DMARCGuardian Practical help for DMARC, SPF, DKIM, and BIMI.

Blog · Dmarc

Why Your DMARC Report Parser Keeps Breaking (And How to Fix It)

By Dmarcguardian Editorial Team ·

If you have ever uploaded a DMARC aggregate report and watched your parser spit out an error, or worse, silently drop data, you are not alone. According to research from DMARC analytics provider URIports, only 9 out of approximately 3,500 reporting organizations consistently send fully RFC-compliant DMARC reports. The rest generate reports that break standard parsers, often in ways that are hard to debug and easy to blame on your own code.

This is a real problem for anyone building DMARC reporting pipelines. Tools like DMARCFlow exist precisely because the RFC and reality do not match and the gap causes data loss in production environments.

Here is why it happens and what to do about it.

Why DMARC Reports Fail to Parse

The DMARC aggregate report format is documented in RFC 7489, which specifies the structure of the XML payload, required fields, and expected values. In practice, parsers encounter two broad categories of failure: structural violations and value violations.

Missing Required Fields

Every DMARC aggregate report must include certain fields. The most commonly missing ones in non-compliant reports are:

  • version: the DMARC protocol version, which must appear in every report
  • envelope_from: the RFC 5321 Mail From domain used during the SMTP session
  • spf_scope: explicitly declares whether SPF was evaluated for mailfrom or helo - but many reports omit it or use invalid values

Without these fields, a strict XML parser will reject the document or produce incomplete data.

Invalid Attachment Filenames and Media Types

DMARC reports are delivered as email attachments with specific naming conventions. RFC 7489 specifies that aggregate reports should use a .zip extension and application/zip media type, but some senders use .gzip, .xml.gz, or other variants that cause parsers to skip them entirely or misclassify the content.

Empty Tags and Invalid Enumerated Values

A surprisingly common violation: empty tags, where the element (SPF scope) is present but contains no value. When a parser expects relaxed or strict and finds nothing, it throws an exception or defaults incorrectly.

Even more common: case-sensitive enumerated values written incorrectly. The RFC specifies lowercase, pass, fail, hardfail, but many major providers send Pass, Fail, hardfail (inconsistent casing), or even unsupported values like unknown, sampled_out, or the draft-era softfail. None of these should appear in a production DMARC report, but all of them do.

Which Providers Generate Non-Compliant Reports?

The short answer: almost all of them, at least some of the time.

URIports analysis found that Google, Yahoo, Amazon SES, and Mimecast generated large volumes of non-compliant reports. Comcast, Microsoft, and Fastmail came close to full compliance but still had edge case issues in their report-generating code.

The pattern is predictable: the more report volume a provider sends, the more edge cases their report generation encounters. When you are sending millions of aggregate reports per day, even a 0.1% rate of RFC violations becomes a constant stream of broken payloads for your parser.

This is not abstract. If you process DMARC reports at any scale, you have almost certainly received a report from Google or Yahoo that your parser could not handle cleanly.

How to Handle Non-Compliant DMARC Reports

The practical solution is not to demand better behavior from report senders, you have no control over that. The solution is to build or use a parser that does not assume RFC-perfect input.

Do Not Assume Clean Input

e RFC-perfect input.

 

Use a Parser That Handles Edge Cases

A DMARC parser that breaks on the first non-compliant report it encounters is not production-ready. DMARCFlow is designed to process DMARC aggregate reports in exactly this environment, normalizing RFC edge cases automatically before the data enters your reporting pipeline. This includes case normalization for SPF and DKIM results, default values for missing optional fields, and graceful handling of invalid enumerated values. The result is that you get usable data from reports that would otherwise crash your parser or produce gaps in your visibility.

If you are building your own pipeline, the principle to follow is the same: normalize everything before you process it, and log rather than crash on edge cases.

Report Failures Back

If a sending organization is generating reports that you cannot process, and their reports are the ones most relevant to your domain, it is worth notifying them. Most providers have a postmaster or abuse contact specifically for this purpose. A short, specific message with an example of the failing XML element tends to get faster responses than a generic complaint.

FAQ

Can I just ignore non-compliant reports?

You can, but you will have gaps in your visibility. Non-compliant reports often come from low-volume or problematic senders, exactly the cases where you want more data, not less. A parser that skips non-compliant reports silently underreports your actual sending landscape.

How do I tell a major email provider their reports are broken?

Most large providers have published postmaster pages with contact information for reporting issues:

  • Google: postmaster.google.com
  • Microsoft: postmaster.microsoft.com
  • Yahoo: postmaster.yahoo.com

 

Include the specific XML snippet that fails and the expected format from RFC 7489.

Does DMARCFlow handle non-compliant reports?

Yes. DMARCFlow normalizes RFC edge cases, including case normalization, missing field defaults, and invalid enumerated value correction, before the report data is processed. If a report has malformed XML or non-compliant field values, DMARCFlow extracts what it can rather than discarding the entire payload.

The Bottom Line

DMARC report parsing is a solved problem in theory and a messy problem in practice. The RFC exists, the format is documented, and yet real-world reports from real-world providers consistently deviate from the spec in ways that break strict parsers.

The fix is not to write a more careful parser - it is to write a more tolerant one. Treat every DMARC report as potentially non-compliant. Normalize before you process. And if your current tool drops data when it encounters an invalid Pass instead of pass, that tool is not production-ready.