Introducting to DMARC Reporting

DMARC provides a reporting capability, in the form of DMARC reports, which lets receiving email servers send data back to the sending domain about messages claiming to come from it, such as the volume of both legitimate and fraudulent mail. This helps domain owners respond to deliverability issues and spoofing incidents more quickly. Under the updated specification, reporting is now defined in two dedicated documents: RFC 9990 for aggregate reports and RFC 9991 for failure reports.

DMARC reports are of two primary types:

• DMARC aggregate (RUA) reports
• DMARC failure (RUF) reports, historically called forensic reports

How Do DMARC Aggregate Reports Help You?

DMARC aggregate (RUA) reports help you track the authentication status of all mail sent using your domain. They are sent in XML format, typically once per day, and provide several useful data points. Sent to the address you designate in the rua tag, they offer a general analysis of your domain's mail, useful when you want to see how your email is performing in terms of authentication and which IP addresses are failing DMARC. From these reports, you can see:

• The sending sources using your domain
• The IP addresses behind those sources
• The geolocations of those sources
• The reporting organization's name, contact information, and address
• The DMARC policy the receiver retrieved for your domain
• The SPF and DKIM results, including alignment

Aggregate reports help you confirm the policy receivers are applying, avoid inbox disruptions that could affect your recipients, and pull all your email activity together with a clear picture of what is passing and failing authentication. They help you find where authentication is breaking and where to improve. The data can also reveal who has been spoofing your domain: you can see which sources and IP addresses are repeatedly attempting to impersonate you, and act on them.

How Do DMARC Failure Reports Help You?

A DMARC failure report (the legacy term is forensic report) is a detailed, per-message record generated when a message using your domain fails DMARC authentication. It can include message headers and other details about the individual failing message, giving you an in-depth look at what led to a failure, whether that is a misconfigured legitimate sender or an attacker spoofing your domain.

Compared to aggregate reports, failure reports are not widely sent by mailbox providers. Most large receivers limit or disable them, in part because the detailed message content they can contain raises privacy concerns, which RFC 9991 specifically addresses through guidance on redaction and secure handling. Where they are available, however, they can be a useful way to get granular, message-level insight into how and why specific messages failed DMARC, which helps with troubleshooting individual senders. For an overall view of volumes and trends, aggregate reports remain the more reliable source.