate the receiver has its own policy overrides or local rules. No action needed unless legitimate mail is blocked.

Common interpretation mistakes

  • Expecting 100% pass rate: Some failures are normal due to email forwarding, mailing list modifications, and transient DNS issues. A pass rate above 95% is considered healthy.
  • Confusing SPF/DKIM pass with alignment: A message can pass SPF or DKIM checks but still fail DMARC if the domain in the check does not align with the From header. Alignment requires the organizational domains to match (relaxed) or the full domains to match exactly (strict).
  • Ignoring subdomain traffic: Reports include subdomains unless a separate sp policy is defined. Traffic from subdomains contributes to the overall pass/fail counts.
  • Treating forensic (RUF) and aggregate (RUA) as the same: RUA reports are statistical summaries (what this feature collects). RUF reports are individual message samples sent in real time. Most receivers do not send RUF reports due to privacy concerns.

10. Common Issues and Explanations

"DMARC configuration already exists for this zone" error

You can only create one DMARC configuration per zone. If a configuration already exists, edit or delete it before creating a new one. This constraint ensures only one _dmarc record is active per zone.

"DMARC management requires Pro plan or higher" error

DMARC Reporting is only available on Pro and Elite plans. Free and Plus users can manually create _dmarc TXT records via DNS Record Management and collect reports using external tools.

No reports received after 48 hours

Verify the _dmarc TXT record is published and resolvable. Use dig _dmarc.{zone} TXT to confirm. Check that the RUA email address matches the format dmarc+{zone-with-dashes}@reports.certadns.com. Ensure your domain is sending email; receivers only send reports if they process messages from your domain. Note that some small receivers may not send reports at all.
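
One way to run these record checks against the TXT value returned by dig, as an added Python example that is not CertaDNS code: it validates the tags listed under "Generated DMARC record structure" and confirms the RUA address is present. The function names are hypothetical, the sample records in the usage lines are constructed, and the dots-to-dashes rule is inferred from the page's example.com example.

```python
POLICIES = {"none", "quarantine", "reject"}

def expected_rua(zone):
    # Assumption from the page's single example: dots in the zone become dashes.
    return "dmarc+" + zone.lower().rstrip(".").replace(".", "-") + "@reports.certadns.com"

def parse_tags(txt):
    """Split 'v=DMARC1; p=none; ...' into an ordered list of (tag, value)."""
    pairs = []
    for part in txt.strip().strip('"').split(";"):
        if part.strip():
            tag, _, value = part.partition("=")
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def check_dmarc_record(zone, txt):
    """Return a list of problems in the TXT value published at _dmarc.<zone>."""
    pairs = parse_tags(txt)
    tags = dict(pairs)
    problems = []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("v=DMARC1 must be the first tag")
    if tags.get("p", "").lower() not in POLICIES:
        problems.append("p is missing or not none/quarantine/reject")
    if "sp" in tags and tags["sp"].lower() not in POLICIES:
        problems.append("sp is not none/quarantine/reject")
    pct = tags.get("pct", "100")                      # page default: 100
    if not (pct.isdigit() and 1 <= int(pct) <= 100):  # range as constrained on this page
        problems.append("pct must be 1-100")
    for tag in ("aspf", "adkim"):                     # page default: r
        if tags.get(tag, "r") not in ("r", "s"):
            problems.append(tag + " must be r or s")
    ruas = [u.strip().lower() for u in tags.get("rua", "").split(",") if u.strip()]
    if "mailto:" + expected_rua(zone) not in ruas:
        problems.append("rua does not include " + expected_rua(zone))
    return problems

if __name__ == "__main__":
    # Constructed records standing in for `dig _dmarc.example.com TXT +short` output.
    good = '"v=DMARC1; p=none; pct=100; rua=mailto:dmarc+example-com@reports.certadns.com"'
    bad = "p=reject; v=DMARC1; pct=0; rua=mailto:reports@example.com"
    print(check_dmarc_record("example.com", good))
    print(check_dmarc_record("example.com", bad))
```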

"Failed to parse report" error on manual upload

The uploaded file is not a valid DMARC aggregate report. Ensure the file is in XML format (plain, gzip-compressed, or zip-compressed). The XML must conform to the DMARC aggregate report schema. Files with malformed XML, missing required tags, or non-UTF-8 encoding will fail parsing.

Pass rate suddenly dropped

Check the top senders list for new IP addresses. A new sender with high volume and low pass rate will lower the overall rate. Investigate whether this is a legitimate service that needs SPF/DKIM configuration or an unauthorized sender. Also check for recent changes to SPF or DKIM records that may have broken alignment.

Report shows DKIM or SPF pass but alignment fails

Alignment requires the domain in the DKIM signature (d=) or SPF check to match the From header domain. In relaxed mode, organizational domains must match (e.g., mail.example.com aligns with example.com). In strict mode, domains must match exactly. If your mail server signs with a different domain or uses a different envelope sender domain, alignment fails even if authentication passes.
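
The report processing described under "How It Works" and the alignment rule above, as an added Python example (not CertaDNS code): it unpacks a plain, gzip or zip attachment with a size cap, then counts per-IP messages whose passing SPF or DKIM domain aligns with the From header. The sample report is constructed, the size cap is an assumed value, and the organizational-domain rule (last two labels) is a simplification; production code needs the Public Suffix List.

```python
import gzip, io, zipfile
import xml.etree.ElementTree as ET
from collections import defaultdict

MAX_XML_BYTES = 10 * 1024 * 1024   # assumed cap on decompressed report size

def extract_xml(blob):
    """Return report XML from a plain, gzip or zip attachment, size-capped."""
    if blob[:2] == b"\x1f\x8b":                        # gzip magic bytes
        with gzip.GzipFile(fileobj=io.BytesIO(blob)) as fh:
            data = fh.read(MAX_XML_BYTES + 1)
    elif blob[:4] == b"PK\x03\x04":                    # zip local-file header
        with zipfile.ZipFile(io.BytesIO(blob)) as zf, zf.open(zf.infolist()[0]) as fh:
            data = fh.read(MAX_XML_BYTES + 1)
    else:
        data = blob
    if len(data) > MAX_XML_BYTES:
        raise ValueError("decompressed report exceeds size cap")
    if b"<!DOCTYPE" in data:       # crude guard against entity-expansion payloads
        raise ValueError("DTD declarations are not accepted")
    return data

def org_domain(name):
    # Simplification: last two labels. Real code needs the Public Suffix List.
    return ".".join(name.split(".")[-2:])

def aligned(auth_domain, header_from, mode):
    """mode 's' = exact match, 'r' = organizational domains match."""
    if not auth_domain or not header_from:
        return False
    a, f = auth_domain.lower().rstrip("."), header_from.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def summarize(blob, aspf="r", adkim="r"):
    """Per-source-IP message counts that pass or fail DMARC alignment."""
    root = ET.fromstring(extract_xml(blob))
    per_ip = defaultdict(lambda: {"passed": 0, "failed": 0})
    for rec in root.iter("record"):
        hfrom = rec.findtext("identifiers/header_from")
        def ok(kind, mode):   # any passing result of this kind whose domain aligns
            return any(r.findtext("result") == "pass"
                       and aligned(r.findtext("domain"), hfrom, mode)
                       for r in rec.iterfind("auth_results/" + kind))
        verdict = "passed" if ok("dkim", adkim) or ok("spf", aspf) else "failed"
        per_ip[rec.findtext("row/source_ip")][verdict] += int(rec.findtext("row/count"))
    return dict(per_ip)

def _rec(ip, n, dkim_d, spf_d):   # constructed record; both checks report "pass"
    return (f"<record><row><source_ip>{ip}</source_ip><count>{n}</count></row>"
            "<identifiers><header_from>example.com</header_from></identifiers>"
            f"<auth_results><dkim><domain>{dkim_d}</domain><result>pass</result></dkim>"
            f"<spf><domain>{spf_d}</domain><result>pass</result></spf></auth_results></record>")

SAMPLE = ("<feedback>" + _rec("192.0.2.50", 40, "example.com", "example.com")
          + _rec("192.0.2.51", 5, "esp.example.net", "mail.example.com")
          + _rec("198.51.100.10", 7, "esp.example.net", "bounce.esp.example.net")
          + "</feedback>").encode()

if __name__ == "__main__":
    print(summarize(SAMPLE))                            # relaxed modes
    print(summarize(gzip.compress(SAMPLE), "s", "s"))   # strict modes
```

Every record in the sample passes SPF and DKIM, yet 198.51.100.10 fails alignment in both modes and 192.0.2.51 passes only in relaxed mode, because its SPF domain is a subdomain of the From domain.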

Auto-publish enabled but DNS record not appearing

The DMARC record publishing cron runs every hour. If the configuration was created or updated recently, wait up to one hour. Verify auto_publish is enabled in the configuration. Check the zone's DNS records via the DNS Record Management page to confirm the _dmarc record exists. If the record still does not appear after one hour, the publishing job may have encountered an error; contact support.

"Zone not found or access denied" error

The zone you selected does not exist, has not been verified, or you do not have ownership permissions. Verify the zone appears in your Managed DNS Zones list and has been successfully verified.

11. Limits and Constraints

| Constraint | Value |
| --- | --- |
| Plans with access | Pro, Elite |
| Configurations per zone | 1 |
| Report list max results | 100 most recent reports |
| Stats period range | 1-90 days |
| Top senders displayed | 10 (by message count) |
| IMAP processing frequency | Every 15 minutes |
| Emails processed per run | 100 |
| DMARC record TTL | 3600 seconds (1 hour) |
| Publishing cron frequency | Every hour |
| RUA email format | dmarc+{zone-with-dashes}@reports.certadns.com |
| Duplicate prevention | By report_id + org_name |

  • Report attachments must be XML (plain, .gz, or .zip format). Other formats are rejected.
  • Reports are uniquely identified by the combination of report_id and org_name. Duplicate reports are ignored.
  • Processed emails are moved to the Processed folder. Failed emails (parsing errors, zone not found) are moved to the Failed folder.
  • Manual uploads contribute to statistics and appear in the report list like automatically collected reports.
  • DMARC records are published with a TTL of 3600 seconds. Changes to the configuration require up to one hour to propagate to DNS resolvers after the publishing cron runs.

12. Related Features

  • SPF Flattening — SPF pass/fail results contribute to DMARC alignment. Ensure your SPF record is correctly configured and includes all legitimate sending IPs.
  • DKIM Key Management — DKIM pass/fail results contribute to DMARC alignment. Configure DKIM keys and ensure mail servers sign messages with your domain.
  • DMARC Policy Wizard — Guided workflow for progressing from monitoring (p=none) to enforcement (p=quarantine or p=reject) based on pass rate thresholds.
  • Managed DNS Zones — Import and verify zones where DMARC configurations are created. DMARC records are TXT records at the _dmarc subdomain.
  • DNS Record Management — View, edit, and delete DNS records including _dmarc TXT records. Use this to manually publish or remove DMARC records if auto-publish is disabled.

13. Updates and Behavior Changes

  • DMARC Reporting was introduced as a Pro and Elite exclusive feature. Free and Plus plans must configure DMARC manually.
  • The auto-publish option was added to allow users to manage _dmarc records manually if they prefer external control over DNS changes.
  • Report deduplication by report_id and org_name was implemented to prevent duplicate processing when receivers resend the same report.
  • The statistics pass rate color coding thresholds were defined as: green ≥90%, yellow ≥70%, red <70%.
