How to Audit Your Domain's SPF and DKIM Alignment Using DMARC Aggregate Reports?
Email authentication is a frontline defense against spoofing and phishing attacks that impersonate your domain. While implementing SPF and DKIM is a critical initial step, enforcement through DMARC only works effectively when alignment is achieved. That’s where DMARC aggregate reports (RUA) become essential: they offer a bird’s-eye view of how your domain’s email is performing and whether SPF and DKIM align.
Let us walk you through auditing your domain’s SPF and DKIM alignment using DMARC aggregate reports.
Understanding Alignment
SPF Alignment
The Return-Path (SMTP MAIL FROM) domain must match the From: domain: an exact match in "strict" mode, or a match on the root (organizational) domain in "relaxed" mode.
DKIM Alignment
The domain in the DKIM signature (d= tag) must align with the From: domain.
DMARC Alignment
At least one of the two protocols (SPF or DKIM) must both pass and be aligned for DMARC to pass.
Ensure You’re Receiving DMARC Aggregate Reports
To receive DMARC aggregate reports, your published DMARC record must include a "rua" tag specifying the email address or addresses where these reports should be sent.
_dmarc.yourdomain.com IN TXT "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"
Using a third-party report analyzer will help you manage and monitor the reports effectively. With EasyDMARC’s dashboard, the overwhelming number of reports is parsed and classified for easy reading.
Structure of DMARC Aggregate Reports
The reports are sent in XML format and include:
- Source IP and sending organization
- SPF and DKIM pass/fail results
- Alignment status of SPF and DKIM
- Volume of messages per outcome
- Policy result (none, quarantine, reject)
We can see an XML report example below and analyze it:
SPF Check
SPF pass: Confirm the sending IP is authorised in the SPF record of your domain.
SPF alignment: Confirm the Return-Path domain aligns with the From domain.
Note: In aspf “relaxed” mode, alignment can also be achieved with a subdomain. In “strict” mode, an exact match is required.
DKIM Check
DKIM pass: The signature validates.
DKIM alignment: d= tag domain matches the From domain.
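The SPF and DKIM checks above can be run over a report programmatically. The following is an added example, not part of the original article or of EasyDMARC's tooling: it parses a constructed aggregate report in the RFC 7489 layout and lists identities that passed authentication but did not align. The function names are hypothetical, and the organizational domain is approximated as the last two labels.

```python
import xml.etree.ElementTree as ET  # reports come from third parties; prefer defusedxml in production
# Constructed sample report (RFC 7489 layout, illustrative values). Policy: aspf strict, adkim relaxed.
SAMPLE = """<feedback>
 <policy_published><domain>yourdomain.com</domain><adkim>r</adkim><aspf>s</aspf><p>none</p></policy_published>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>120</count></row>
  <identifiers><header_from>yourdomain.com</header_from></identifiers>
  <auth_results><dkim><domain>yourdomain.com</domain><result>pass</result></dkim>
   <spf><domain>send.yourdomain.com</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>198.51.100.7</source_ip><count>15</count></row>
  <identifiers><header_from>yourdomain.com</header_from></identifiers>
  <auth_results><dkim><domain>vendor.example</domain><result>pass</result></dkim>
   <spf><domain>bounce.vendor.example</domain><result>pass</result></spf></auth_results>
 </record>
</feedback>"""

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Use the Public Suffix List for real audits.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    # "s" (strict) needs an exact match; "r" (relaxed) only needs the same organizational domain.
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def audit(xml_text):
    root = ET.fromstring(xml_text)
    policy = root.find("policy_published")
    modes = {"spf": policy.findtext("aspf", "r"), "dkim": policy.findtext("adkim", "r")}
    findings = []
    for rec in root.iter("record"):
        header_from = rec.findtext("identifiers/header_from")
        result = {"ip": rec.findtext("row/source_ip"), "count": int(rec.findtext("row/count")),
                  "spf": False, "dkim": False, "unaligned": []}
        for proto in ("spf", "dkim"):
            for auth in rec.findall(f"auth_results/{proto}"):
                if auth.findtext("result") != "pass":
                    continue
                if aligned(auth.findtext("domain"), header_from, modes[proto]):
                    result[proto] = True
                else:  # authenticated, but for a domain that does not align with From:
                    result["unaligned"].append(f"{proto}:{auth.findtext('domain')}")
        result["dmarc_pass"] = result["spf"] or result["dkim"]
        findings.append(result)
    return findings
```

In the sample, the first source passes DMARC through DKIM alone because its subdomain Return-Path fails strict SPF alignment, while the second source authenticates only as the vendor's own domain and fails DMARC.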
Identify and Fix Issues
SPF
- Ensure the legitimate sending sources are whitelisted in the SPF record of the domain.
- Request that vendors use your domain (or subdomain) for bounce addresses (e.g. mailer@send.yourdomain.com).
DKIM
- Ensure that third-party senders DKIM-sign using your domain (d=yourdomain.com).
Regularly checking your domain's SPF and DKIM settings through DMARC aggregate reports is essential—not merely a compliance task. This practice plays a crucial role in safeguarding your brand, thwarting phishing attempts, and ensuring your emails reach their intended recipients. By routinely analyzing alignment data and collaborating with your email providers, you can confidently progress toward full DMARC enforcement over time.