DMARC Reporting

Aggregate reports turn raw XML into email authentication intelligence

DMARC aggregate reports (RUA) are daily XML summaries sent by receiving mail servers that show every IP address sending email from your domain, the volume of messages, and whether SPF, DKIM, and DMARC passed or failed for each source.

Definition

What is a DMARC aggregate report?

An aggregate report is an XML file sent by email receivers - Google, Microsoft, Yahoo, and thousands of others - summarizing how email from your domain performed against SPF, DKIM, and DMARC checks over a reporting period (typically 24 hours).

Reports are triggered by the rua= tag in your DMARC record. Without it, you receive no reports and have zero visibility into who is sending email as your domain.

According to a 2024 DMARC.org survey, over 5.8 million domains publish DMARC records - but many still lack a rua= tag, leaving them blind to abuse.

Who sends aggregate reports

Google (Gmail / Workspace): largest reporter globally
Microsoft (Outlook / 365): second-largest reporter
Yahoo / AOL: major consumer volume
Apple (iCloud Mail): growing reporter since 2023
Other receivers: ISPs, enterprises, governments

Before & After

From raw XML to visual dashboard

Raw aggregate reports are XML files that can be thousands of lines long. A single domain receiving reports from Gmail, Outlook, Yahoo, and dozens of other receivers accumulates hundreds of files per day. Manually parsing them is not viable.

dmarc-report.xml
<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <report_id>17438926547812</report_id>
    <date_range>
      <begin>1712188800</begin>
      <end>1712275199</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <p>none</p>
    <adkim>r</adkim>
    <aspf>r</aspf>
  </policy_published>
  <record>
    <row>
      <source_ip>142.250.115.26</source_ip>
      <count>14832</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
  </record>
</feedback>

app.dmarcreport.com / dashboard

94.2% DMARC Pass · 12 Senders · 3 Warnings

Google Workspace: 14,832 emails, SPF Pass, DKIM Pass
Microsoft 365: 6,241 emails, SPF Pass, DKIM Pass
SendGrid: 2,108 emails, SPF Pass, DKIM Pass
Unknown sender: 847 emails · 91.203.x.x, SPF Fail, DKIM Fail

Report Structure

What's inside an aggregate report

Every aggregate report follows the same XML structure defined by RFC 7489. Three main sections tell you who reported, what policy they saw, and what happened to your email.

1. <report_metadata>

Identifies who sent the report (Google, Microsoft, Yahoo, etc.), the report ID, and the date range covered - typically a 24-hour window.

Fields: org_name, email, report_id, date_range

2. <policy_published>

Shows the DMARC policy the receiver saw in your DNS at the time of evaluation - your domain, policy level, subdomain policy, and alignment modes.

Fields: domain, p, sp, adkim, aspf, pct

3. <record> > <row>

One row per sending source. Contains the IP address, message count, what the receiver did with the messages, and individual SPF/DKIM/DMARC results.

Fields: source_ip, count, disposition, dkim, spf

Step by Step

How to read aggregate reports

Whether you use a tool like DMARC Report or read XML manually, follow these four steps to extract actionable intelligence from every report.

1. Identify the reporter

Check <org_name> to see which receiver sent the report - Google, Microsoft, Yahoo, or others. This tells you where your email was delivered.

2. Check your policy

Review <policy_published> to confirm receivers see the correct DMARC policy, alignment modes, and percentage. Mismatches indicate DNS propagation issues.

3. Review each source

Examine each <record> row - the source IP, message count, and authentication results. Classify sources as legitimate senders or potential threats.

4. Investigate failures

For any source showing SPF or DKIM failures, determine if it is an authorized sender with a misconfiguration or an unauthorized sender spoofing your domain.
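
The four steps above, applied to one report with Python's standard library. This is an added example, not DMARC Report's code: the names summarize, text_of and to_utc are hypothetical, and the sample is the page's report plus one constructed failing source on a documentation IP address.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample: the page's report plus one failing source (documentation IP).
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <date_range><begin>1712188800</begin><end>1712275199</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><p>none</p><adkim>r</adkim><aspf>r</aspf>
  </policy_published>
  <record><row>
    <source_ip>142.250.115.26</source_ip><count>14832</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row></record>
  <record><row>
    <source_ip>203.0.113.45</source_ip><count>847</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
</feedback>"""

def text_of(node, path):
    return (node.findtext(path) or "").strip()

def to_utc(ts):
    return datetime.fromtimestamp(int(ts), timezone.utc).isoformat()

def summarize(xml_text):
    # Reports come from third parties: refuse DTDs instead of expanding entities.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD not allowed in aggregate report")
    root = ET.fromstring(xml_text)
    sources, total, passed = [], 0, 0
    for row in root.iter("row"):                       # step 3: one row per source
        count = int(text_of(row, "count") or 0)
        dkim, spf = text_of(row, "policy_evaluated/dkim"), text_of(row, "policy_evaluated/spf")
        ok = "pass" in (dkim, spf)                     # DMARC passes if either aligned check passes
        total, passed = total + count, passed + (count if ok else 0)
        sources.append(dict(ip=text_of(row, "source_ip"), count=count, dkim=dkim, spf=spf, dmarc_pass=ok))
    return {
        "reporter": text_of(root, "report_metadata/org_name"),           # step 1
        "period": tuple(to_utc(text_of(root, f"report_metadata/date_range/{k}")) for k in ("begin", "end")),
        "policy": {t: text_of(root, "policy_published/" + t)             # step 2
                   for t in ("domain", "p", "sp", "adkim", "aspf", "pct")},
        "sources": sources,
        "pass_rate": round(100 * passed / total, 1) if total else None,  # weighted by message count
        "investigate": [s for s in sources if not s["dmarc_pass"]],      # step 4
    }
```

Tags that the reporter omitted (here sp and pct) come back as empty strings, which makes a policy that differs from what you published easy to spot.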

Troubleshooting

Common aggregate report issues

Not receiving reports

Missing or malformed rua= tag in your DMARC record. The rua= address must be a mailto: URI.

Use our DMARC Checker to verify your record is published correctly.

Too many reports to read

Active domains receive hundreds of XML files daily from receivers worldwide. Manual analysis does not scale.

DMARC Report ingests, parses, and classifies reports automatically - identifying 200+ email vendors.

External domain authorization

Sending reports to a mailbox on a different domain requires the receiving domain to authorize it via DNS.

Publish a TXT record at yourdomain._report._dmarc.receiverdomain with value v=DMARC1.
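
A check for the first and third issues above: it verifies that every rua= destination is a mailto: URI and lists the authorization records that external receiving domains must publish. This is an added example, not DMARC Report's code; the function names and sample records are constructed, and the "same domain" test is a simplification (receivers compare Organizational Domains using the Public Suffix List).

```python
import re

def parse_dmarc(txt):
    """Split a DMARC TXT value into a tag -> value dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def same_domain_family(a, b):
    # Assumption: equal or parent/child names count as the same organization.
    a, b = a.lower().rstrip("."), b.lower().rstrip(".")
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def check_rua(policy_domain, txt):
    """Return (problems, TXT record names external receivers must publish)."""
    tags, problems, needed = parse_dmarc(txt), [], []
    if tags.get("v") != "DMARC1":
        problems.append("missing v=DMARC1")
    if not tags.get("rua"):
        problems.append("no rua= tag: no aggregate reports will be sent")
        return problems, needed
    for uri in tags["rua"].split(","):
        uri = uri.strip()
        # Optional "!10m"-style suffix is a report size limit, not part of the address.
        m = re.fullmatch(r"mailto:([^@\s!]+)@([^@\s!]+)(![0-9]+[kmgt]?)?", uri, re.I)
        if not m:
            problems.append(f"rua URI is not a valid mailto: address: {uri!r}")
            continue
        dest = m.group(2)
        if not same_domain_family(policy_domain, dest):
            # This name must hold a TXT record with value v=DMARC1.
            needed.append(f"{policy_domain}._report._dmarc.{dest}")
    return problems, needed
```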

FAQ

Frequently asked questions

How often are DMARC aggregate reports sent?

Most receivers send aggregate reports once per day, covering a 24-hour reporting period. Large receivers like Google, Microsoft, and Yahoo typically deliver reports between 00:00 and 06:00 UTC. Some smaller receivers batch reports weekly.

Why am I not receiving DMARC aggregate reports?

The most common cause is a missing or malformed rua= tag in your DMARC record. Use our free DMARC Checker to verify. If you are sending reports to an address on a different domain, you need a _report._dmarc authorization record on the receiving domain.

Can I send DMARC reports to a domain I don't own?

Yes, but the receiving domain must authorize it. Publish a DNS TXT record at yourdomain._report._dmarc.receiverdomain with the value v=DMARC1. This prevents unauthorized mailbox flooding.

How long does it take to reach DMARC enforcement?

Moving from p=none to p=reject typically takes 9 to 18 months, with a minimum of 90 days at each policy phase. Aggregate reports are essential throughout this process - they are the only way to identify all legitimate senders before tightening your policy.

What is the difference between RUA and RUF reports?

RUA (aggregate) reports are daily XML summaries showing volume and authentication results for every sending source. RUF (forensic) reports provide per-message failure details including email headers and subject lines. Learn more on our forensic report page.

Stop reading raw XML

DMARC Report processes your aggregate reports automatically - classifying senders, tracking trends, and alerting you when authentication changes.


What Users Say About Our Report Analysis

G2 Leader - DMARC

Rated 4.8/5 on G2 · 469 verified reviews

G2 Momentum Leader - DMARC

Dave G.

Owner

5/5

"DMARC Report has been invaluable in fixing email deliverability issues for our clients"

DMARC Report dashboard allows us to see easily what is compliant and what isn't compliant so we can quickly fix issues.

9/27/2022 Verified on G2

Zunaid K.

Director

5/5

"Essential tool for email delivery"

This tool helps us to implement DMARC reporting for our domains in an easy to use manner.

8/8/2024 Verified on G2

Verified User in Information Technology and Services

5/5

"Best security tool for your own domains"

The weekly reports help me a lot to analyze quickly the emails sent from my domains and that gives me peace of mind.

8/31/2022 Verified on G2