Spent some time analyzing DMARC report emails from the last 3 days across nearly 3,500 reporting organizations and the results surprised me enough that I figured this subreddit would appreciate it.
When looking at organizations that sent a substantial volume of reports, only 9 were fully RFC compliant. Most major senders had at least one issue.
The most common problems were pretty basic: missing required fields like version, envelope_from, and SPF scope, invalid attachment filenames/media types, empty <sp/> tags, and invalid values like sampled_out, unknown, hardfail, and even Pass with a capital P.
Some big providers came close. Comcast, Microsoft, and Fastmail were nearly compliant but still had edge case issues.
Others were much worse. Yahoo, Google, Amazon SES, and Mimecast generated large volumes of non-compliant reports.
At scale, these “small” XML issues become real interoperability problems. They break parsers, create data loss, and force DMARC platforms to build endless parser workarounds.
What surprised me most is how something as clearly documented as an RFC can still be implemented so inconsistently, even by some of the organizations that helped shape the standard. Looking at you, Google, Microsoft, and Yahoo 😄
And for anyone thinking “how hard can parsing DMARC aggregate reports be?”, expect the unexpected. Real-world DMARC data is full of edge cases, missing fields, invalid values, and creative interpretations of the spec that you won’t find in the RFC examples.
More details here: https://www.uriports.com/blog/dmarc-reports-ietf-rfc-compliance/