A Beginner’s Guide to DMARC Aggregate Reports: Monitoring Email Authentication Like a Pro

DMARC aggregate reports (also called RUA reports) are XML files sent by mailbox providers that help you monitor whether your email authentication (SPF, DKIM) is working — and who else is sending mail on your behalf. They’re essential for catching spoofing attempts, fixing misconfigurations, and gradually enforcing your DMARC policy. This guide breaks down what they are, how to read them, tools you can use, and how to act on what they reveal.

What is DMARC? (Quick Refresher)

DMARC (Domain-based Message Authentication, Reporting & Conformance) is a rule you set for your domain to tell receiving mail servers what to do if a message claiming to be from you fails SPF and/or DKIM checks.

DMARC tells mailbox providers:

• What action to take when SPF or DKIM fail (none, quarantine, or reject)

• Where to send reports about those failures

Think of DMARC like instructions you give to a bouncer at your party:

A basic DMARC record looks like this:

_dmarc.domain.com TXT "v=DMARC1; p=reject; rua=mailto:dmarc@domain.com; ruf=mailto:forensics@domain.com"

• p=reject: Reject messages that fail both SPF and DKIM

• rua: Send daily aggregate reports here

• ruf: Send real-time forensic failure reports here

What Are DMARC Aggregate and Forensic Reports?

Aggregate Reports (RUA)

RUA reports are daily XML summaries sent by mailbox providers like Google, Yahoo, and Microsoft. They include:

• Volume of email sent from your domain

• Sending IP addresses

• SPF and DKIM pass/fail outcomes

• Domain alignment and applied policy

Think of it as a daily scorecard for your domain’s email health.

Forensic Reports (RUF)

RUF reports are real-time alerts about individual emails that fail DMARC. These are more detailed and may include email headers or partial content.

What Are XML Files and the rua Tag?

What is an XML File?

XML (Extensible Markup Language) structures data using readable tags. Your DMARC aggregate reports come as .xml files and look like this:

<record>
  <source_ip>192.0.2.1</source_ip>
  <count>100</count>
  <policy_evaluated>
    <spf>pass</spf>
    <dkim>fail</dkim>
  </policy_evaluated>
</record>

Plain English:

"100 emails came from this IP. SPF passed, DKIM failed."

What is the rua Tag?

The rua tag in your DMARC record tells providers where to email aggregate reports:

rua=mailto:dmarc@yourdomain.com

You can send to multiple inboxes:

rua=mailto:dmarc@yourdomain.com,mailto:security@yourdomain.com

Or to a third-party parser:

rua=mailto:yourcompany@dmarc.postmarkapp.com

A Sample DMARC Aggregate Report (Translated)

<record>
  <source_ip>198.51.100.23</source_ip>
  <count>500</count>
  <policy_evaluated>
    <spf>pass</spf>
    <dkim>fail</dkim>
    <disposition>none</disposition>
  </policy_evaluated>
</record>

Meaning:

• 500 emails from IP 198.51.100.23

• SPF passed, but DKIM failed

• Since the policy is none, delivery wasn’t blocked

This could indicate a misconfigured sending tool or expired DKIM key.

Tools to Parse DMARC Reports

How to Set Up DMARC Reporting

1. Set Up SPF & DKIM

Ensure both are published and functioning correctly.

2. Publish a DMARC Record

Start with p=none:

_dmarc.domain.com TXT "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; ruf=mailto:forensics@yourdomain.com"

This lets you monitor without affecting deliverability.

3. Monitor Your Reports

Check for:

• New/unrecognized IPs

• DKIM or SPF failures

• High-volume senders

4. Fix Misconfigurations

• Add legit IPs to SPF

• Rotate DKIM keys if failing

• Remove spoofing platforms

5. Move to Enforcement

Progressively tighten your policy:

p=none → p=quarantine → p=reject

Common Mistakes

DMARC reports are your early warning system for domain abuse. And with tools like Mission Inbox, you can:

• Stay ahead of spoofing

• Monitor authentication health

• Build trust with mailbox providers

Want deeper protection and visibility?

Book a demo with Mission Inbox and lock down your sending reputation the right way.