Monday, April 27, 2026

How to Read DMARC Reports and Fix Alignment Issues for Your Domain

 Protecting your domain from email spoofing and ensuring every message lands where it should start with understanding your DMARC reports. At Interlock IT, we’ve audited hundreds of domains and know firsthand how DMARC aggregate reports and alignment issues can make or break your email deliverability. If you want to read these reports effectively and fix SPF or DKIM alignment problems, it’s essential to interpret the data correctly and apply proven steps to resolve failures. This guide walks you through the process, answers key questions, and provides actionable best practices—straight from Canada's leading cloud services experts.

DMARC (Domain-based Message Authentication, Reporting, and Conformance) reports give you daily insight into who’s sending email on your behalf, how messages are authenticated (SPF/DKIM), and highlight authentication failures or potential abuse. Many businesses find that reviewing these reports is crucial for blocking phishing attempts, maintaining brand reputation, and ensuring confident communication with their customers and partners.

What is a DMARC Report? A Concise Definition

A DMARC report is a standardized email report from recipient mail servers summarizing whether emails using your domain have passed SPF and DKIM authentication and alignment. Reports may be aggregate (group summaries) or forensic (individual failures), arriving as XML files—typically daily—when you publish a DMARC record in your DNS with a "rua" reporting address.

Why Reading DMARC Reports Matters

DMARC reports:

  • Reveal all sources sending mail as your domain—including authorized services and potential spoofers

  • Show pass/fail status for SPF, DKIM, and alignment (the critical check)

  • Allow you to spot and fix configuration errors that could filter or block even legitimate business mail

Without proper interpretation, legitimate messaging platforms (newsletters, CRM, support systems) might fail DMARC alignment and be treated as spam—or worse, open the door for malicious actors to impersonate your brand. As Canada’s trusted DMARC audit partner, Interlock IT emphasizes that reading your DMARC reports is not just technical hygiene: it’s business-critical for small and medium enterprises.

Step-by-Step: How to Set Up and Receive DMARC Reports

  1. Create Your DMARC Record: Add a TXT record at _dmarc.yourdomain.com in your DNS. Start with a monitoring policy, e.g.,
    v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com. The rua address collects aggregate reports; ruf can collect forensic samples if needed.

  2. Wait for DNS Propagation: Changes may take up to 24 hours. Use a DMARC checker tool to ensure your record is visible and correct.

  3. Collect Reports: Mail providers (Google, Microsoft, Yahoo, etc.) will begin sending you DMARC reports as compressed XML files to your specified email address, usually within a day.

  4. Use a DMARC Parsing Tool: Most raw XML files are unreadable for humans. At Interlock IT, our DMARC audit service parses and organizes this data into an actionable dashboard, saving many businesses hours of manual effort.

  5. Review Regularly: Open your parsed dashboard (or DMARC XML, if you must) daily or weekly. Focus on volume trends, unknown senders, and failure rates for DKIM and SPF alignment.

Key Fields in Aggregate DMARC Reports

The structure and terminology of DMARC reports can appear daunting, but focusing on a few critical fields will provide actionable insights. Here’s a guide to the most important fields you’ll encounter:

| Field | Description | Example | Action if Failing |
| --- | --- | --- | --- |
| source_ip | Sending mail server’s IP | 192.0.2.45 | Check ownership, verify if authorized |
| volume | Message count from this source | 880 | Investigate large volumes from unknowns |
| header_from | Domain in ‘From’ header | abc.ca | Ensure correct and aligned |
| SPF & SPF Alignment | SPF pass plus domain match | pass/pass | Fix record, align domains if failing |
| DKIM & DKIM Alignment | DKIM pass plus domain match | fail/fail | Configure DKIM, renew keys, enable relaxed or strict alignment as needed |
| DMARC Result | Comprehensive pass/fail | pass | Investigate cause if fail |
| Disposition | “none”, “quarantine” or “reject” | quarantine | Adjust policy or address misalignment |

Alignment failures—where SPF or DKIM domains don't match your From address—are the most common cause of DMARC failures for legitimate email, and the ones we see most frequently at Interlock IT.

