Say you've created your DMARC record and published it in the DNS. Now you expect to see some nice reports dripping in, except that none can be found in your specified mailboxes! Why are you missing DMARC reports?
No worries. Let's find out!
Here is a checklist for troubleshooting the issue of not getting DMARC reports:
- is your DMARC record readily available in the DNS, and is the syntax correct?
- is external domain verification (EDV) set up on your domain?
- are the specified mailboxes working as expected?
- have any emails been sent since you published the DMARC record?
- retry after 1 day or 2;
- only some email service providers send forensic (failure) reports.
I will go through the list in detail below.
Check your DMARC record in the DNS
Email service providers (ESPs) rely on the DMARC record published in the DNS to enforce the DMARC policy and find the recipient mailboxes by looking up the rua/ruf tags in the record. So the first thing here is to make sure your DMARC record is published correctly and accessible in the DNS. To do so, use our free DMARC checker to check your DMARC record. Watch out for the record availability and syntax correctness.
Here is a post on How to Check DMARC Record.
Check if external domain verification (EDV) is set up
When you use a rua tag and publish a DMARC record like this:
v=DMARC1; p=none; rua=mailto:email@example.com;
you are requesting compliant email service providers to send aggregate reports to the specified email address firstname.lastname@example.org. However, the owner of email@example.com must grant you the permission before you can do so. Otherwise, these reports won't be sent to that particular email address. This is called external destination verification (EDV).
External destination verification works like this:
- the owner of reporting.com publishes an EDV record at:
with the value v=DMARC1 to the DNS, in order to enable EDV;
- before an email service provider sends an aggregate report to firstname.lastname@example.org, it needs to check if reporting.com has allowed reports on example.com to be sent to it. It does this by looking example.com._report._dmarc.reporting.com up in DNS. If this record exists, and its value is v=DMARC1, the report will be sent; otherwise not.
Note that the above EDV record is per domain, i.e., it only allows reports on example.com to be sent to email@example.com. If you want reports on anotherexample.com to be sent to firstname.lastname@example.org, you will need to publish an EDV record for
If you want to allow reports on any domain to be sent to email@example.com, publish a wildcard EDV record at:
If you are using DMARCLY to process your DMARC reports, you don't need to worry about EDV - DMARCLY handles that for you already.
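The EDV check described above, as an added example (not DMARCLY's code) that finds which rua destinations a report sender would skip. The sample zone, the mailboxes dmarc@reporting.com and rua@anotherexample.com, and all function names are constructed for illustration; the wildcard name follows the RFC 7489 form *._report._dmarc.<destination domain>, and the same-domain test is a simplification of the RFC's organizational-domain comparison.

```python
# Added example; ZONE is constructed sample data standing in for live DNS.
ZONE = {
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@reporting.com;"],
    "example.com._report._dmarc.reporting.com": ["v=DMARC1"],
    "_dmarc.anotherexample.com": [
        "v=DMARC1; p=none; rua=mailto:dmarc@reporting.com,mailto:rua@anotherexample.com;"],
}
MARKER = "._report._dmarc."

def make_lookup(zone):
    """Return a TXT lookup over `zone` that also models wildcard EDV records."""
    def lookup_txt(name):
        # A real authoritative server synthesizes the wildcard answer; modelled here.
        wildcard = "*" + MARKER + name.split(MARKER, 1)[-1]
        return zone.get(name) or zone.get(wildcard, [])
    return lookup_txt

def report_domains(record, tag="rua"):
    """Mail domains named in the mailto: URIs of the rua (or ruf) tag."""
    domains = []
    for part in record.split(";"):
        name, _, value = part.partition("=")
        uris = value.split(",") if name.strip().lower() == tag else []
        for uri in (u.strip() for u in uris):
            if uri.lower().startswith("mailto:"):
                addr = uri[7:].split("!", 1)[0]  # drop an optional "!10m" size limit
                domains.append(addr.rpartition("@")[2].lower())
    return domains

def edv_authorized(policy_domain, dest_domain, lookup_txt):
    """True if a sender may mail reports about policy_domain to dest_domain."""
    # Simplification: RFC 7489 compares organizational domains (Public Suffix List).
    if dest_domain == policy_domain or dest_domain.endswith("." + policy_domain):
        return True
    name = policy_domain + MARKER + dest_domain
    return any(txt.strip().startswith("v=DMARC1") for txt in lookup_txt(name))

def skipped_destinations(policy_domain, lookup_txt):
    """rua domains that senders will skip because no EDV record authorizes them."""
    records = lookup_txt("_dmarc." + policy_domain)
    if not records:
        raise LookupError("no DMARC record published for " + policy_domain)
    return [d for d in report_domains(records[0])
            if not edv_authorized(policy_domain, d, lookup_txt)]

if __name__ == "__main__":
    lookup = make_lookup(ZONE)
    for domain in ("example.com", "anotherexample.com"):
        print(domain, "-> skipped:", skipped_destinations(domain, lookup))
```

To run the same logic against live DNS, replace make_lookup with a function that returns the TXT strings for a name from your resolver of choice.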
Make sure your recipient mailboxes are accepting emails
It goes without saying that the specified mailboxes must be able to accept emails with XML/zip/gz(ip) attachments so that DMARC reports can go through. If you are not seeing any report after a few days, check your mailbox settings to make sure nothing is blocking the incoming reports.
If you are using DMARCLY, you don't need to worry about this. DMARCLY mailboxes accept DMARC report emails just fine (of course).
There need to be emails sent from your domain
This is another obvious point: if there is no email sent from your domain, you won't see any DMARC report whatsoever! So make sure emails have been sent from the domain. In addition, if your email volume is low, there can be an additional few days before you receive your first reports.
Retry after 1 day or 2
ESPs send DMARC aggregate reports periodically, typically every day by default. This means it's absolutely normal if it takes 1 day or 2 to get your first aggregate reports.
Only some ESPs support forensic reports
Unlike DMARC aggregate reports, which are universally supported, only some ESPs support forensic reports. Many ESPs don't send forensic/failure reports for the following reasons:
- forensic/failure reports contain personally identifiable information, like sender, recipient, subject, etc., therefore these ESPs don't send them to avoid privacy issues;
- supporting forensic/failure reports requires a lot of resources on the receiving server. For each failing email, a forensic report is generated. If a lot of spoofed emails are sent, it can bring the receiving server to its knees.
You won't get any forensic reports from ESPs who don't support forensic reports.
Upload historical data
In case you are so eager to see DMARC aggregate data in the dashboard and you don't want to wait until the next day, you can upload your historical data so that DMARCLY can render it.
Go to the upload page, and upload the DMARC aggregate report files there. Once uploaded, your data will show up instantly on the Aggregate Reports page. Remember to pick the correct date range when the reports were received when you view the data.
After you've struck the items off the checklist above, you should be fine. Just sit back, relax, and grab a beer. Your DMARC reports are on the way to your mailboxes!
However, if you are still experiencing issues at this point, please drop a line at: firstname.lastname@example.org. We are happy to help!