DMARC Analysis
Under DMARC, received DMARC aggregate reports (RUA) are visualised.
What Are DMARC Aggregate Reports?
DMARC aggregate reports are sent daily by recipient mail servers to the rua address configured in the DMARC DNS record. They contain anonymised statistics about which mails (by IP address) were sent on behalf of your domain and whether they passed DMARC, SPF, and DKIM.
Configuration
For nmg to receive DMARC reports, a rua address monitored by nmg must be set in the domain's DNS record:
nmg receives and processes DMARC reports automatically (via nmg-dmarc-ingest).
Analysis Interface
Filters
- Domain: Select the reporting domain
- Time Range: From-to date selection
- Source: Filter by reporting server (e.g. google.com, microsoft.com)
Result Table
| Column | Description |
|---|---|
| IP | IP address that sent mail on behalf of the domain |
| Hostname | Reverse DNS hostname of the IP |
| Count | Total number of mails in this report |
| SPF | SPF result (pass / fail / none) |
| DKIM | DKIM result (pass / fail / none) |
| DMARC | Overall result (pass / fail) |
| Disposition | Action taken (none, quarantine, reject) |
Interpretation
- All pass + DMARC pass: Legitimate sending, correctly configured
- SPF fail + DKIM pass: Forwarding or mailing list — check if intentional
- Both fail: Third-party sending in the domain's name (possible spoofing attempt)
- Unknown IPs: Check whether own services (newsletter, CRM) are missing
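The interpretation rules above applied to the rows of an aggregate report, as an added example (not nmg code). The report is a constructed sample in the RFC 7489 XML format, `KNOWN_SENDERS` is an assumed list of your own sending IPs, and the `spf-only` verdict covers a case the list above does not mention.

```python
import xml.etree.ElementTree as ET
from collections import Counter
# Constructed sample in the RFC 7489 aggregate format (documentation IPs only).
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count><policy_evaluated>
    <disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>8</count><policy_evaluated>
    <disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>45</count><policy_evaluated>
    <disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

KNOWN_SENDERS = {"192.0.2.10"}  # assumption: IPs of your own sending services

def classify(spf, dkim):
    """Map the aligned SPF/DKIM results to the interpretation cases above."""
    if spf == "pass" and dkim == "pass":
        return "legitimate"
    if dkim == "pass":
        return "forwarding-or-list"   # SPF fail + DKIM pass
    if spf == "pass":
        return "spf-only"             # not in the list above: DMARC passes, DKIM does not
    return "possible-spoofing"        # both fail

def analyse(xml_text, known=KNOWN_SENDERS):
    # Reports arrive from third parties: refuse DTDs and entities before parsing.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD not allowed in aggregate report")
    rows = []
    for row in ET.fromstring(xml_text).iter("row"):
        pe = row.find("policy_evaluated")
        if pe is None:
            continue  # malformed record, nothing to evaluate
        spf, dkim = pe.findtext("spf", "none"), pe.findtext("dkim", "none")
        ip = row.findtext("source_ip", "")
        rows.append({"ip": ip, "count": int(row.findtext("count", "0")),
                     "dmarc": "pass" if "pass" in (spf, dkim) else "fail",
                     "disposition": pe.findtext("disposition", "none"),
                     "verdict": classify(spf, dkim), "unknown_ip": ip not in known})
    return rows

def mail_per_verdict(rows):
    totals = Counter()  # one row can cover many mails, so sum the counts
    for r in rows:
        totals[r["verdict"]] += r["count"]
    return dict(totals)

if __name__ == "__main__":
    print(*analyse(SAMPLE_REPORT), mail_per_verdict(analyse(SAMPLE_REPORT)), sep="\n")
```

Rows with `verdict` of `possible-spoofing` and `unknown_ip` set are the ones to review before moving to a stricter policy.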
Recommended DMARC Policy Progression
| Phase | Policy | Description |
|---|---|---|
| 1 | p=none | Monitoring mode, no actions |
| 2 | p=quarantine; pct=25 | 25% of failing mails go to quarantine |
| 3 | p=quarantine; pct=100 | All failing mails go to quarantine |
| 4 | p=reject | All failing mails are rejected |