DMARC Analyzer 2.0 - Aggregate Reports

Overview

The Aggregate Reports section in Mimecast DMARC Analyzer provides a comprehensive view of your email authentication performance across all domains. It is designed to help you:

  • Understand DMARC compliance over time
  • Analyze SPF and DKIM authentication results
  • Identify invalid or suspicious email flows
  • Drill down from a high‑level domain overview to specific sources, servers, and reporting organizations

To access the Aggregate Reports, follow these simplified steps:

  1. Log in to the Mimecast Administration Console
  2. On the left panel, navigate to More Services | DMARC Analyzer 2.0 | Aggregate Reports

Aggregate reports are generated from DMARC XML reports that receiving mail servers send for your domains. Mimecast ingests and normalizes this data, then exposes it through a set of focused views:

  1. Aggregate Reports Overview – domain‑level performance and trends
  2. Per Source – behavior and status of individual message sources
  3. Detail View – granular, server‑level data with advanced filtering
  4. Per Organization – visibility into who is reporting on your domains

Considerations

Before working with Aggregate Reports, keep the following in mind:

Data Availability and Timing

  • DMARC aggregate reports are typically generated daily by receiving providers.
  • It can take up to 24–48 hours for new traffic patterns or configuration changes (e.g., SPF/DKIM/DMARC updates) to be fully reflected.

Scope of Data

  • Aggregate reports show summarized authentication outcomes (counts and percentages), not individual message content.
  • Use them to identify trends and problem patterns, rather than to investigate specific messages.

Domain and Subdomain Strategy

  • Ensure that all relevant domains and subdomains are configured in DMARC Analyzer so their DMARC XML reports are processed and visible.
  • When changing policies (e.g., from p=none to p=quarantine or p=reject), monitor aggregate reports closely to catch misconfigured sources early.

Authentication Alignment vs. Validation

  • Authenticated flows pass SPF or DKIM checks.
  • DMARC-compliant flows are authenticated and aligned with the domain in the From: header.
  • Understanding this distinction is critical when interpreting charts and tables across the Aggregate Reports views.

Using Multiple Views Together

  • Start with the Aggregate Reports Overview to understand overall posture.
  • Use Per Source to see which senders are causing issues.
  • Drill down in Detail View to identify problematic servers or geographies.
  • Check Per Organization to see how major providers are reporting on your domains.

Aggregate Reports Overview

The Aggregate Reports Overview tab gives a domain‑centric summary of DMARC, SPF, and DKIM performance.

Summary Cards

At the top of the page, three summary cards provide a high‑level overview:

  1. DMARC Compliant
     • Shows the percentage of domains and messages that are DMARC‑compliant (SPF or DKIM aligned).
     • Includes the total number of messages (e.g., 340 / 440).
  2. Authenticated
     • Shows the percentage of domains and messages that are authenticated (SPF or DKIM valid), regardless of alignment.
     • Includes the total number of messages sent.
  3. Invalid Flows
     • Highlights the percentage of domains and messages where both SPF and DKIM failed.
     • Includes the total number of messages sent.
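
The three statuses on these cards can be reproduced from a raw DMARC aggregate XML report, which makes the alignment versus authentication distinction concrete. This is an added example, not Mimecast's code: it assumes the RFC 7489 report layout without an XML namespace, applies the bucket rules as this page describes them, and runs on a constructed sample report.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the RFC 7489 aggregate report layout (not real data).
SAMPLE = """<feedback>
 <report_metadata><org_name>reporter.example</org_name></report_metadata>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>340</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
   <spf><domain>bounce.esp.example</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>60</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>forwarder.example</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>203.0.113.99</source_ip><count>40</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
</feedback>"""


def classify(record):
    """Return the status bucket for one <record> element."""
    evaluated = record.find("row/policy_evaluated")
    # policy_evaluated carries the aligned (DMARC) outcome for DKIM and SPF.
    if "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf")):
        return "dmarc_compliant"
    # auth_results carries the raw checks, whichever domain they passed for.
    raw = [r.text for r in record.findall("auth_results/*/result")]
    return "authenticated" if "pass" in raw else "invalid"


def summarize(xml_text):
    """Sum message counts per (header_from, bucket) across all records."""
    # Reports come from third parties: use a hardened XML parser in production.
    totals = Counter()
    for record in ET.fromstring(xml_text).iter("record"):
        domain = record.findtext("identifiers/header_from")
        count = int(record.findtext("row/count"))
        totals[(domain, classify(record))] += count
    return totals


if __name__ == "__main__":
    for (domain, bucket), n in sorted(summarize(SAMPLE).items()):
        print(f"{domain:15} {bucket:16} {n}")
```

In the first record SPF passes for `bounce.esp.example` but is not aligned with the From: domain, so the record is compliant only because DKIM is aligned; the second record is the typical forwarder pattern, authenticated but not compliant.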

DMARC Status by Date Chart

A bar chart visualizes email volume over time by status:

  • DMARC Correct (green) – DMARC‑compliant messages.
  • Authenticated (blue) – authenticated but not DMARC‑compliant.
  • Invalid Flows (red) – authentication failures.

Use this chart to:

  1. Track trends after configuration changes (e.g., enabling DKIM, adjusting SPF).
  2. See the effect of moving from monitoring to enforcement.

DMARC Status Domains Table

A detailed table provides domain‑specific metrics:

  • From Domain – domain in the message From: header.
  • Volume – total number of messages for the domain.
  • DMARC Compliance – percentage of DMARC‑compliant messages.
  • DKIM Aligned / Authenticated / Failed – alignment, pass, and fail rates for DKIM.
  • SPF Aligned / Authenticated / Failed – alignment, pass, and fail rates for SPF.

Users can expand a row to see additional details for a specific domain by clicking the drop-down icon.

Search, Filters, and Date Range

  1. Search for Domain – quickly locate a specific domain.
  2. Filter by / Groups – refine the table by criteria such as domain groups.
  3. Date Range Selector – choose a custom analysis period (default is last 60 days; configurable via Start Date and End Date).

Aggregate Reports – Per Source

The Per Source View provides detailed insights into email authentication performance for individual message sources (e.g., ESPs, forwarders, third‑party services, or unauthorized senders).

Summary Cards

Three summary cards group sources by behavior:

  1. DMARC Capable
     • Number of sources aligned with DMARC policies.
     • Includes total messages for these sources (e.g., 340 / 440).
  2. Forwarders
     • Number of sources where the sending domain differs from the original sending domain.
     • Includes total messages sent by forwarders.
  3. Failed
     • Number of sources where DMARC checks failed.
     • Includes total messages sent from failing sources.

Message Sources Table

A table breaks down each message source and its performance:

  • Message Source – name of the platform or service (e.g., G Suite, Yahoo, Acme).
  • Source Type – label such as Forwarder, DMARC Capable, or Failed.
  • Status – operational status (e.g., “Investigation”, “Authorized”, “Unauthorized”).
  • Domains – number of domains associated with the source.
  • Volume – total number of messages for that source.
  • DMARC Compliance – percentage of messages that are DMARC‑compliant.
  • DKIM Verification – percentage of messages with valid DKIM signatures.
  • SPF Verification – percentage of messages with valid SPF records.

Row expansion provides additional detail for a given source.

Aggregate Reports – Detail View

Features and Functionality

The Detail View is the most granular Aggregate Reports view. It exposes per‑source and per‑server data so you can investigate specific flows and root causes of failures.

Summary Cards

Two cards summarize the authentication status:

  1. DMARC Compliant
     • Number of sources that are DMARC‑compliant (SPF or DKIM aligned).
     • Includes both source count and messages (e.g., 4 sources, 340 / 440 messages).
  2. Invalid Flows
     • Number of sources where DMARC checks failed.
     • Includes total messages for these invalid flows.

Advanced Filtering

The Advanced Filtering panel lets you build targeted queries:

  • Filter by message source, status, domains, and other parameters.
  • Combine criteria to isolate specific patterns (e.g., failures from a region, provider, or IP range).

Message Sources Table

The main table shows source‑level detail similar to Per Source, optimized for investigation:

  • Message Source – name of the sending source.
  • Status – e.g., “Investigation”, “Authorized”, “Unauthorized”.
  • Domains – domain count linked to that source.
  • Volume – messages sent.
  • DMARC Compliance – DMARC‑compliant percentage.
  • DKIM Verification – DKIM pass rate.
  • SPF Verification – SPF pass rate.

You can expand each source to reveal server‑level detail.

Expanded Source Details (Server‑Level Data)

Expanding a row exposes deep technical information for each server associated with the source:

  • From Domain – domain in the message From: header.
  • IP Address – sending server IP.
  • PTR Record – reverse DNS record for the server.
  • Country – geographic location of the server.
  • Messages – volume for that server.
  • Policy Applied – DMARC policy outcome (e.g., “Quarantine”, “Reject”).
  • Override Reason – whether any override changed the policy outcome and why.
  • DKIM Verification – pass/fail status at server level.
  • SPF Verification – pass/fail status at server level.

Aggregate Reports – Per Organization

The Per Organization View focuses on DMARC XML reporters—the organizations (typically mailbox providers) that send DMARC aggregate reports for your domains.

Top 10 DMARC XML Reporters Chart

A bar chart displays the top 10 organizations sending DMARC XML reports over the selected date range.

  1. Each bar is color‑coded per organization (e.g., Google, Yahoo, Outlook).
  2. The chart shows a daily breakdown of report volumes, helping you:
     • See which providers are most active in monitoring your domains.
     • Identify changes in reporting behavior over time.

Total Reporters Table

A table lists all organizations that have sent DMARC XML reports:

  1. Provider – name of the reporting organization or email provider (e.g., Google, Yahoo, Outlook).
  2. Total Reports – total number of DMARC XML reports received from that provider in the chosen date range.

Users can search for a specific provider using Search for Provider.

 