Troubleshooting: How to Fix Alignment Issues in DMARC Reports

Understanding Alignment

DMARC alignment means the domains used for SPF and DKIM authentication must either match your From domain exactly (strict) or share its organizational domain, such as a subdomain of it (relaxed). Failing alignment is typically caused by:

  • Third-party mailers (marketing tools, ticketing systems, payroll notifications) sending with their own Return-Path or DKIM signature

  • Incorrect or outdated SPF/DKIM TXT records

  • Forgotten or misconfigured domain aliases

1. SPF Alignment Issues

  • Diagnosis: In your DMARC dashboard, you’ll see ‘SPF=pass but alignment=fail’ when the Return-Path domain (where bounces are sent) differs from your visible From domain. For example, a marketing system sends on your behalf but uses its own domain for the Return-Path.

  • How to Fix:

    1. Identify the sender/IP (the sending service provider).

    2. Add or update the SPF TXT record with their include statement. For example, for Google Workspace and Microsoft 365:
      v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all

    3. Limit to 10 includes to stay within SPF's DNS lookup limit. Allow 24 hours for propagation and retest in your next DMARC report.

  • Pro tip: For frequent forwarders or automated systems outside your control, use relaxed SPF alignment (aspf=r) in your DMARC policy.

2. DKIM Alignment Issues

  • Diagnosis: If your DKIM fails or isn’t aligned, your mailer is either not signing with your domain’s DKIM key or the DNS key is outdated/missing.

  • How to Fix:

    1. Generate new DKIM keys within your platform (Google Workspace: Admin console > Apps > Authenticate email). Each platform provides a selector and key value.

    2. Update your DNS with the provided selector and public key value.

    3. Consider setting DMARC’s adkim=r for relaxed DKIM alignment if using subdomains or multiple apps.

    4. Verify using email authentication testing tools, then review subsequent DMARC reports.

  • Security Tip: Regularly rotate DKIM keys for ongoing security.

3. Unknown Sender or Spoofed IPs

  • High numbers of emails from unfamiliar sources indicate either forwarding or active spoofing attempts.

  • Audit and disable unauthorized sources, and ramp up DMARC policy from p=none to p=quarantine (test phase), eventually moving to p=reject for full protection.

Best Practices for Ongoing DMARC Alignment and Monitoring

  • Start with p=none for monitoring; don’t quarantine or reject until confident about legitimate sender alignment

  • Consolidate all sending platforms (marketing, CRM, ticketing, payroll) and update SPF/DKIM for each

  • Review parsed reports weekly or monthly for surprises

  • Gradually enforce stricter policies once all regular communication is passing

  • Contact an expert team, like Interlock IT, for ongoing audits or complex multi-domain setups

  • Document all changes and keep historical DMARC compliance trends

Frequently Asked Questions: DMARC Reports and Alignment

What is the difference between SPF and DKIM alignment in DMARC?

SPF alignment requires the Return-Path domain to match or be a subdomain of the visible From domain. DKIM alignment checks that the domain signing the message with DKIM also matches the From domain. Both alignments must pass for DMARC success when operating in strict mode.

Why do I see passing SPF but failing alignment?

This happens when a third-party service is authorized in your SPF record but uses its own Return-Path (not your domain). Update the service to send with your domain as the Return-Path, or relax the DMARC alignment policy (set aspf=r).

Can I use multiple ESPs like Microsoft 365 and Google Workspace together?

Yes, but you must include both in your SPF record, and configure DKIM for both in each provider’s admin console.

How does policy enforcement work?

Start with p=none and monitor all issues. Once confident 90%+ of legitimate email is authenticated and aligned, progress to p=quarantine (test policy), then to p=reject for full enforcement and maximum protection. See our guide on DMARC enforcement timing.

Are forwarded emails always a problem?

No, but forwarded mail can break SPF or DKIM, causing alignment failures. Using relaxed DMARC alignment, or ensuring DKIM survives forwarding, can mitigate most issues.

How can I automate or outsource DMARC reporting?

Third-party DMARC report parsers or managed services can simplify this process. At Interlock IT, we audit, parse, and translate your DMARC data so you focus on business priorities instead of chasing down mail errors.

What if my reports show high-volume failures from unknown sources?

This typically signals domain spoofing or unauthorized relay. Audit all legitimate mailers, ramp up your enforcement policy, and consider locking down mail streams by IP if necessary. Immediate action can greatly reduce risk.

