What does count mean in a DMARC XML report?

The count field is the number of messages that matched this specific combination of source IP, authentication results, and policy outcome during the reporting period. A single record can represent millions of messages from a high-volume sender like Google Workspace or Mailchimp.

What is the difference between dkim in policy_evaluated and dkim in auth_results?

The dkim field inside policy_evaluated tells you whether DKIM passed AND aligned with your From: domain (which is what DMARC cares about). The dkim section inside auth_results tells you the raw DKIM signature result for each domain that signed the message, regardless of alignment. You can have a raw dkim pass in auth_results but still fail DMARC if the signing domain does not align.

What does adkim and aspf mean in policy_published?

adkim controls DKIM alignment mode: r (relaxed) allows organizational domain matches, s (strict) requires exact domain matches. aspf controls SPF alignment mode with the same r/s values. Most domains use relaxed alignment (adkim=r, aspf=r) to accommodate subdomains and third-party senders.

DMARC XML Report Fields Explained — Complete Field Reference

Q: What does the source_ip field mean in a DMARC report?

The source_ip field contains the IP address of the mail server that sent the message claiming to be from your domain. This is the server that the receiving provider actually connected from — not the domain in the From: header. Identifying the source IP is critical for understanding which sending services are generating DMARC pass or fail results.

Q: What is the difference between disposition and policy_evaluated in a DMARC report?

policy_evaluated shows what DMARC actually decided to do with the message (none, quarantine, or reject), based on your published policy and the pct (percentage) tag. disposition is what the receiving mail server actually did with the message. These can differ when a server overrides the policy for local reasons.

You downloaded a DMARC aggregate report and opened the XML. What you saw probably looked like this: hundreds of nested elements with names like policy_evaluated, auth_results, and disposition. This reference decodes every field, one by one, in plain English.

NoteWhat is a DMARC aggregate report? — A DMARC aggregate report (also called an RUA report) is an XML file that receiving mail servers send to your domain to report how they handled mail claiming to be from you. Every Gmail, Outlook, and Yahoo server that receives your email sends one of these daily.

Top-level structure

Every DMARC XML file has exactly one root element: feedback. Inside it you will always find two metadata sections followed by one or more record elements.

<feedback>
  <report_metadata>…</report_metadata>
  <policy_published>…</policy_published>
  <record>…</record>
  <record>…</record>
</feedback>

The number of record elements equals the number of unique combinations of source IP, authentication result, and policy outcome observed during the reporting period. A single report from Google can have thousands of records.

report_metadata fields

The report_metadata block identifies who sent the report and when.

Field	Example value	What it means
`org_name`	Google LLC	The name of the receiving organization that generated this report. Common values: Google LLC, Microsoft Corporation, Yahoo Inc.
`email`	noreply-dmarc-support@google.com	The email address of the reporting organization. Not a contact you can reply to.
`report_id`	12345678901234567	A unique identifier for this specific report, assigned by the sender. Useful for deduplication when processing multiple reports.
`date_range/begin`	1751241600	Unix timestamp for the start of the reporting period. Typically 00:00:00 UTC of the report day.
`date_range/end`	1751327999	Unix timestamp for the end of the reporting period. Typically 23:59:59 UTC — so most reports cover exactly one day.

policy_published fields

The policy_published block records the DMARC policy that was in your DNS at the time the messages were received. This is a snapshot of your policy as the receiving server saw it — not your current policy.

Field	Possible values	What it means
`domain`	example.com	The domain for which this DMARC policy applies — the domain in your From: header.
`adkim`	r, s	DKIM alignment mode. r (relaxed) allows organizational domain matches. s (strict) requires exact domain match. Most domains use r.
`aspf`	r, s	SPF alignment mode. Same r/s values as adkim. Controls whether the SPF-authenticated domain must exactly match the From: domain.
`p`	none, quarantine, reject	Your DMARC policy for the organizational domain. none = monitoring only. quarantine = send to spam. reject = block the message.
`sp`	none, quarantine, reject	Subdomain policy. Applies to all subdomains not explicitly listed. If omitted, falls back to p.
`pct`	0–100	The percentage of non-passing messages to which the policy is applied. Useful for gradual rollout. pct=100 means full enforcement.

record — the core data

Each record represents a unique sending scenario observed during the reporting period. If Google saw 12 different IP addresses sending mail from your domain, there will be 12 or more records (potentially more if the same IP had different auth results).

row fields

Field	Example value	What it means
`source_ip`	209.85.128.0	The IP address of the mail server that delivered the message. This is the actual sending server — a Google Workspace IP, a Mailchimp relay, your own mail server, or a spoofing attempt.
`count`	4821	How many messages this record represents. One record can cover millions of identical authentication results from the same source. High counts from unknown IPs are a red flag.

policy_evaluated fields

This is what DMARC decided, based on your policy and the authentication results.

Field	Possible values	What it means
`disposition`	none, quarantine, reject	What the receiving server actually did with the message. May differ from your published policy if the server applied a local override.
`dkim`	pass, fail	Whether DKIM passed AND aligned with your From: domain. This is the DMARC DKIM result — a raw DKIM pass that is misaligned still shows as fail here.
`spf`	pass, fail	Whether SPF passed AND aligned with your From: domain. Same alignment logic applies: a pass on a misaligned domain shows as fail in DMARC context.

