Docs / Reading DMARC reports

Reading DMARC reports

Understand your DMARC report dashboard: who is sending as your domain, what is passing SPF/DKIM, what is failing, and when to move toward p=reject.

Dashboard overview

The UglyDMARC dashboard shows a summary of DMARC aggregate (RUA) reports for your domain. Reports arrive once per day, usually between 4–6 PM UTC, and cover 24 hours of mail sending activity.

The main view displays:

  • Pass/fail rate: Percentage of messages that passed SPF/DKIM alignment vs. those that failed
  • Alignment status: Whether SPF (d/i alignment) and DKIM (d/i alignment) passed or failed
  • Source IPs and ESPs: The IP addresses sending mail for your domain and the associated email service providers (identified via reverse IP lookup)
  • Volume: Number of messages from each sender

Tip

First reports may take up to 24 hours to arrive. If you just set up your DMARC record, wait a full day before expecting data. Also, DMARC reports only arrive from receiving mail servers that support it — not all receivers send reports, so your numbers won't capture 100% of mail sent on your domain.

Pass and fail columns

Pass: Messages that passed both SPF and DKIM alignment checks (or one, depending on your policy). These are authenticated mail that won't be rejected or quarantined.

Fail: Messages that failed SPF and/or DKIM alignment. These could be:

  • New vendors or integrations you haven't added to SPF yet
  • Misconfigured sending systems on your own network
  • Phishing or impersonation attempts (the whole reason for DMARC)

Source IPs and ESP identification

The report shows each IP address sending mail for your domain, along with the identified sender:

  • Google: Gmail, Google Workspace
  • Microsoft: Outlook, Microsoft 365
  • SendGrid: SendGrid service
  • Mailgun: Mailgun service
  • AWS SES: Amazon SES
  • Unknown: An IP that doesn't match known ESP IP ranges (could be your internal mail server, a custom integration, or less common vendors)

Use this to identify which vendors and systems are sending as your domain. If you see an unknown IP that shouldn't be there, investigate — it might be a misconfiguration or a security issue.

Drilling into a sender

Click on a sender row to see detailed information:

  • Pass/fail breakdown for that specific sender
  • Timestamp of the last report
  • Policy override reason (if applicable)

If a sender is failing, check whether you've added its IP range to your SPF record on UglyDMARC (or to your existing SPF, if you're not using UglyDMARC synthesis). If it's a known vendor, add it to your authorized senders. If it's unknown, contact the sender to verify it's legitimate.

Moving toward rejection

DMARC policy moves in three stages:

  1. p=none

    Monitor mode. UglyDMARC collects reports, but receiving mail servers do not quarantine or reject messages, even if they fail. This is where you start. Use reports to:

    • Identify all legitimate senders on your domain
    • Verify that their SPF and DKIM are configured correctly
    • Add any missing vendors or integrations to your SPF

    Stay in p=none until you see a consistent pass rate (85%+) with no unexpected senders.

  2. p=quarantine

    Once you're confident about your authorized senders, move to p=quarantine. Receiving mail servers will quarantine (isolate to spam) messages that fail DMARC. This protects your domain from spoofing without rejecting legitimate mail outright.

    Update your _dmarc record:

    v=DMARC1; p=quarantine; rua=mailto:rua@reports.uglydmarc.com

    Monitor reports for a few days. If your pass rate stays high (95%+) and no legitimate mail is being quarantined, you're safe to move to rejection.

  3. p=reject

    The strongest policy. Receiving mail servers will reject (refuse delivery) for any message that fails DMARC. This completely prevents domain spoofing.

    Update your _dmarc record:

    v=DMARC1; p=reject; rua=mailto:rua@reports.uglydmarc.com

    Once you reach p=reject, failures will be rejected by receivers. Monitor reports regularly and add new senders to your SPF immediately if needed.

Interpreting first reports

First Reports

Your first DMARC reports often show a lower pass rate because they include mail from all sources — known vendors, internal systems, and sometimes spam or misconfigured integrations. This is normal. Use the first week's data to:

  • Catalog all legitimate senders (vendors, internal systems, integrations)
  • Verify each one has correct SPF and DKIM configuration
  • Identify any unexpected senders and investigate them
  • Add missing vendors to your SPF on UglyDMARC

Once you've cleaned up your senders and added them all to SPF, your pass rate should climb quickly.

Common scenarios

Low pass rate (below 80%)
You likely have senders on UglyDMARC (or on your domain) that aren't configured for SPF/DKIM. Drill into the failing senders and either add their IPs to your SPF or disable/reconfigure them. This is the most common situation in the first week.

Unknown IP appearing in reports
Check whether it's a vendor you use (but haven't configured yet) or a system on your network. If you don't recognize it, contact your IT team or hosting provider to verify. If it's legitimate and sending mail, add it to your SPF.

Seeing yourself in the reports (internal mail server)**
If you have an internal mail server, its IP will appear in reports. Add it to your SPF (on UglyDMARC or in your DNS SPF record) to ensure it passes DMARC alignment.