DMARC Report Parsing for Indie Hackers
As an indie hacker, you're constantly shipping, iterating, and talking to users. Email is often your primary communication channel, whether it's transactional, marketing, or support. You rely on emails landing in inboxes, not spam folders. This is where DMARC comes in, and understanding its reports is crucial, even if the raw XML looks like something from a forgotten ancient internet.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol designed to protect your domain from unauthorized use, such as spoofing and phishing. It builds on two older protocols, SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), by adding a reporting mechanism and a policy for what to do with emails that fail authentication.
The core benefit for you is improved email deliverability and brand reputation. When you tell the world, "Only these services are allowed to send email from my domain," you're making it harder for spammers to impersonate you. The challenge? DMARC reports, sent daily to an email address you specify, are dense XML files. They're nearly impossible to read manually, especially when you're sending thousands of emails through multiple services. That's where parsing comes in – turning that XML into actionable insights.
What's in a DMARC Report Anyway?
A DMARC aggregate report provides a summary of all email traffic claiming to be from your domain over a specific period. It doesn't give you individual email details (that's what forensic reports, ruf, are for, but they're less commonly used due to privacy concerns). Instead, it tells you:
- record: This section details a specific set of emails.
  - source_ip: The IP address that sent the email.
  - count: How many emails were sent from that IP.
  - policy_evaluated: Shows the DMARC policy (p=, sp=) applied to these emails and whether SPF/DKIM passed or failed. Crucially, it also tells you if the alignment passed.
- auth_results: For each record, this section shows the raw SPF and DKIM authentication results.
  - spf: Indicates if the SPF check passed or failed.
  - dkim: Indicates if the DKIM check passed or failed.
The most important part here isn't just whether SPF or DKIM passed their individual checks, but whether they aligned with your From: domain. This distinction is where most DMARC failures happen.
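A minimal parser for the fields listed above, written for this article as an added example (not code from any DMARC tool). The sample report is constructed, and the function name `summarize` and its output keys are hypothetical. It flags sources where the raw SPF or DKIM check passed but the aligned result in policy_evaluated did not.

```python
import xml.etree.ElementTree as ET

# Constructed sample report, trimmed to the elements discussed above.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourdomain.com</domain><result>pass</result></dkim>
      <spf><domain>bounce.sendgrid.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><spf><domain>unknown.example</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>"""

def summarize(xml_text):
    """Return one dict per record: source, volume, DMARC verdict, unaligned passes."""
    # Reports arrive from third parties: refuse DTDs so entity tricks never reach the parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not expected in a DMARC report")
    root = ET.fromstring(xml_text)  # assumes un-namespaced elements
    rows = []
    for rec in root.iter("record"):
        ev = rec.find("row/policy_evaluated")
        if ev is None:
            continue  # malformed record: nothing to evaluate
        # policy_evaluated holds the *aligned* result for each mechanism.
        aligned = {m: ev.findtext(m, "fail") == "pass" for m in ("spf", "dkim")}
        # auth_results holds the *raw* result; a raw pass without alignment is the fixable case.
        unaligned = [(m, res.findtext("domain"))
                     for m in ("spf", "dkim") if not aligned[m]
                     for res in rec.findall(f"auth_results/{m}")
                     if res.findtext("result") == "pass"]
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count", "0")),
            "header_from": rec.findtext("identifiers/header_from"),
            "dmarc_pass": aligned["spf"] or aligned["dkim"],
            "passed_but_unaligned": unaligned,
        })
    return rows
```

If a reporter sets an XML namespace on the feedback element, strip it before calling `summarize`, since the element paths here are un-namespaced.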
The Alignment Problem: SPF and DKIM Explained
DMARC's power comes from its alignment requirement. For an email to pass DMARC, either SPF or DKIM (or both) must pass and align with the From: header domain.
SPF Alignment
SPF checks the Return-Path (also known as the envelope sender) domain against the From: header domain.
- Relaxed Alignment (recommended for most): The Return-Path domain just needs to be the same organizational domain as the From: header domain. For example, if your From: is hello@example.com, a Return-Path of bounces.mailprovider.com would pass relaxed alignment if mailprovider.com is your organization's domain (e.g., via a CNAME).
- Strict Alignment: The Return-Path domain must exactly match the From: header domain.
Why it fails: Many third-party email services (like SendGrid, Postmark, AWS SES) use their own domain in the Return-Path by default. If your From: header is you@yourdomain.com but the Return-Path is bounce.sendgrid.net, SPF will pass its initial check (because sendgrid.net is authorized to send for sendgrid.net), but it will fail DMARC's SPF alignment because sendgrid.net does not align with yourdomain.com.
The Fix: You need to configure the third-party service to use a custom Return-Path that's a subdomain of your domain. This typically involves adding CNAME records to your DNS.
DKIM Alignment
DKIM uses a digital signature attached to the email header. The signature includes a d= tag, which specifies the signing domain. DKIM alignment checks if this d= domain matches the From: header domain.
- Relaxed Alignment (recommended): The d= domain just needs to be the same organizational domain as the From: header domain.
- Strict Alignment: The d= domain must exactly match the From: header domain.
Why it fails:
1. Third-party services: If a service signs emails with its own domain (e.g., d=mailchimpapp.net) while your From: is you@yourdomain.com, DKIM will pass its check but fail DMARC alignment.
2. Email Forwarding: When an email is forwarded, the contents and headers can be altered, invalidating the original DKIM signature.
The Fix: Configure the third-party service to sign emails using your domain. This usually involves adding specific CNAME records to your DNS that point to the service's DKIM keys.
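The relaxed and strict alignment rules from the SPF and DKIM sections above, as an added example that is not part of the original article. The function names are hypothetical, and `PUBLIC_SUFFIXES` is a small constructed stand-in for the Public Suffix List, which a real check must load in full to find organizational domains correctly.

```python
# Constructed stand-in for the Public Suffix List (assumption: real code loads the full list).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

def organizational_domain(domain):
    """Public suffix plus one label, e.g. mail.yourdomain.com -> yourdomain.com."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: assume a single-label TLD

def is_aligned(header_from, auth_domain, mode="r"):
    """mode 'r' = relaxed (same organizational domain), 's' = strict (exact match)."""
    a = header_from.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)

def dmarc_verdict(header_from, spf, dkim, aspf="r", adkim="r"):
    """spf is (Return-Path domain, result); dkim is (d= domain, result).

    DMARC passes when at least one mechanism both passes and aligns with From:.
    """
    spf_ok = spf[1] == "pass" and is_aligned(header_from, spf[0], aspf)
    dkim_ok = dkim[1] == "pass" and is_aligned(header_from, dkim[0], adkim)
    return spf_ok or dkim_ok

if __name__ == "__main__":
    # Default third-party setup from the text: both checks pass, neither aligns.
    print(dmarc_verdict("yourdomain.com",
                        ("bounce.sendgrid.net", "pass"),
                        ("mailchimpapp.net", "pass")))
    # After configuring a custom Return-Path on a subdomain: SPF now aligns (relaxed).
    print(dmarc_verdict("yourdomain.com",
                        ("mail.yourdomain.com", "pass"),
                        ("mailchimpapp.net", "pass")))
```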
Common Pitfalls and Real-World Scenarios
Here are some scenarios you'll likely encounter as an indie hacker, and how DMARC reports help you debug them.
Pitfall 1: Transactional Emails (AWS SES, Postmark, SendGrid)
These services are popular for their reliability and APIs. However, their default configurations can lead to DMARC alignment failures.
Example 1: AWS SES (Amazon Simple Email Service)
By default, when you send an email via SES, the Return-Path (for SPF) will look something like 0102018a1a3b4c5d-6e7f8g9h-0i1j-2k3l-4m5n6o7p8q9r@eu-west-1.amazonses.com. If your From: header is support@yourdomain.com, SPF will pass its check (because amazonses.com is authorized to send for itself), but it will fail DMARC SPF alignment because amazonses.com doesn't align with yourdomain.com.
To fix this and achieve SPF alignment, you need to set up a Custom MAIL FROM Domain in SES. This involves:
1. Choosing a subdomain, e.g., mail.yourdomain.com.
2. Adding an MX record for mail.yourdomain.com pointing to SES's inbound mail servers.
3. Adding an SPF TXT record for mail.yourdomain.com (e.g., v=spf1 include:amazonses.com ~all).
4. Configuring SES to use mail.yourdomain.com as your custom MAIL FROM domain.
After this, your Return-Path will become bounces@mail.yourdomain.com, which will align with yourdomain.com for DMARC SPF.
For DKIM with SES, you'll typically set up an Easy DKIM or Bring Your Own DKIM, which involves adding CNAME records that allow SES to sign emails with d=yourdomain.com, ensuring DKIM alignment.
Example 2: Postmark
Postmark is often praised for its deliverability. They make DMARC alignment relatively straightforward. When you add a sender signature, Postmark gives you two CNAME records:
* One for DKIM: pm-dkim.yourdomain.com CNAME pm-dkim.postmarkapp.com. This ensures emails are signed with d=yourdomain.com.
* One for SPF (Custom Return-Path): pm-bounces.yourdomain.com CNAME `pm