NoteDMARC pass requires only one of the two. — A message passes DMARC if either DKIM or SPF (or both) show pass in policy_evaluated. Both failing means the message failed DMARC entirely.

auth_results fields

The auth_results section gives you the raw authentication results, separate from alignment. This is where you diagnose why alignment failed.

Field	Example value	What it means
`dkim/domain`	mailchimp.com	The domain used in the DKIM signature — the `d=` value. If this does not match or share an organizational domain with your From: header domain, DMARC DKIM alignment fails.
`dkim/result`	pass, fail, temperror, permerror, neutral, policy, none	The raw DKIM signature verification result. `pass` = signature valid. `fail` = signature invalid or key missing. `permerror` = misconfigured DKIM record.
`dkim/selector`	k1	The DKIM selector used to find the public key in DNS. Useful for diagnosing which signing key was used.
`spf/domain`	mailchimp.com	The domain used in the SPF check — the envelope sender (Return-Path) domain. For DMARC alignment, this must match your From: domain.
`spf/result`	pass, fail, softfail, neutral, none, temperror, permerror	The raw SPF lookup result. `pass` = sending IP is authorized. `softfail` = IP not explicitly authorized (often ~all in SPF record). `fail` = IP explicitly blocked (-all).

Reading a complete record: annotated example

<record>
  <row>
    <source_ip>198.2.128.150</source_ip>     <!-- Mailchimp relay IP -->
    <count>12847</count>                      <!-- 12,847 messages -->
    <policy_evaluated>
      <disposition>none</disposition>         <!-- p=none, so no action -->
      <dkim>pass</dkim>                       <!-- DKIM aligned ✓ -->
      <spf>fail</spf>                         <!-- SPF not aligned ✗ -->
    </policy_evaluated>
  </row>
  <auth_results>
    <dkim>
      <domain>example.com</domain>            <!-- matches From: domain -->
      <selector>mc1</selector>
      <result>pass</result>                   <!-- signature valid -->
    </dkim>
    <spf>
      <domain>mcsv.net</domain>               <!-- Mailchimp envelope domain -->
      <result>pass</result>                   <!-- SPF passes for mcsv.net -->
    </spf>                                    <!-- but mcsv.net ≠ example.com -->
  </auth_results>
</record>

This record passes DMARC (because DKIM is aligned and passing) even though SPF alignment fails. The message is from Mailchimp, which signs with your domain via DKIM but sends using its own envelope domain.

Common field combinations and what they mean

DKIM (policy_evaluated)	SPF (policy_evaluated)	DMARC result	Most likely cause
pass	pass	PASS	Fully authenticated mail from a correctly configured sender.
pass	fail	PASS	Third-party sender (ESP like Mailchimp) with DKIM set up correctly but using its own envelope domain.
fail	pass	PASS	Your own mail server (SMTP) with correct SPF but no DKIM, or DKIM signing the wrong domain.
fail	fail	FAIL	Spoofing attempt, misconfigured sender, or forwarded mail that broke both SPF and DKIM.

Diagnosing failures: what to look for

High count DMARC failures from unknown IPs — Check the source IP against known ESP ranges. If it does not belong to any service you use, it is likely spoofing or phishing.
DKIM fail with auth_results showing pass — The DKIM signature verified, but the signing domain (dkim/domain in auth_results) does not align with your From: domain. Fix: configure your ESP to sign with your domain instead of its own.
SPF fail with auth_results showing pass — SPF verified for the envelope domain, but that domain does not align with your From: domain. Fix: either add the sending IP to your own SPF record or configure DKIM alignment instead.
disposition = quarantine or reject despite p=none — The receiving server applied a local policy override. This is rare but indicates the server ignores your published p=none in certain conditions.

TipInstead of manually parsing this XML, upload your report to the DMARC Labs analyzer. It decodes every field instantly, enriches each source IP with WHOIS data, and shows you pass/fail rates in a readable dashboard — no signup required.

Frequently asked questions

What does the source_ip field mean in a DMARC report?

The source_ip field contains the IP address of the mail server that actually delivered the message to the receiving provider. This is the outbound SMTP server — a Google Workspace relay, a Mailchimp IP, your office mail server, or a spoofing server. Identifying and cross-referencing these IPs is the core task in DMARC report analysis.

What is the difference between disposition and policy_evaluated?

policy_evaluated/disposition is what DMARC calculated should happen based on your policy and the authentication result. The actual disposition is what the receiving server did. These differ when a server applies a local override — for example, a mailbox provider might refuse to reject mail even when your policy says p=reject if the message passed a reputation check.

Why does count matter?

Count lets you prioritize. A failure with count=1 is background noise. A failure with count=500,000 means half a million of your emails are failing DMARC and potentially being rejected. Always sort your records by count descending before investigating.

Every field in the DMARC XML format serves a specific diagnostic purpose. The fastest way to analyze them without manually reading XML is to upload your report to DMARC Labs — your file is processed entirely in your browser, never sent to a server.