A Beginner’s Guide to DMARC Aggregate Reports: Monitoring Email Authentication Like a Pro

Written by Ese Taverho | Jun 9, 2025 4:15:00 AM

DMARC aggregate reports (also called RUA reports) are XML files sent by mailbox providers that help you monitor whether your email authentication (SPF, DKIM) is working — and who else is sending mail on your behalf. They’re essential for catching spoofing attempts, fixing misconfigurations, and gradually enforcing your DMARC policy. This guide breaks down what they are, how to read them, tools you can use, and how to act on what they reveal.

What is DMARC? (Quick Refresher)

DMARC (Domain-based Message Authentication, Reporting & Conformance) is a rule you set for your domain to tell receiving mail servers what to do if a message claiming to be from you fails SPF and/or DKIM checks.

DMARC tells mailbox providers:

What action to take when SPF or DKIM fail (none, quarantine, or reject)
Where to send reports about those failures

Think of DMARC like instructions you give to a bouncer at your party:

A basic DMARC record looks like this:

_dmarc.domain.com TXT "v=DMARC1; p=reject; rua=mailto:dmarc@domain.com; ruf=mailto:forensics@domain.com"

p=reject: Reject messages that fail both SPF and DKIM
rua: Send daily aggregate reports here
ruf: Send real-time forensic failure reports here

What Are DMARC Aggregate and Forensic Reports?

Aggregate Reports (RUA) reports are daily XML summaries sent by mailbox providers like Google, Yahoo, and Microsoft. They include:

Volume of email sent from your domain

Sending IP addresses
SPF and DKIM pass/fail outcomes
Domain alignment and applied policy

Think of it as a daily scorecard for your domain’s email health.

Forensic Reports (RUF)

RUF reports are real-time alerts about individual emails that fail DMARC. These are more detailed and may include email headers or partial content.

What Are XML Files and the `rua` Tag?

What is an XML File?

XML (Extensible Markup Language) structures data using readable tags. Your DMARC aggregate reports come as .xml files and look like this:

<source_ip>192.0.2.1</source_ip>

<policy_evaluated>

</policy_evaluated>

</record>

Plain English:

"100 emails came from this IP. SPF passed, DKIM failed."

What is the `rua` Tag?

The rua tag in your DMARC record tells providers where to email aggregate reports:

rua=mailto:dmarc@yourdomain.com

You can send to multiple inboxes:

rua=mailto:dmarc@yourdomain.com,mailto:security@yourdomain.com

Or to a third-party parser:

rua=mailto:yourcompany@dmarc.postmarkapp.com

A Sample DMARC Aggregate Report (Translated)

<source_ip>198.51.100.23</source_ip>

<policy_evaluated>

</policy_evaluated>

</record>

Meaning:

500 emails from IP 198.51.100.23
SPF passed, but DKIM failed
Since the policy is none, delivery wasn’t blocked

This could indicate a misconfigured sending tool or expired DKIM key.

Tools to Parse DMARC Reports

How to Set Up DMARC Reporting

1. Set Up SPF & DKIM

Ensure both are published and functioning correctly.

2. Publish a DMARC Record

Start with p=none:

_dmarc.domain.com TXT "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; ruf=mailto:forensics@yourdomain.com"

This lets you monitor without affecting deliverability.

3. Monitor Your Reports

Check for:

New/unrecognized IPs
DKIM or SPF failures
High-volume senders

4. Fix Misconfigurations

Add legit IPs to SPF
Rotate DKIM keys if failing
Remove spoofing platforms

5. Move to Enforcement

Progressively tighten your policy:

p=none → p=quarantine → p=reject

Common Mistakes

DMARC reports are your early warning system for domain abuse. And with tools like Mission Inbox, you can:

Stay ahead of spoofing
Monitor authentication health
Build trust with mailbox providers

Want deeper protection and visibility?

Book a demo with Mission Inbox and lock down your sending reputation the right way.

View full post