Understanding DMARC Reports
DMARC reports are your eyes into how the world sees your email authentication. Learn how to read aggregate (RUA) and forensic (RUF) reports to monitor legitimate email and detect spoofing attacks.
What Are DMARC Reports?
When you publish a DMARC record with reporting addresses, receiving mail servers send you daily reports about emails claiming to be from your domain. These reports contain critical data for monitoring authentication health and detecting attacks.
Who Sends Reports?
Gmail, Outlook, Yahoo, and other major email providers send DMARC reports. They track ALL email claiming to be from your domain, whether it passes or fails authentication.
How Often Are Reports Sent?
Aggregate reports (RUA) are sent daily, usually within 24-48 hours of email activity. Forensic reports (RUF) are sent immediately when failures occur.
What Data Do Reports Contain?
Source IP addresses, authentication results (SPF/DKIM), volume of emails, DMARC policy applied, and disposition (delivered/quarantined/rejected).
Two Types of DMARC Reports
Aggregate Reports (RUA)
Aggregate reports provide statistical summaries of email authentication over 24-hour periods.
Format: XML files sent as email attachments (compressed with gzip)
Frequency: Daily (usually 24-48 hours after email activity)
Contains: Source IPs, message counts, SPF/DKIM results, DMARC disposition
Use case: Daily monitoring, trend analysis, compliance tracking
# Configure RUA in DMARC record:
v=DMARC1; p=quarantine;
rua=mailto:dmarc-reports@yourdomain.com;
pct=100
Forensic Reports (RUF)
Forensic reports provide real-time, detailed information about individual authentication failures.
Format: Individual email samples with full headers
Frequency: Real-time (sent immediately when failures occur)
Contains: Complete email headers, authentication results, failure reasons
Use case: Investigating specific failures, debugging authentication issues
# Configure RUF in DMARC record:
v=DMARC1; p=quarantine;
rua=mailto:dmarc-reports@yourdomain.com;
ruf=mailto:dmarc-forensic@yourdomain.com;
pct=100
Aggregate Report Structure
RUA reports are XML files with a standard structure defined by RFC 7489. Here's what each section contains:
1. Report Metadata
Who sent the report and what time period it covers:
<report_metadata>
  <org_name>google.com</org_name>
  <email>noreply-dmarc-support@google.com</email>
  <date_range>
    <begin>1704067200</begin>  <!-- Jan 1, 2024 00:00 UTC -->
    <end>1704153599</end>      <!-- Jan 1, 2024 23:59 UTC -->
  </date_range>
</report_metadata>
2. Policy Published
Your DMARC policy as seen by the receiving server:
<policy_published>
  <domain>yourdomain.com</domain>
  <p>quarantine</p>
  <sp>none</sp>
  <pct>100</pct>
</policy_published>
3. Record (Authentication Results)
Data for each unique sending source:
<record>
  <row>
    <source_ip>209.85.220.41</source_ip>  <!-- Google Workspace -->
    <count>1523</count>
    <policy_evaluated>
      <disposition>none</disposition>  <!-- delivered -->
      <dkim>pass</dkim>
      <spf>pass</spf>
    </policy_evaluated>
  </row>
</record>
Key Metrics to Track
DMARC Compliance Rate
% of emails passing DMARC (SPF or DKIM aligned)
Target: 95%+ compliance
Formula: (Passing messages / Total messages) × 100
Top Sending Sources
Which IP addresses send the most email on your behalf
Expected sources:
- Google Workspace: 209.85.x.x, 172.253.x.x
- SendGrid: 167.89.x.x, 168.245.x.x
- Mailchimp: 205.201.x.x, 198.2.x.x
Authentication Failures
Messages failing both SPF and DKIM (potential spoofing)
Investigate if:
- Unknown IP addresses sending high volumes
- Sudden spikes in failures from specific sources
- Failures from legitimate ESPs (configuration issue)
Policy Disposition
What happened to failing emails (none/quarantine/reject)
<disposition>none</disposition> = Delivered (p=none)
<disposition>quarantine</disposition> = Spam folder
<disposition>reject</disposition> = Blocked
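As an added example (not code from this page or from any reporting tool), the Python below parses an aggregate report with the structure shown above and computes the metrics in this section: compliance rate, top sources, dispositions, and both-fail sources triaged against the expected-source list. The report is constructed sample data, and matching on the page's example prefixes is an assumption; production checks should use exact CIDR ranges for each sender.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Expected-source prefixes taken from the list above; extend with your own senders.
KNOWN = ("209.85.", "172.253.", "167.89.", "168.245.", "205.201.", "198.2.")

def _rec(ip, count, disp, dkim, spf):  # builds one constructed <record>
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>{disp}</disposition><dkim>{dkim}</dkim>"
            f"<spf>{spf}</spf></policy_evaluated></row></record>")

# Constructed sample report, not real data (203.0.113.7 is a documentation address).
SAMPLE = ("<feedback><policy_published><domain>yourdomain.com</domain>"
          "<p>quarantine</p></policy_published>"
          + _rec("209.85.220.41", 1523, "none", "pass", "pass")
          + _rec("172.253.1.1", 300, "none", "fail", "pass")
          + _rec("167.89.10.20", 100, "quarantine", "fail", "fail")
          + _rec("203.0.113.7", 77, "quarantine", "fail", "fail")
          + "</feedback>").encode()

def summarize(xml_bytes, known=KNOWN):
    # Reports arrive from outside: refuse DTDs so entity expansion cannot run.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD not allowed in a DMARC report")
    total = passing = 0
    by_source, dispositions, findings = Counter(), Counter(), []
    for row in ET.fromstring(xml_bytes).iter("row"):
        ip = (row.findtext("source_ip") or "").strip()
        count = int(row.findtext("count") or 0)
        dkim = row.findtext("policy_evaluated/dkim")
        spf = row.findtext("policy_evaluated/spf")
        total += count
        by_source[ip] += count
        dispositions[row.findtext("policy_evaluated/disposition") or "none"] += count
        if "pass" in (dkim, spf):   # DMARC passes if either aligned check passes
            passing += count
        else:                       # failed both: triage by expected source
            label = "config issue" if ip.startswith(known) else "potential spoofing"
            findings.append((ip, count, label))
    rate = round(100 * passing / total, 2) if total else 0.0
    return {"total": total, "compliance_pct": rate,
            "top_sources": by_source.most_common(3),
            "dispositions": dict(dispositions), "findings": findings}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

On the sample, the compliance rate falls below the 95% target because one expected sender and one unknown address fail both checks.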
Managing Report Volume
High-traffic domains can receive hundreds of DMARC reports per day. Here's how to handle them:
Use Dedicated Email Addresses
Create separate mailboxes for RUA and RUF reports (dmarc-reports@, dmarc-forensic@) to avoid cluttering main inboxes.
Automate Report Processing
Use DMARC reporting tools (TrustYourInbox, Postmark, dmarcian) to automatically parse XML and visualize data. Manual analysis doesn't scale.
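An added example (not from the original page) of the first step in automated processing: pulling the gzip-compressed XML out of a report email while capping the decompressed size, since report mail is sent by outside parties. The 10 MiB cap, the file name and the subject line are assumptions, and the sample message is constructed.

```python
import gzip
import io
from email import message_from_bytes, policy
from email.message import EmailMessage

MAX_XML_BYTES = 10 * 1024 * 1024  # assumed cap; size it to your largest real report

def extract_report_xml(raw_email, limit=MAX_XML_BYTES):
    """Return the decompressed XML from the first .gz attachment, or None."""
    msg = message_from_bytes(raw_email, policy=policy.default)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(".gz"):
            continue                      # ignore anything that is not a gzip report
        blob = part.get_payload(decode=True)
        with gzip.GzipFile(fileobj=io.BytesIO(blob)) as fh:
            data = fh.read(limit + 1)     # never inflate more than limit + 1 bytes
        if len(data) > limit:
            raise ValueError("decompressed report exceeds size limit")
        return data
    return None

# Constructed sample payload, not a real report.
SAMPLE_XML = (b"<feedback><report_metadata><org_name>google.com</org_name>"
              b"</report_metadata></feedback>")

def build_sample_email(xml=SAMPLE_XML):
    """Constructed report email for the demo; subject and file name are made up."""
    msg = EmailMessage()
    msg["From"] = "noreply-dmarc-support@google.com"
    msg["To"] = "dmarc-reports@yourdomain.com"
    msg["Subject"] = "Report Domain: yourdomain.com"
    msg.set_content("DMARC aggregate report attached.")
    msg.add_attachment(gzip.compress(xml), maintype="application", subtype="gzip",
                       filename="report.xml.gz")
    return msg.as_bytes()

if __name__ == "__main__":
    print(extract_report_xml(build_sample_email()).decode())
```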
Set Up Email Filters
Filter reports by sender (google.com, outlook.com) or subject line to prioritize high-value reports.
Archive Old Reports
Keep the last 90 days of reports for analysis, and archive older reports to reduce storage costs.
- ✅ Legitimate senders passing: Google Workspace, SendGrid, Mailchimp all showing SPF/DKIM pass
- ⚠️ Known senders failing: Legitimate ESPs failing authentication = configuration issue
- 🚨 Unknown IPs with high volume: Potential spoofing attempts or unauthorized senders
- 📊 Compliance trends: Is your pass rate improving or declining over time?
- 🔄 New sending sources: Teams adding ESPs without notifying IT