How to Read DMARC Aggregate and Forensic Reports
Learn what DMARC aggregate and forensic reports are, what data they contain, and how to use them before moving to quarantine or reject.
Introduction
DMARC reports help domain owners understand who is sending email using their domain and whether those messages pass SPF, DKIM and DMARC alignment. Reports are especially useful before moving from p=none to stricter policies such as quarantine or reject.
There are two main report types: aggregate reports and forensic reports. Aggregate reports provide summary data, usually in XML format. Forensic reports, also called failure reports, may include message-level failure details, but they are less commonly supported and can raise privacy concerns.
Quick answer
DMARC aggregate reports summarize which IPs and providers sent mail for your domain and whether SPF, DKIM and DMARC passed. Forensic reports provide more detailed failure samples, but they are less commonly sent. Use DMARC reports to identify legitimate senders, unknown sources and authentication problems before enforcing quarantine or reject.
DMARC reports
DMARC reports are feedback reports sent by participating receiving mail servers. They help domain owners see how mail claiming to be from their domain is being authenticated.
- Which sources sent mail
- How many messages were seen
- Whether SPF passed
- Whether DKIM passed
- Whether DMARC alignment passed
- What policy was applied
- Whether unknown sources are sending mail
DMARC reports are usually enabled with the rua and ruf tags in the DMARC record.
Aggregate vs forensic reports
Aggregate reports
- Sent using the rua tag
- Summary-level data, usually XML files
- Show source IPs, counts and authentication results
- Useful for monitoring and enforcement planning
- Commonly supported
rua=mailto:dmarc@example.com
Forensic reports
- Sent using the ruf tag
- Message-level failure samples
- May include more sensitive details
- Less commonly supported
- Useful for investigating specific failures
ruf=mailto:dmarc-forensic@example.com
Most domains should start with aggregate reports. Forensic reports are optional and may not be sent by many receivers.
Aggregate report contents
Aggregate reports usually contain summary data for a reporting period.
- Reporting organization
- Report date range
- Source IP address
- Message count
- DMARC disposition
- SPF result
- DKIM result
- SPF alignment result
- DKIM alignment result
- Header From domain
- Policy applied
Aggregate reports do not usually show the full email content. They are designed for monitoring patterns, not reading individual messages.
How to read reports
1. Identify the source IP
Check which IP address sent mail claiming to be from your domain.
2. Check message count
Look at how many messages came from that source.
3. Identify the provider
Match the IP or sending domain to Google, Microsoft, a hosting server, a CRM, a marketing platform or an unknown sender.
4. Review SPF and DKIM results
Check whether SPF and DKIM passed or failed.
5. Check DMARC alignment
Confirm whether SPF or DKIM aligned with the visible From domain.
6. Review disposition
See whether the receiver applied none, quarantine or reject.
7. Decide action
Classify the source as legitimate, misconfigured, unknown or suspicious.
Why this matters
DMARC reports matter because they show what is actually happening with your domain’s email. Without reports, you may not know which services send legitimate mail, which sources fail authentication, or whether unknown systems are spoofing your domain.
Reports are especially important before enforcement. Moving to quarantine or reject without reading reports can block legitimate mail.
How to check reporting
Use DMARC Checker to inspect your DMARC record and confirm whether reporting addresses are configured.
When checking reporting, review
These five checks help confirm DMARC reporting is set up correctly.
rua tag
Confirm aggregate reports are enabled.
Reporting mailbox
Make sure the report address exists and can receive XML attachments.
ruf tag
Check whether forensic reports are configured intentionally.
Policy
Check whether the domain is monitoring, quarantining or rejecting.
SPF/DKIM readiness
Reports are most useful when SPF and DKIM are also configured.
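The rua, ruf and policy checks above can be run against a DMARC TXT value offline. The following is an added example, not part of the original guide or of any DMARC Checker tool: the function names are hypothetical, and a simple subdomain comparison stands in for a full organizational-domain lookup. It also flags report addresses on another domain, which per RFC 7489 section 7.1 must publish an authorization record before receivers will send reports there.

```python
def parse_dmarc(txt):
    """Split a DMARC TXT value into a dict of ';'-separated name=value tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags

def report_targets(value):
    """Return (address, host) for each mailto: URI in a rua or ruf value."""
    out = []
    for uri in value.split(","):
        uri = uri.strip()
        if uri.lower().startswith("mailto:"):
            addr = uri[7:].split("!")[0]          # drop optional '!size' suffix
            if addr.count("@") == 1:
                out.append((addr, addr.split("@")[1].lower()))
    return out

def check_reporting(domain, txt):
    """Return (policy, findings) for the DMARC record published by `domain`."""
    tags = parse_dmarc(txt)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("v tag is not DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= policy")
    rua = report_targets(tags.get("rua", ""))
    if not rua:
        findings.append("no usable rua address: aggregate reports will not be sent")
    if "ruf" in tags:
        findings.append("ruf is set: confirm failure reports are intended")
    for addr, host in rua + report_targets(tags.get("ruf", "")):
        # Assumption: "external" means not the policy domain or a subdomain of it.
        if host != domain and not host.endswith("." + domain):
            findings.append(f"{addr} is external: {host} must publish TXT "
                            f"{domain}._report._dmarc.{host} = v=DMARC1")
    return tags.get("p"), findings

if __name__ == "__main__":
    # Constructed record for illustration.
    print(check_reporting("example.com",
          "v=DMARC1; p=none; rua=mailto:agg@reports.vendor.example"))
```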
Common problems
No rua address configured
Medium: The domain has DMARC but does not request aggregate reports.
Next step: Add a rua address or DMARC report service to collect reports.
Reports sent to an unmonitored mailbox
Medium: Reports may arrive, but no one reviews them.
Next step: Use a monitored mailbox or reporting platform.
Raw XML is difficult to read
Low: Aggregate reports are often compressed XML files that are hard to interpret manually.
Next step: Use a DMARC report parser or service.
Unknown sending sources appear
High: Reports show IPs or providers you do not recognize.
Next step: Investigate whether they are legitimate services, old systems or spoofing attempts.
Legitimate provider fails alignment
Medium: A known sender passes SPF or DKIM but fails DMARC alignment.
Next step: Configure custom DKIM or Return-Path alignment for that provider.
Reports are not arriving
Medium: Not all receivers send reports, or the report address may be invalid.
Next step: Confirm rua syntax, mailbox availability and DNS record validity.
Forensic reports expose sensitive data
Medium: Failure reports may include message-level information depending on receiver behavior.
Next step: Use ruf carefully and understand privacy implications.
How to use reports
Step 1: Start with p=none
Use monitoring mode while collecting data about legitimate and unknown senders.
Step 2: Add an aggregate report address
Configure rua with a mailbox or DMARC reporting service.
Step 3: Collect reports for a period of time
Wait until reports show normal sending patterns from major receivers.
Step 4: Identify legitimate senders
Match source IPs and providers to your real mailbox, CRM, marketing, transactional and hosting services.
Step 5: Fix authentication gaps
Enable DKIM, adjust SPF and configure alignment for legitimate providers.
Step 6: Investigate unknown sources
Classify unknown sources as old systems, vendors, forwarding behavior or suspicious spoofing.
Step 7: Move gradually toward enforcement
Only consider quarantine or reject after legitimate sources are passing DMARC.
Report example
Source IP: 192.0.2.10
Message count: 450
Header From: example.com
SPF result: pass
SPF alignment: pass
DKIM result: pass
DKIM alignment: pass
DMARC result: pass
Disposition: none
Interpretation: This source is likely legitimate if it matches your known sending provider.
Source IP: 198.51.100.20
Message count: 75
Header From: example.com
SPF result: pass
SPF alignment: fail
DKIM result: none
DMARC result: fail
Disposition: none
Interpretation: This may be a third-party sender that needs custom DKIM or Return-Path alignment.
DMARC report examples are simplified. Real reports may include multiple records, compressed XML attachments and receiver-specific formatting.
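To show what the raw form of these records looks like, the following added example (not part of the original guide) parses a gzip-compressed aggregate report in the RFC 7489 XML layout and applies the reading steps described earlier. The sample data is constructed from the two records above plus one constructed unknown source; KNOWN_SENDERS, MAX_BYTES and the verdict rules are assumptions of this example.

```python
import gzip, io
import xml.etree.ElementTree as ET

MAX_BYTES = 5_000_000   # assumed cap on decompressed size (reports arrive from outside)
# Hypothetical sender inventory: source IPs you have already matched to a provider.
KNOWN_SENDERS = {"192.0.2.10": "mailbox provider", "198.51.100.20": "CRM vendor"}

# Constructed sample: the page's two example records plus one unknown source.
_REC = ("<record><row><source_ip>{ip}</source_ip><count>{n}</count><policy_evaluated>"
        "<disposition>none</disposition><dkim>{dkim}</dkim><spf>{spf}</spf></policy_evaluated>"
        "</row><identifiers><header_from>example.com</header_from></identifiers><auth_results>"
        "<spf><domain>{mfrom}</domain><result>{raw}</result></spf></auth_results></record>")
SAMPLE_GZ = gzip.compress((
    "<feedback><report_metadata><org_name>receiver.example</org_name></report_metadata>"
    + _REC.format(ip="192.0.2.10", n=450, dkim="pass", spf="pass", mfrom="example.com", raw="pass")
    + _REC.format(ip="198.51.100.20", n=75, dkim="fail", spf="fail", mfrom="bounce.vendor.example", raw="pass")
    + _REC.format(ip="203.0.113.5", n=12, dkim="fail", spf="fail", mfrom="other.example", raw="fail")
    + "</feedback>").encode())

def load_report(blob):
    """Decompress (if gzip) under a size cap and refuse DTDs before parsing."""
    if blob[:2] == b"\x1f\x8b":                      # gzip magic bytes
        blob = gzip.GzipFile(fileobj=io.BytesIO(blob)).read(MAX_BYTES + 1)
    if len(blob) > MAX_BYTES:
        raise ValueError("report too large")
    if b"<!DOCTYPE" in blob or b"<!ENTITY" in blob:
        raise ValueError("DTD or entity declarations are not expected in a report")
    return ET.fromstring(blob)

def classify(root):
    """Return one dict per record with its DMARC result and a verdict."""
    out = []
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        spf = rec.findtext("row/policy_evaluated/spf")    # SPF after alignment
        dkim = rec.findtext("row/policy_evaluated/dkim")  # DKIM after alignment
        dmarc_pass = "pass" in (spf, dkim)                # either aligned pass is enough
        known = ip in KNOWN_SENDERS
        verdict = ("legitimate" if known and dmarc_pass else
                   "misconfigured" if known else
                   "unknown" if dmarc_pass else "suspicious")
        out.append({"ip": ip, "count": int(rec.findtext("row/count")),
                    "disposition": rec.findtext("row/policy_evaluated/disposition"),
                    "spf_raw": rec.findtext("auth_results/spf/result"),
                    "dmarc": "pass" if dmarc_pass else "fail", "verdict": verdict})
    return out

if __name__ == "__main__":
    for row in classify(load_report(SAMPLE_GZ)):
        print(row)
```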
Report workflow
- Publish DMARC with p=none and rua.
- Collect reports for normal business mail.
- Identify known senders.
- Fix SPF/DKIM alignment for legitimate sources.
- Remove or investigate unknown sources.
- Move to quarantine when results are clean.
- Move to reject only after confidence is high.
- Continue monitoring reports.
Forensic report caution
Forensic reports can provide more detail about failed messages, but they are less commonly supported and may include sensitive message data depending on receiver behavior.
For many domains, aggregate reports are enough to start. Use forensic reports only if you understand the privacy and operational implications.
Frequently asked questions
What is a DMARC aggregate report?
It is a summary report showing sources that sent mail for your domain, message counts and SPF, DKIM and DMARC results.
What is a forensic DMARC report?
It is a failure report that may include message-level details. It is less commonly supported and should be used carefully.
What does rua mean?
rua defines where aggregate DMARC reports should be sent.
What does ruf mean?
ruf defines where forensic or failure reports should be sent.
Do I need a DMARC report service?
A service is not required, but it is useful because raw aggregate reports are often XML files that are difficult to read manually.
Should I enforce DMARC before reading reports?
No. Reports help confirm legitimate senders before moving to quarantine or reject.
Why are reports not arriving?
Possible reasons include missing rua, invalid mailbox, low mail volume, receivers not sending reports or DNS record errors.