Aggregate DMARC reports explained

In order to receive DMARC aggregate reports an organization needs to create a DMARC record and publish it into the DNS. After publishing a DMARC record an organization be able to receive DMARC aggregate reports from all ISP’s that are supporting DMARC. These aggregate reports contain crucial information to secure an organization’s domains.

This article explains what DMARC aggregate reports are, how to request these reports and what is included in these reports.

What is a DMARC aggregate report?

DMARC (Domain-based Message Authentication, Reporting and Conformance) aggregate reports contain information about the authentication status of messages sent on behalf of a domain. With the reports an organization can see which emails are authenticating against DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework). It is also visible which emails are not authenticating.

An aggregate report doesn’t contain any information about the emails themselves. The DMARC aggregate reports contain information about the source that sent the message, the domain that was used to sent these messages, the sending IP, the amount of messages sent on a specific date, the DKIM/SPF sending domain, the DKIM/SPF authentication result and the DMARC result. All this information is very useful for an organization to determine who’s sending email on its behalf, if a sender is allowed to send email on its behalf and if the messages are authenticated correctly. On top of that an organization is able to see who’s sending malicious emails on its behalf. Eventually an organization will be able to make sure that the malicious emails won’t reach the inbox of the receivers this can be done by enforcing a DMARC reject policy.

Aggregate Reports (RUA):
– Sent on a daily basis
– Provides an overview of email traffic
– XML file-format

How to receive DMARC Aggregate reports?

First step is to create a DMARC record. A DMARC record invites DMARC reporting organizations to send DMARC aggregate reports back to the sender of an email. The record contains a RUA tag (tag: rua=mailto:[email protected]). This email address will be the endpoint for the DMARC reporting organization to send the DMARC aggregate report to.

Need help creating a personalized DMARC record?
DMARC Analyzer provides an easy to use setup guide to guide organizations through the process of creating a personalized own DMARC record. More information about How to create a DMARC record?

Once the RUA tag is set an organization starts receiving DMARC aggregate reports. Participating DMARC reporting organisations typically send these reports on a daily basis.

What is included in the DMARC aggregate report?

1. ISP information

  • Report ID number
  • Reporting Organisation Name
  • Reporting Organisation sending email address and additional contact information
  • Beginning and ending data range in seconds

dmarc aggregate report rua

2. Description of a DMARC record

  • Header domain/from domain
  • Alignment settings for both DKIM and SPF
  • Domain policy (reject)
  • Subdomain policy (reject)
  • Percentage of messages to which the DMARC policy is to be applied
    • dmarc aggregate report rua

      3. Summary of authentication results

      • IP identified in the email
      • Total of IP addresses identified
      • Disposition of the message, to show if the policy was applied
      • DKIM authentication result, the domain and result
      • SPF authentication result, the domain and result

      dmarc aggregate report rua

      DMARC Analyzer collects these reports and will merge them into user friendly overviews. DMARC Analyzer is easy to use and the overviews within our tool will give an organization information on how to make sure its email channel is fully authenticated and secured against malicious users. Start your DMARC Analyzer trial today.