Conclusion

Reading DMARC reports and resolving alignment issues are essential to keeping your communications secure and trusted. As the authoritative DMARC audit partner in Canada, Interlock IT simplifies every aspect—parsing reports, updating records, and offering expert advice with deep Google Workspace and Microsoft 365 integration experience. We encourage every business leader to review their DMARC setup and invite you to reach out for an audit if you’re ready to reduce risk and improve deliverability.

For deeper guidance on rollout strategies, see our DMARC Audit Checklist for Small Businesses and related posts on protecting your business email. For a personalized consultation or DMARC audit, connect with us at https://www.interlockit.com.

Wednesday, March 25, 2026

A Small Business Admin’s Checklist for Rolling Out Gemini in Google Workspace Safely

 Implementing Gemini for Google Workspace can help your small business automate tasks, surface insights more quickly, and create smoother collaboration. However, administrators must balance Gemini’s AI power with privacy, compliance, and seamless adoption. This checklist, informed by our years of experience at Interlock IT, provides a practical and secure plan for rolling out Gemini across your Google Workspace environment.

Definition: What is Gemini in Google Workspace?

Gemini is Google’s generative AI suite embedded into Google Workspace, including Gmail, Docs, Drive, Calendar, and more. It streamlines workflows such as drafting emails, summarizing documents, creating task lists, extracting insights, and automating common processes with AI-driven prompts. For small businesses, Gemini’s real value is its ability to increase productivity and reduce manual work across teams, provided it is deployed securely and thoughtfully.

Why Secure Deployment Matters

Many businesses are excited to introduce AI tools like Gemini, but administrators must consider risks associated with data security, email spoofing, and accidental exposure of sensitive content. A structured rollout, supported by the expertise of partners like Interlock IT, ensures that organizations benefit from Gemini’s capabilities while meeting compliance and best practice standards. Our real-world experience helping Canadian SMBs move to the cloud and adopt AI means we understand both the opportunities and pitfalls.

Checklist: Safe Gemini Deployment Step-By-Step

1. Verify Eligibility and Licensing

  • Check that you are on a Business or Enterprise Google Workspace plan (Gemini add-ons are not available for basic plans).

  • Review your current subscriptions at admin.google.com (Billing > Subscriptions).

  • Acquire Gemini licenses as needed. Interlock IT offers flexible monthly or annual billing (with potential annual savings), plus free consultations to determine your needs.

2. Prepare Admin Settings and Security

  • Enable access to Gemini features via Admin Console: Apps > Google Workspace > Gemini > Manage settings.

  • Enable Gmail’s Smart features for better AI assistance (Apps > Google Workspace > Gmail > User settings > Smart features).

  • Review and update your email security posture, especially DMARC policies. Use Interlock IT’s comprehensive DMARC audit checklist to prevent spoofing and improve compliance.

3. Assess Data Privacy and Compliance

  • Audit who can access sensitive data via Gemini by reviewing Organizational Units (OUs) and groups before rollout.

  • Set data retention and activity settings (Security > Access and Data Control) to maintain records and regulatory compliance.

  • Consider backing up Workspace data before deployment. Interlock IT partners with industry-leading solutions like Afi.ai for reliable, cloud-to-cloud backup.

4. Enable and Connect Apps

  • Allow Gemini to connect with Gmail, Drive, Docs, Calendar, Tasks, and Keep.

  • Test on a single admin or IT account first to ensure configurations work as intended (e.g., sign in to gemini.google.com and use prompts like “Summarize recent emails from [team or person]”).

5. Pilot with a Small Test Group

  • Create a dedicated OU or group for 2–5 users to trial Gemini features.

  • Assign Gemini licenses to these users only, monitor their usage, and track any anomalies via Admin Console’s audit and reports.

  • If issues are detected, easily revoke access or adjust settings before wider rollout.

6. Provide User Training and Guidance

  • Host a workshop or digital info session to show employees how to use Gemini prompts effectively (e.g., summarizing Google Docs, creating instant task lists, using side-panel assistance for meetings).

  • Emphasize best practices: avoid sharing sensitive or confidential information in Gemini prompts, and demonstrate secure usage habits.

  • Encourage feedback from pilot users to tailor training for the broader team.

