2026-04-21·6 min readDMARCEmail Security

What are DMARC aggregate reports?

When you publish a DMARC record for your domain, you can include a rua= tag that tells receiving mail servers to send you aggregate reports. These reports are XML files that summarize how email claiming to come from your domain performed against SPF and DKIM checks.

Every major email provider (Gmail, Outlook, Yahoo, and others) generates these reports. They arrive daily (sometimes more frequently) and contain data about every message that used your domain in the "From" header.

The formal name is "DMARC Aggregate Feedback Reports," defined in RFC 7489. Most people just call them RUA reports.

Why aggregate reports matter

Without aggregate reports, DMARC is a policy you set and hope works. With them, you get visibility into:

Who is sending email as your domain, including legitimate services and attackers alike

Whether SPF and DKIM are passing for your authorized senders

How much unauthorized email is being sent using your domain

Which IP addresses are sending on your behalf

This data is essential before tightening your DMARC policy from p=none to p=quarantine or p=reject. Moving to a strict policy without reviewing aggregate reports risks blocking legitimate email from third-party services you forgot to authorize.

What is inside an aggregate report?

Each report is an XML file (often gzip-compressed) containing:

Report metadata

The organization that generated the report (e.g., google.com)

The reporting period (start and end timestamps)

Your domain and the DMARC policy that was in effect

Record rows

Each row represents a group of messages from the same source IP with the same authentication results:

Field	Description
Source IP	The IP address that sent the messages
Count	Number of messages from that IP in this period
SPF result	pass, fail, softfail, neutral, or none
SPF alignment	Whether the SPF domain matches the From domain
DKIM result	pass or fail
DKIM alignment	Whether the DKIM signing domain matches the From domain
Disposition	What the receiver did: none, quarantine, or reject

How to read an aggregate report

Raw XML is not practical to read. A typical report from Gmail for a moderately active domain can contain dozens of rows. Here is a simplified example of what one record looks like:

<record>
  <row>
    <source_ip>209.85.220.41</source_ip>
    <count>142</count>
    <policy_evaluated>
      <disposition>none</disposition>
      <dkim>pass</dkim>
      <spf>pass</spf>
    </policy_evaluated>
  </row>
</record>

This tells you that 142 messages came from IP 209.85.220.41, both DKIM and SPF passed, and the receiver took no adverse action. You would then look up that IP to confirm it belongs to one of your authorized senders.

Setting up aggregate reports

Step 1: Add the rua tag to your DMARC record

Your DMARC DNS TXT record should include the rua tag:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com

You can specify multiple recipients by separating them with commas.

Step 2: Create a mailbox or use a processing service

Aggregate reports arrive as email attachments. For low-volume domains, a dedicated mailbox works. For anything beyond a few reports per day, use a DMARC report processing tool that parses the XML and presents dashboards.

Step 3: Monitor for 2 to 4 weeks before changing policy

Start with p=none so no email is blocked. Review the reports to identify:

All legitimate sending services (Google Workspace, Mailchimp, your CRM, etc.)

Any services failing SPF or DKIM alignment

Unauthorized senders you need to block

Step 4: Fix alignment issues

Common fixes:

SPF failures: Add the sending service's include to your SPF record

DKIM failures: Enable DKIM signing in the sending service's settings

Alignment failures: Ensure the service sends using your domain, not a generic subdomain

Step 5: Tighten your policy

Once all legitimate sources pass both SPF and DKIM with proper alignment, move from p=none to p=quarantine, then to p=reject. Continue monitoring aggregate reports after each change to catch any regressions.

Common mistakes

Ignoring the reports entirely: setting rua but never reading the data defeats the purpose

Moving to p=reject too fast: tighten policy only after confirming all legitimate senders pass authentication

Not accounting for forwarded email: mailing lists and forwarding services often break SPF; DKIM is more resilient to forwarding

Letting the reports mailbox fill up: if the mailbox bounces, providers may stop sending reports

Forgetting third-party senders: marketing platforms, CRMs, helpdesks, and transactional email services all need to be authorized

Aggregate vs. forensic reports

DMARC defines two report types:

Aggregate (rua): Summaries of authentication results, sent daily, no message content

Forensic (ruf): Individual failure reports with message headers, sent in near real-time

Forensic reports are more detailed but raise privacy concerns, and many large providers (including Gmail) do not send them. Aggregate reports are the foundation of DMARC monitoring: start with these.

Key takeaways

DMARC aggregate reports show you who is sending email as your domain and whether it passes authentication

Set rua=mailto: in your DMARC record to start receiving reports

Use the reports to identify and fix SPF/DKIM issues before tightening your DMARC policy

Review reports for 2 to 4 weeks at p=none before moving to p=quarantine or p=reject

Process reports with a tool or dashboard rather than reading raw XML

Check your DMARC configuration now

ShareTwitter LinkedIn EmailRSS

Ready to check your domain?

Run all 18 security checks in 2 minutes. Free, no signup required.

Check your DMARC →

DMARC Aggregate Reports Explained: What They Are and How to Use Them