How to Read DMARC Aggregate and Forensic Reports

Learn what DMARC aggregate and forensic reports are, what data they contain, and how to use them before moving to quarantine or reject.

By CheckDomainHealth Editorial Team | Reviewed by Dionis Ceban | Updated Jun 28, 2026 | 10 min read | Advanced

Introduction

DMARC reports help domain owners understand who is sending email using their domain and whether those messages pass SPF, DKIM and DMARC alignment. Reports are especially useful before moving from p=none to stricter policies such as quarantine or reject.

There are two main report types: aggregate reports and forensic reports. Aggregate reports provide summary data, usually in XML format. Forensic reports, also called failure reports, may include message-level failure details, but they are less commonly supported and can raise privacy concerns.

Quick answer

DMARC aggregate reports summarize which IPs and providers sent mail for your domain and whether SPF, DKIM and DMARC passed. Forensic reports provide more detailed failure samples, but they are less commonly sent. Use DMARC reports to identify legitimate senders, unknown sources and authentication problems before enforcing quarantine or reject.

DMARC reports

DMARC reports are feedback reports sent by participating receiving mail servers. They help domain owners see how mail claiming to be from their domain is being authenticated.

  • Which sources sent mail
  • How many messages were seen
  • Whether SPF passed
  • Whether DKIM passed
  • Whether DMARC alignment passed
  • What policy was applied
  • Whether unknown sources are sending mail

DMARC reports are usually enabled with the rua and ruf tags in the DMARC record.

Aggregate vs forensic reports

Aggregate reports

  • Sent using the rua tag
  • Summary-level data, usually XML files
  • Show source IPs, counts and authentication results
  • Useful for monitoring and enforcement planning
  • Commonly supported

rua=mailto:dmarc@example.com

Forensic reports

  • Sent using the ruf tag
  • Message-level failure samples
  • May include more sensitive details
  • Less commonly supported
  • Useful for investigating specific failures

ruf=mailto:dmarc-forensic@example.com

Most domains should start with aggregate reports. Forensic reports are optional and may not be sent by many receivers.

Reporting tags

rua

Aggregate report destination. Example: rua=mailto:dmarc@example.com

ruf

Forensic/failure report destination. Example: ruf=mailto:dmarc-forensic@example.com

fo

Failure reporting options for forensic reports. Example: fo=1

pct

Percentage of messages affected by policy. Example: pct=50

For most beginner setups, rua is the most important reporting tag.

Aggregate report contents

Aggregate reports usually contain summary data for a reporting period.

  • Reporting organization
  • Report date range
  • Source IP address
  • Message count
  • DMARC disposition
  • SPF result
  • DKIM result
  • SPF alignment result
  • DKIM alignment result
  • Header From domain
  • Policy applied

Aggregate reports do not usually show the full email content. They are designed for monitoring patterns, not reading individual messages.

How to read reports

  1. Identify the source IP

    Check which IP address sent mail claiming to be from your domain.

  2. Check message count

    Look at how many messages came from that source.

  3. Identify the provider

    Match the IP or sending domain to Google, Microsoft, a hosting server, a CRM, a marketing platform or an unknown sender.

  4. Review SPF and DKIM results

    Check whether SPF and DKIM passed or failed.

  5. Check DMARC alignment

    Confirm whether SPF or DKIM aligned with the visible From domain.

  6. Review disposition

    See whether the receiver applied none, quarantine or reject.

  7. Decide action

    Classify the source as legitimate, misconfigured, unknown or suspicious.

Why this matters

DMARC reports matter because they show what is actually happening with your domain’s email. Without reports, you may not know which services send legitimate mail, which sources fail authentication, or whether unknown systems are spoofing your domain.

Reports are especially important before enforcement. Moving to quarantine or reject without reading reports can block legitimate mail.

How to check reporting

Use DMARC Checker to inspect your DMARC record and confirm whether reporting addresses are configured.

When checking reporting, review

These five checks help confirm DMARC reporting is set up correctly.

rua tag

Confirm aggregate reports are enabled.

Reporting mailbox

Make sure the report address exists and can receive XML attachments.

ruf tag

Check whether forensic reports are configured intentionally.

Policy

Check whether the domain is monitoring, quarantining or rejecting.

SPF/DKIM readiness

Reports are most useful when SPF and DKIM are also configured.
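
The rua, ruf and policy checks above, applied to a record string. This is an added example, not CheckDomainHealth's DMARC Checker code; the function name, the sample record and the vendor domain are constructed. It goes one step beyond the list: when a report address sits outside the policy domain, RFC 7489 expects the destination domain to publish an authorization TXT record, and the function lists the names to look up.

```python
from urllib.parse import urlparse

def check_reporting(domain, record):
    """Parse a DMARC TXT record and review its reporting setup."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("missing v=DMARC1 version tag")
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= policy")
    if "rua" not in tags:
        findings.append("no rua: aggregate reports are not requested")
    if "ruf" in tags:
        findings.append("ruf set: confirm failure reports are intended")
    external = set()
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            uri = uri.strip().split("!")[0]  # drop optional size limit, e.g. !10m
            if not uri:
                continue
            parsed = urlparse(uri)
            if parsed.scheme.lower() != "mailto" or "@" not in parsed.path:
                findings.append(f"{tag} destination is not a mailto: address: {uri}")
                continue
            host = parsed.path.rsplit("@", 1)[1].lower()
            # Simplification: RFC 7489 compares organizational domains.
            if host != domain and not host.endswith("." + domain):
                external.add(f"{domain}._report._dmarc.{host}")
    return {"policy": policy, "findings": findings,
            "external_auth_records": sorted(external)}

if __name__ == "__main__":
    # Constructed record; reports.vendor.example is a made-up report service.
    sample = ("v=DMARC1; p=none; rua=mailto:dmarc@example.com,"
              "mailto:agg@reports.vendor.example!10m; "
              "ruf=mailto:dmarc-forensic@example.com; fo=1")
    print(check_reporting("example.com", sample))
```

Each name in `external_auth_records` should resolve to a TXT record beginning with v=DMARC1; if it does not, receivers may silently skip that destination.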


Common problems

No rua address configured

Medium

The domain has DMARC but does not request aggregate reports.

Next step: Add a rua address or DMARC report service to collect reports.

Reports sent to an unmonitored mailbox

Medium

Reports may arrive, but no one reviews them.

Next step: Use a monitored mailbox or reporting platform.

Raw XML is difficult to read

Low

Aggregate reports are often compressed XML files that are hard to interpret manually.

Next step: Use a DMARC report parser or service.

Unknown sending sources appear

High

Reports show IPs or providers you do not recognize.

Next step: Investigate whether they are legitimate services, old systems or spoofing attempts.

Legitimate provider fails alignment

Medium

A known sender passes SPF or DKIM but fails DMARC alignment.

Next step: Configure custom DKIM or Return-Path alignment for that provider.

Reports are not arriving

Medium

Not all receivers send reports, or the report address may be invalid.

Next step: Confirm rua syntax, mailbox availability and DNS record validity.

Forensic reports expose sensitive data

Medium

Failure reports may include message-level information depending on receiver behavior.

Next step: Use ruf carefully and understand privacy implications.

How to use reports

  1. Start with p=none

    Use monitoring mode while collecting data about legitimate and unknown senders.

  2. Add an aggregate report address

    Configure rua with a mailbox or DMARC reporting service.

  3. Collect reports for a period of time

    Wait until reports show normal sending patterns from major receivers.

  4. Identify legitimate senders

    Match source IPs and providers to your real mailbox, CRM, marketing, transactional and hosting services.

  5. Fix authentication gaps

    Enable DKIM, adjust SPF and configure alignment for legitimate providers.

  6. Investigate unknown sources

    Classify unknown sources as old systems, vendors, forwarding behavior or suspicious spoofing.

  7. Move gradually toward enforcement

    Only consider quarantine or reject after legitimate sources are passing DMARC.

Report example

Likely legitimate source
Source IP: 192.0.2.10
Message count: 450
Header From: example.com
SPF result: pass
SPF alignment: pass
DKIM result: pass
DKIM alignment: pass
DMARC result: pass
Disposition: none

Interpretation: This source is likely legitimate if it matches your known sending provider.

Misconfigured third-party source
Source IP: 198.51.100.20
Message count: 75
Header From: example.com
SPF result: pass
SPF alignment: fail
DKIM result: none
DMARC result: fail
Disposition: none

Interpretation: This may be a third-party sender that needs custom DKIM or Return-Path alignment.

DMARC report examples are simplified. Real reports may include multiple records, compressed XML attachments and receiver-specific formatting.
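
The reading steps from "How to read reports", run over the two sources above as they would appear in raw aggregate XML. This is an added example, not code from the original guide; the XML is a constructed sample in the RFC 7489 layout, and `summarize`, `receiver.example` and `mailer.example.net` are made-up names.

```python
import xml.etree.ElementTree as ET

# Constructed sample report; values mirror the two simplified sources above.
SAMPLE_REPORT = """<feedback>
 <report_metadata><org_name>receiver.example</org_name></report_metadata>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>450</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results>
   <dkim><domain>example.com</domain><result>pass</result></dkim>
   <spf><domain>example.com</domain><result>pass</result></spf>
  </auth_results>
 </record>
 <record>
  <row><source_ip>198.51.100.20</source_ip><count>75</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>mailer.example.net</domain><result>pass</result></spf></auth_results>
 </record>
</feedback>"""

def summarize(xml_text):
    """Return one dict per <record>, largest sender first."""
    rows = []
    for rec in ET.fromstring(xml_text).iter("record"):
        ev = rec.find("row/policy_evaluated")
        # policy_evaluated holds the aligned results; auth_results the raw ones.
        dmarc_pass = "pass" in (ev.findtext("spf"), ev.findtext("dkim"))
        raw = [r.text for r in rec.findall("auth_results/*/result")]
        if dmarc_pass:
            verdict = "passing"
        elif "pass" in raw:
            verdict = "authenticates but not aligned"  # e.g. third party to fix
        else:
            verdict = "unauthenticated"  # unknown source: investigate
        rows.append({"ip": rec.findtext("row/source_ip"),
                     "count": int(rec.findtext("row/count")),
                     "header_from": rec.findtext("identifiers/header_from"),
                     "disposition": ev.findtext("disposition"),
                     "dmarc": "pass" if dmarc_pass else "fail",
                     "verdict": verdict})
    return sorted(rows, key=lambda r: -r["count"])

if __name__ == "__main__":
    for row in summarize(SAMPLE_REPORT):
        print(row)
```

Reports arrive as compressed attachments from outside senders, so in real use decompress them with a size limit and parse with a hardened XML parser such as defusedxml.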

Report workflow

  1. Publish DMARC with p=none and rua.
  2. Collect reports for normal business mail.
  3. Identify known senders.
  4. Fix SPF/DKIM alignment for legitimate sources.
  5. Remove or investigate unknown sources.
  6. Move to quarantine when results are clean.
  7. Move to reject only after confidence is high.
  8. Continue monitoring reports.

Forensic report caution

Forensic reports can provide more detail about failed messages, but they are less commonly supported and may include sensitive message data depending on receiver behavior.

For many domains, aggregate reports are enough to start. Use forensic reports only if you understand the privacy and operational implications.

Frequently asked questions

What is a DMARC aggregate report?

It is a summary report showing sources that sent mail for your domain, message counts and SPF, DKIM and DMARC results.

What is a forensic DMARC report?

It is a failure report that may include message-level details. It is less commonly supported and should be used carefully.

What does rua mean?

rua defines where aggregate DMARC reports should be sent.

What does ruf mean?

ruf defines where forensic or failure reports should be sent.

Do I need a DMARC report service?

A report service is not required, but it is useful because raw aggregate reports are often XML files that are difficult to read manually.

Should I enforce DMARC before reading reports?

No. Reports help confirm legitimate senders before moving to quarantine or reject.

Why are reports not arriving?

Possible reasons include missing rua, invalid mailbox, low mail volume, receivers not sending reports or DNS record errors.