7. Gradual Full Rollout & Policy Controls

  • Once test users are proficient and no issues arise, assign Gemini add-ons to a wider set of OUs or departments.

  • Leverage context-aware access controls to limit Gemini availability based on time, device, or user group as needed.

  • Document and communicate escalation paths (who to contact if access issues or AI errors occur).

8. Monitor Usage and Optimize

  • Regularly review Gemini usage reports in the Admin Console to track adoption, identify bottlenecks, and spot unusual activity.

  • Solicit regular feedback from staff and refine prompts, training, and support documentation based on real-world questions.

  • Implement additional features like NotebookLM (for insights), Vids (video creation), or side panel AI in Meet selectively, considering team needs and security.

9. Ensure Ongoing Data Protection

  • Use backup and recovery solutions like those supported by Interlock IT (Afi.ai) offering infinite retention and ransomware protection.

  • Monitor potential data leakage risks, especially if users interact with external parties or manage confidential files. Regular audits are recommended.

10. Advanced Customization and Support

  • Consider integrating custom automations or dashboards using Google Apps Script and Gemini, with help from certified experts at Interlock IT for hassle-free setup and technical support.

  • Stay up-to-date with feature releases and best practice updates shared by both Google and trusted partners.

Common Missteps and Solutions

  • Missing Security Features: Forgetting to audit DMARC or enable Smart features can cause errors or compliance gaps. Refer to our DMARC audit checklist for best practices.

  • Scaling Too Fast: A phased launch (test group > full rollout) helps prevent oversights and reduces risk.

  • Poor User Adoption: User training is often skipped; a quick team session can make all the difference.

  • Lack of Backups: Not having a Workspace backup may expose your business to data loss or ransomware; leverage reliable cloud-to-cloud backup options with Interlock IT.

Best Practices for Small Business Admins

  • Always pilot new AI features in a low-risk environment before wide release.

  • Work with an experienced Google Workspace partner for issue escalation, technical configuration, and ongoing support. At Interlock IT, we tailor rollouts to organizational size and risk profile.

  • Keep users informed with bite-sized training and clear communications about changes.

  • Monitor for compliance continuously – both email security (through DMARC) and data governance remain essential even after Gemini is enabled.

  • Consider scheduling regular quarterly reviews to keep your AI and workspace security aligned.

FAQ: Rolling Out Gemini in Google Workspace

What licenses are required for Gemini in Google Workspace?

Gemini requires a Business or Enterprise Workspace edition, plus Gemini add-ons. Contact your Workspace partner for help choosing the right plan.

How do I secure my email and documents with Gemini enabled?

Start by running a DMARC audit, set up strong access controls, and back up your Workspace data. Interlock IT provides expert assistance with every step.

Can I enable Gemini for only part of my team?

Yes, use Organizational Units or custom groups to control which users have access, then monitor usage for any issues before company-wide rollout.

How do I train my team to use Gemini effectively?

Organize team workshops demonstrating prompts, show common use cases, and distribute prompt guides via email or internal wiki.

What if something goes wrong with the rollout?

Start with test users, so you can adjust policies or settings before full rollout. Work with partners like Interlock IT for troubleshooting, escalation, and support.

What about backups and recovery?

Use robust cloud-to-cloud backup solutions like Afi.ai, which are integrated and supported by Interlock IT, to ensure data can be restored quickly and completely if issues occur.

Does this approach change if we’re a very small (or large) business?

The framework is flexible. For smaller teams, rollout is typically faster. For larger organizations, we recommend more detailed staged testing and larger-scale training. Interlock IT specializes in scaling deployments securely for both small and medium-sized businesses.


Conclusion: Adopt Gemini with Confidence

Rolling out Gemini for Google Workspace can transform day-to-day operations for Canadian small businesses, enhancing productivity and collaboration. The key is to proceed step-by-step, prioritize security and compliance, and arm your team with training and backup. As a leader in cloud adoption and Workspace migrations, Interlock IT stands ready to help you implement Gemini seamlessly. Whether you need licensing advice, technical configuration, security audits, or user training, our decades of expertise mean we’re equipped to help you succeed. Reach out to our team for a conversation about how we can support your rollout and ensure a smooth, compliant, and future-proof deployment.