
DMARC Reporting: How to Get, Read, and Act on Aggregate Reports

DMARC aggregate reports are the most underused tool in email security. They show exactly who is sending email as your domain — legitimate senders and attackers alike. Here's how to use them.


Aggregate reports are daily XML digests of who sent mail using your domain and whether SPF/DKIM passed and aligned with the From domain. They are the feedback loop for DMARC policy: without them you cannot tell a legitimate but misconfigured sender from a spoofer. This guide covers mailboxes, XML structure, reading tools, triage, and forensic options. See also the aggregate reports and policy guides.

What DMARC reports are

Major receivers (Google, Microsoft, Yahoo, etc.) send compressed (gzip or zip) XML to the rua= addresses in your DMARC record. Each file contains one record per source IP and authentication outcome, with the raw SPF and DKIM results, the DKIM signing domains, the SPF domains, the message count, and the disposition the receiver applied if your policy was enforced.

How to start receiving reports

Add rua=mailto:dmarc@yourdomain.com to your DMARC TXT record (published at _dmarc.yourdomain.com). Confirm the address receives mail and is not spam-filtered into oblivion; reports are attachments from unfamiliar senders and are easy to lose. Reports usually arrive within 24 hours of first publish.
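The most common reason reports never arrive is a record that looks right but has no usable rua= tag. The following is an added example (not the page's or DomainPreflight's own tooling) that parses a DMARC TXT record string into its tags and lists the problems that would stop aggregate reports from being generated; the domain names are constructed placeholders. It also flags the case the guide's sentence does not mention: when the rua= mailbox is on a different domain than the policy domain, that destination domain must publish an authorization TXT record at <policy-domain>._report._dmarc.<destination-domain> containing v=DMARC1, or receivers will refuse to send reports there (RFC 7489 section 7.1).

```python
"""Check a DMARC TXT record for the tags that make aggregate reporting work.
Added example; not part of the page or of any vendor tool.  The domains
used in the tests are constructed placeholders."""

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc_record(txt: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a {tag: value} dict."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def rua_mailboxes(tags: dict) -> list:
    """Return the mailto: addresses from rua=, dropping size limits like '!10m'
    and ignoring non-mailto URIs (receivers only support mailto today)."""
    boxes = []
    for uri in tags.get("rua", "").split(","):
        uri = uri.strip()
        if not uri.lower().startswith("mailto:"):
            continue
        addr = uri[len("mailto:"):].split("!", 1)[0].strip()
        if addr:
            boxes.append(addr)
    return boxes


def check_reporting(policy_domain: str, txt: str) -> list:
    """Return human-readable problems that would prevent reports from arriving.
    An empty list means the record is at least capable of producing reports."""
    problems = []
    tags = parse_dmarc_record(txt)
    if tags.get("v") != "DMARC1":
        problems.append("record must begin with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        problems.append("p= missing or not one of none/quarantine/reject")
    boxes = rua_mailboxes(tags)
    if not boxes:
        problems.append("no rua=mailto: address, so no aggregate reports will be sent")
    pdom = policy_domain.lower().rstrip(".")
    for addr in boxes:
        if "@" not in addr:
            problems.append(f"rua address {addr!r} is not a mailbox")
            continue
        dest = addr.rsplit("@", 1)[1].lower().rstrip(".")
        # Simplification: a subdomain of the policy domain is treated as internal.
        if dest != pdom and not dest.endswith("." + pdom):
            problems.append(
                f"rua destination {dest} is outside {pdom}: {dest} must publish "
                f"TXT {pdom}._report._dmarc.{dest} = 'v=DMARC1' (RFC 7489 s.7.1) "
                "or receivers will not send reports there")
    return problems


if __name__ == "__main__":
    for rec in ("v=DMARC1; p=none; rua=mailto:dmarc@example.com",
                "v=DMARC1; p=none",
                "v=DMARC1; p=reject; rua=mailto:dmarc@vendor.example"):
        print(rec, "->", check_reporting("example.com", rec) or "ok")
```

Run it against the TXT value you get from `dig +short TXT _dmarc.yourdomain.com` before waiting a day for reports that a missing tag would never produce.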

What the XML contains

High level: report_metadata (reporting org, report ID, date range), policy_published (the p=, pct, and adkim/aspf alignment settings the receiver saw), and one or more record rows, each with a source_ip, a count, and policy_evaluated (the disposition plus the receiver's aligned SPF and DKIM verdicts). Each record also carries auth_results with the raw SPF and DKIM outcomes and the domains they were evaluated against, which is what lets you tell "failed outright" from "passed for the wrong domain". You do not need to love XML — you need a workflow.

How to read reports without decoding XML

Use DomainPreflight DMARC Report Analyzer — paste XML, get charts and tables. Pair with how to read a DMARC report on the blog.

What to look for

Green paths: SPF or DKIM passed and the passing domain aligns with your From domain. Orange: partial passes, typically SPF or DKIM passing for a vendor's own domain rather than yours — investigate alignment. Red: nothing passes, i.e. clear spoofing sources — plan blocks after legitimate mail is clean. Map IPs to owners (whois, ASN, ESP dashboards).

Acting on what you find

Fix legitimate senders first — add includes, DKIM, or correct From domains. Then tighten DMARC using guidance from DMARC fixes and the main DMARC guide.

How often to check

Weekly during rollout; monthly when stable. Re-check after any new vendor sends mail.

Forensic reports (ruf=)

Optional failure samples (ruf=mailto:...) — many providers suppress or redact for privacy. Treat aggregate as primary; forensic as bonus.

When leadership asks “are we spoofed?”, export a week of XML, run the analyzer, and show top IPs by volume. Pair the numbers with policy context — p=none means observation only, not protection, so a red source in the report was delivered, not blocked. The DMARC setup guide explains when to move policy forward.
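The structure, the green/orange/red triage and the "top IPs by volume" view from the previous sections can all be produced from the XML with the standard library. The following is an added example (not the page's or DomainPreflight's own analyzer): it parses one aggregate report, recomputes alignment from auth_results so that "passed for someone else's domain" shows up as orange, and sorts source IPs by message count. The report embedded below is constructed for the example; the IPs are from the RFC 5737 documentation ranges and the domains are placeholders. The alignment check is simplified: relaxed mode is approximated by a parent/child domain match rather than a public-suffix-list lookup of the organizational domain.

```python
"""Parse a DMARC aggregate report and classify each source IP.
Added example, not the page's tooling.  SAMPLE_REPORT is constructed."""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
 <report_metadata><org_name>receiver.example</org_name><report_id>constructed-1</report_id>
  <date_range><begin>1700000000</begin><end>1700086400</end></date_range></report_metadata>
 <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
  <p>none</p><pct>100</pct></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
   <spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>esp.example.net</domain><result>pass</result></dkim>
   <spf><domain>bounce.esp.example.net</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>203.0.113.99</source_ip><count>300</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>spoofer.example.org</domain><result>fail</result></spf></auth_results></record>
</feedback>
"""

COLOUR_ORDER = {"green": 0, "orange": 1, "red": 2}


def aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    """Strict ('s'): exact match.  Relaxed ('r'): same organizational domain,
    approximated here as a parent/child suffix match (no public suffix list)."""
    a, h = auth_domain.lower().rstrip("."), header_from.lower().rstrip(".")
    if not a or not h:
        return False
    if mode == "s":
        return a == h
    return a == h or a.endswith("." + h) or h.endswith("." + a)


def classify_record(rec, adkim: str, aspf: str) -> dict:
    """One <record>: return ip, count, colour and the domains that authenticated."""
    header_from = rec.findtext("identifiers/header_from", "")
    dkim = [(d.findtext("domain", ""), d.findtext("result", "")) for d in rec.findall("auth_results/dkim")]
    spf = [(s.findtext("domain", ""), s.findtext("result", "")) for s in rec.findall("auth_results/spf")]
    dkim_aligned = any(r == "pass" and aligned(d, header_from, adkim) for d, r in dkim)
    spf_aligned = any(r == "pass" and aligned(d, header_from, aspf) for d, r in spf)
    any_pass = any(r == "pass" for _, r in dkim + spf)
    if dkim_aligned or spf_aligned:
        colour = "green"          # DMARC pass: aligned SPF or DKIM
    elif any_pass:
        colour = "orange"         # authenticated, but for a non-aligned domain
    else:
        colour = "red"            # nothing passed: unauthenticated use of the domain
    return {
        "ip": rec.findtext("row/source_ip", ""),
        "count": int(rec.findtext("row/count", "0")),
        "colour": colour,
        "dkim_domains": [d for d, r in dkim if r == "pass"],
        "spf_domains": [d for d, r in spf if r == "pass"],
        # the receiver's own aligned verdict; compare it with ours when debugging
        "receiver_verdict": (rec.findtext("row/policy_evaluated/dkim", ""),
                             rec.findtext("row/policy_evaluated/spf", "")),
    }


def summarize_report(xml_text: str) -> list:
    """Aggregate per source IP (one IP may appear in several records) and sort
    by volume, largest first: the 'top IPs' view for a leadership update."""
    root = ET.fromstring(xml_text)
    adkim = root.findtext("policy_published/adkim", "r") or "r"
    aspf = root.findtext("policy_published/aspf", "r") or "r"
    per_ip = {}
    for rec in root.findall("record"):
        row = classify_record(rec, adkim, aspf)
        cur = per_ip.setdefault(row["ip"], row)
        if cur is not row:
            cur["count"] += row["count"]
            if COLOUR_ORDER[row["colour"]] > COLOUR_ORDER[cur["colour"]]:
                cur["colour"] = row["colour"]   # keep the worst outcome seen for the IP
    return sorted(per_ip.values(), key=lambda r: r["count"], reverse=True)


def totals_by_colour(summary: list) -> dict:
    """Message counts per colour, the one-line answer to 'are we spoofed?'."""
    out = {"green": 0, "orange": 0, "red": 0}
    for r in summary:
        out[r["colour"]] += r["count"]
    return out


if __name__ == "__main__":
    rows = summarize_report(SAMPLE_REPORT)
    for r in rows:
        print(f"{r['colour']:6} {r['ip']:15} {r['count']:5}  dkim={r['dkim_domains']} spf={r['spf_domains']}")
    print(totals_by_colour(rows))
```

For a real week of reports, unzip each attachment and feed the XML text to summarize_report, merging the per-IP rows across files; the orange row in the sample is the classic misconfigured-ESP case the guide tells you to fix before tightening policy, and the red row is the volume you would show leadership alongside the reminder that p=none did not stop it.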

Reporting volume can spike after DNS changes — not every spike is abuse; some are misconfigured senders waking up. Differentiate by ASN and known ESP ranges before panicking.


Step by step

Step 1: Dedicated mailbox or alias — not a person who deletes attachments.
Step 2: Some providers batch daily; patience on day one.
Step 3: Tables beat raw XML for leadership updates.
Step 4: ASN and country often hint at ESP vs abuse.
Step 5: Use /fix/dmarc/ when a vendor misconfigures DKIM.
Step 6: Never jump to reject without this feedback loop.

FAQ

What is a DMARC aggregate report?

A daily XML file sent by major email providers showing every IP that sent email as your domain and whether SPF and DKIM passed.

How do I start receiving DMARC reports?

Add rua=mailto:dmarc@yourdomain.com to your DMARC TXT record. Reports arrive within 24 hours.

How do I read DMARC XML reports?

Use DomainPreflight DMARC Report Analyzer — paste the XML for a visual summary.

What should I do if I see a spoofing attempt in reports?

Fix any alignment failures from legitimate senders first, then upgrade to p=reject to block spoofed email.

How long should I collect reports before upgrading to p=reject?

Minimum 2-4 weeks of clean reports showing all legitimate senders aligned. Longer if you have complex email infrastructure.