Monday, April 27, 2026

How to Read DMARC Reports and Fix Alignment Issues for Your Domain

 Protecting your domain from email spoofing and ensuring every message lands where it should start with understanding your DMARC reports. At Interlock IT, we’ve audited hundreds of domains and know firsthand how DMARC aggregate reports and alignment issues can make or break your email deliverability. If you want to read these reports effectively and fix SPF or DKIM alignment problems, it’s essential to interpret the data correctly and apply proven steps to resolve failures. This guide walks you through the process, answers key questions, and provides actionable best practices—straight from Canada's leading cloud services experts.

DMARC (Domain-based Message Authentication, Reporting, and Conformance) reports give you daily insight into who’s sending email on your behalf, how messages are authenticated (SPF/DKIM), and highlight authentication failures or potential abuse. Many businesses find that reviewing these reports is crucial for blocking phishing attempts, maintaining brand reputation, and ensuring confident communication with their customers and partners.

What is a DMARC Report? A Concise Definition

A DMARC report is a standardized email report from recipient mail servers summarizing whether emails using your domain have passed SPF and DKIM authentication and alignment. Reports may be aggregate (group summaries) or forensic (individual failures), arriving as XML files—typically daily—when you publish a DMARC record in your DNS with a "rua" reporting address.

Why Reading DMARC Reports Matters

DMARC reports:

  • Reveal all sources sending mail as your domain—including authorized services and potential spoofers

  • Show pass/fail status for SPF, DKIM, and alignment (the critical check)

  • Allow you to spot and fix configuration errors that could filter or block even legitimate business mail

Without proper interpretation, legitimate messaging platforms (newsletters, CRM, support systems) might fail DMARC alignment and be treated as spam—or worse, open the door for malicious actors to impersonate your brand. As Canada’s trusted DMARC audit partner, Interlock IT emphasizes that reading your DMARC reports is not just technical hygiene: it’s business-critical for small and medium enterprises.

Step-by-Step: How to Set Up and Receive DMARC Reports

  1. Create Your DMARC Record: Add a TXT record at _dmarc.yourdomain.com in your DNS. Start with a monitoring policy, e.g.,
    v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com. The rua address collects aggregate reports; ruf can collect forensic samples if needed.

  2. Wait for DNS Propagation: Changes may take up to 24 hours. Use a DMARC checker tool to ensure your record is visible and correct.

  3. Collect Reports: Mail providers (Google, Microsoft, Yahoo, etc.) will begin sending you DMARC reports as compressed XML files to your specified email address, usually within a day.

  4. Use a DMARC Parsing Tool: Most raw XML files are unreadable for humans. At Interlock IT, our DMARC audit service parses and organizes this data into an actionable dashboard, saving many businesses hours of manual effort.

  5. Review Regularly: Open your parsed dashboard (or DMARC XML, if you must) daily or weekly. Focus on volume trends, unknown senders, and failure rates for DKIM and SPF alignment.

Key Fields in Aggregate DMARC Reports

The structure and terminology of DMARC reports can appear daunting, but focusing on a few critical fields will provide actionable insights. Here’s a guide to the most important fields you’ll encounter:

| Field | Description | Example | Action if Failing |
|---|---|---|---|
| source_ip | Sending mail server’s IP | 192.0.2.45 | Check ownership, verify if authorized |
| volume | Message count from this source | 880 | Investigate large volumes from unknowns |
| header_from | Domain in ‘From’ header | abc.ca | Ensure correct and aligned |
| SPF & SPF Alignment | SPF pass plus domain match | pass/pass | Fix record, align domains if failing |
| DKIM & DKIM Alignment | DKIM pass plus domain match | fail/fail | Configure DKIM, renew keys, enable relaxed or strict alignment as needed |
| DMARC Result | Comprehensive pass/fail | pass | Investigate cause if fail |
| Disposition | “none”, “quarantine” or “reject” | quarantine | Adjust policy or address misalignment |

Alignment failures—where SPF or DKIM domains don't match your From address—are the most common cause of DMARC failures for legitimate email, and the ones we see most frequently at Interlock IT.

Troubleshooting: How to Fix Alignment Issues in DMARC Reports

Understanding Alignment

DMARC alignment means the domains used for SPF and DKIM authentication must either match your From domain (strict) or be a subdomain (relaxed) of it. Failing alignment is typically caused by:

  • Third-party mailers (marketing tools, ticketing systems, payroll notifications) sending with their own Return-Path or DKIM signature

  • Incorrect or outdated SPF/DKIM TXT records

  • Forgotten or misconfigured domain aliases
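
The key fields and the alignment rule described above can be read straight out of a raw aggregate report. The Python below is an added example, not Interlock IT's tooling: the sample XML is constructed, and relaxed alignment is approximated as a parent/child domain match rather than a full organizational-domain lookup.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 aggregate layout; every value is made up.
SAMPLE = """<feedback>
  <policy_published><domain>abc.ca</domain><adkim>r</adkim><aspf>r</aspf><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.45</source_ip><count>880</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>abc.ca</header_from></identifiers>
    <auth_results><spf><domain>bounce.mailer.example</domain><result>pass</result></spf>
      <dkim><domain>mailer.example</domain><result>pass</result></dkim></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>12</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>abc.ca</header_from></identifiers>
    <auth_results><spf><domain>forwarder.example</domain><result>fail</result></spf>
      <dkim><domain>mail.abc.ca</domain><result>pass</result></dkim></auth_results>
  </record>
</feedback>"""

def aligned(auth_domain, from_domain, mode):
    """mode 's' = exact match. mode 'r' is approximated here as equal or parent/child;
    real relaxed alignment compares organizational domains via the Public Suffix List."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return a == f or a.endswith("." + f) or f.endswith("." + a)

def summarize(xml_text):
    if "<!DOCTYPE" in xml_text:  # reports arrive from outside parties; refuse DTDs/entities
        raise ValueError("DOCTYPE not allowed in report")
    root = ET.fromstring(xml_text)
    modes = {m: root.findtext(f"policy_published/a{m}", "r") for m in ("spf", "dkim")}
    rows = []
    for rec in root.iter("record"):
        hdr = rec.findtext("identifiers/header_from")
        row = {"source_ip": rec.findtext("row/source_ip"),
               "count": int(rec.findtext("row/count")),  # the "volume" column
               "header_from": hdr}
        for m in ("spf", "dkim"):
            ok = [r.findtext("domain") for r in rec.findall(f"auth_results/{m}")
                  if r.findtext("result") == "pass"]
            row[m] = ("pass/aligned" if any(aligned(d, hdr, modes[m]) for d in ok)
                      else "pass/unaligned" if ok else "fail")
        rows.append(row)
    return rows
```

The first constructed record is the third-party-mailer case: both checks pass for the vendor's own domains, yet neither aligns with abc.ca, which is why the receiver's policy_evaluated block reports fail for both.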

1. SPF Alignment Issues

  • Diagnosis: In your DMARC dashboard, you’ll see ‘SPF=pass but alignment=fail’ when the Return-Path domain (what bounces are sent to) differs from your visible From domain. For example, a marketing system sends on your behalf but uses their own domain for return-path.

  • How to Fix:

    1. Identify the sender/IP (the sending service provider).

    2. Add or update the SPF TXT record with their include statement. For example, for Google Workspace and Microsoft 365:
      v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all

    3. Limit to 10 includes to avoid DNS query limits. Allow 24 hours for propagation and retest in your next DMARC report.

  • Pro tip: For frequent forwarders or automated systems outside your control, use relaxed SPF alignment (aspf=r) in your DMARC policy.
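
Nested includes count toward the DNS query limit mentioned in step 3, so a record with only a handful of top-level includes can still exceed it. The Python below is an added example, not part of the original guide: it counts lookup-causing SPF terms recursively over a constructed set of records with hypothetical .example names that stand in for live DNS answers.

```python
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4 limit on DNS-querying terms per SPF check

# Constructed SPF records standing in for DNS TXT answers (hypothetical names).
RECORDS = {
    "abc.example": "v=spf1 mx include:_spf.esp-a.example include:_spf.esp-b.example "
                   "include:crm.example include:helpdesk.example ~all",
    "_spf.esp-a.example": "v=spf1 include:_nb1.esp-a.example include:_nb2.esp-a.example "
                          "include:_nb3.esp-a.example ~all",
    "_nb1.esp-a.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_nb2.esp-a.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_nb3.esp-a.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "_spf.esp-b.example": "v=spf1 include:spf-a.esp-b.example include:spf-b.esp-b.example -all",
    "spf-a.esp-b.example": "v=spf1 ip4:192.0.2.128/25 -all",
    "spf-b.esp-b.example": "v=spf1 ip4:198.51.100.128/25 -all",
    "crm.example": "v=spf1 a mx ip4:198.51.100.0/24 -all",
    "helpdesk.example": "v=spf1 exists:%{i}.allow.helpdesk.example -all",
}

def count_lookups(domain, records, seen=None):
    """Count DNS-querying terms (include, a, mx, ptr, exists, redirect) reachable
    from domain's SPF record. A domain missing from records adds nothing further."""
    seen = set() if seen is None else seen
    if domain in seen:  # guard against include loops (a repeated target is counted once)
        return 0
    seen.add(domain)
    total = 0
    for term in records.get(domain, "").split()[1:]:  # skip the "v=spf1" version tag
        term = term.lstrip("+-~?").lower()
        name = term.split(":")[0].split("/")[0].split("=")[0]
        if name in ("a", "mx", "ptr", "exists"):
            total += 1
        elif name in ("include", "redirect"):
            target = term.split(":" if name == "include" else "=", 1)[1]
            total += 1 + count_lookups(target, records, seen)  # the term itself, then its subtree
    return total

def within_limit(domain, records):
    return count_lookups(domain, records) <= MAX_LOOKUPS

if __name__ == "__main__":
    n = count_lookups("abc.example", RECORDS)
    print(f"abc.example: {n} lookups, within limit: {within_limit('abc.example', RECORDS)}")
```

The constructed abc.example record has only four includes at the top level but resolves to 13 lookups once the nested records are followed.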

2. DKIM Alignment Issues

  • Diagnosis: If your DKIM fails or isn’t aligned, your mailer is either not signing with your domain’s DKIM key or the DNS key is outdated/missing.

  • How to Fix:

    1. Generate new DKIM keys within your platform (Google Workspace: Admin console > Apps > Authenticate email). Each platform provides a selector and key value.

    2. Update your DNS with the provided selector and public key value.

    3. Consider setting DMARC’s adkim=r for relaxed DKIM alignment if using subdomains or multiple apps.

    4. Verify using email authentication testing tools, then review subsequent DMARC reports.

  • Security Tip: Regularly rotate DKIM keys for ongoing security.

3. Unknown Sender or Spoofed IPs

  • High numbers of emails from unfamiliar sources indicate either forwarding or active spoofing attempts.

  • Audit and disable unauthorized sources, and ramp up DMARC policy from p=none to p=quarantine (test phase), eventually moving to p=reject for full protection.

Best Practices for Ongoing DMARC Alignment and Monitoring

  • Start with p=none for monitoring; don’t quarantine or reject until confident about legitimate sender alignment

  • Consolidate all sending platforms (marketing, CRM, ticketing, payroll) and update SPF/DKIM for each

  • Review parsed reports weekly or monthly for surprises

  • Gradually enforce stricter policies as all regular communication is passing

  • Contact an expert team, like Interlock IT, for ongoing audits or complex multi-domain setups

  • Document all changes and keep historical DMARC compliance trends

Frequently Asked Questions: DMARC Reports and Alignment

What is the difference between SPF and DKIM alignment in DMARC?

SPF alignment requires the Return-Path domain to match or be a subdomain of the visible From domain. DKIM alignment checks that the domain signing the message with DKIM also matches the From domain. Both alignments must pass for DMARC success when operating in strict mode.

Why do I see passing SPF but failing alignment?

This happens when a third-party service is authorized in your SPF record but uses its own Return-Path (not your domain). Update the service to send with your domain as Return-Path, or relax the DMARC alignment policy (set aspf=r).

Can I use multiple ESPs like Microsoft 365 and Google Workspace together?

Yes, but you must include both in your SPF record, and configure DKIM for both in each provider’s admin console.

How does policy enforcement work?

Start with p=none and monitor all issues. Once confident 90%+ of legitimate email is authenticated and aligned, progress to p=quarantine (test policy), then to p=reject for full enforcement and maximum protection. See our guide on DMARC enforcement timing.

Are forwarded emails always a problem?

No, but forwarded mail can break SPF or DKIM, causing alignment failures. Using relaxed DMARC alignment, or ensuring DKIM survives forwarding, can mitigate most issues.

How can I automate or outsource DMARC reporting?

Third-party DMARC report parsers or managed services can simplify this process. At Interlock IT, we audit, parse, and translate your DMARC data so you focus on business priorities instead of chasing down mail errors.

What if my reports show high-volume failures from unknown sources?

This typically signals domain spoofing or unauthorized relay. Audit all legitimate mailers, ramp up your enforcement policy, and consider locking down mail streams by IP if necessary. Immediate action can greatly reduce risk.

Conclusion

Reading DMARC reports and resolving alignment issues are essential to keeping your communications secure and trusted. As the authoritative DMARC audit partner in Canada, Interlock IT simplifies every aspect—parsing reports, updating records, and offering expert advice with deep Google Workspace and Microsoft 365 integration experience. We encourage every business leader to review their DMARC setup and invite you to reach out for an audit if you’re ready to reduce risk and improve deliverability.

For deeper guidance on rollout strategies, see our DMARC Audit Checklist for Small Businesses and related posts on protecting your business email. For a personalized consultation or DMARC audit, connect with us at https://www.interlockit.com.
