Understanding DMARC Reports

How to read and act on aggregate and forensic reports.

DMARC reports provide visibility into email authentication results. Understanding these reports is essential for identifying issues and tracking progress.

Aggregate Reports (rua)

Aggregate reports are daily XML summaries from receiving servers. They show how many emails passed/failed authentication, grouped by source IP. Configure rua in your DMARC record: rua=mailto:[email protected]. Multiple addresses are allowed. These reports help identify legitimate senders that aren't properly authenticated.

Forensic Reports (ruf)

Forensic reports (failure reports) provide details about individual authentication failures. They may include message headers and sometimes content. Many receivers don't send forensic reports due to privacy concerns. Configure with ruf=mailto:[email protected]. Useful for investigating specific incidents.

Interpreting Report Data

Look for source IPs with high failure rates. Check if these are legitimate services you forgot to authenticate. Legitimate services typically send from known IP ranges. Unknown IPs with your domain are likely spoofing attempts—exactly what DMARC should block. Track pass rates over time to measure progress.

Report Processing Tools

Raw DMARC reports are XML files that are hard to read manually. Services like Dmarcian, Valimail, and PowerDMARC parse reports into dashboards. They aggregate data, identify trends, and alert on issues. For small-scale monitoring, open-source parsers exist.

Put understanding dmarc reports to use. One key, the DMARC Validator API, live in minutes.

Scaling up?

Volume pricing, custom SLAs, and dedicated support for high-traffic teams.

Contact sales