Suped

Log inGet started
Knowledge base
/
Email authentication
/
DMARC

Does the 'ri' DMARC tag control aggregate report intervals in seconds?

Michael Ko profile picture
Michael Ko
Co-founder & CEO, Suped
Published 25 Aug 2025
Updated 9 Oct 2025
7 min read
Stylized clock representing DMARC report intervals
When you implement DMARC to protect your domain from email spoofing and phishing, one of the crucial components is receiving aggregate reports. These reports provide invaluable insights into your email ecosystem, showing who is sending email on behalf of your domain and whether those emails are passing or failing DMARC authentication. To control how frequently you receive these reports, DMARC offers a specific tag, known as the 'ri' tag.
The 'ri' tag is short for "reporting interval," and its purpose is to specify the desired interval, in seconds, between the generation of successive aggregate reports. Without a properly configured 'ri' tag, or if it's omitted entirely, you might find yourself either overwhelmed with too many reports or not receiving them frequently enough to detect issues promptly. It's a key element in managing the data flow from DMARC-compliant email receivers.
Understanding and correctly utilizing the 'ri' tag is essential for effective DMARC monitoring. It ensures that you get actionable data at a frequency that suits your operational needs, helping you maintain optimal email security without unnecessary administrative burden. Let's delve deeper into how this tag works and how to set it for maximum benefit.

Understanding the 'ri' DMARC tag

The DMARC 'ri' tag indeed controls the aggregate report intervals, and it does so by specifying the desired frequency in seconds. This means that email receivers, upon seeing the 'ri' tag in your DMARC record, will attempt to send RUA (aggregate) reports to the designated address at intervals corresponding to the value you've set. For example, a value of 3600 seconds would instruct receivers to send reports hourly, while 86400 seconds would mean daily reports.
It's important to note that while the 'ri' tag provides a requested interval, it's not a strict command. Email receivers (like Gmail and Yahoo) are not obligated to adhere to it precisely. They will do their best to honor the requested interval, but factors such as report size, system load, or their own internal policies might lead to slight variations in delivery frequency. However, for the most part, you can expect reports to arrive around your specified timeframe. As DMARC Advisor points out, 3600 seconds is a common setting for hourly reports.
If you omit the 'ri' tag from your DMARC record, the default reporting interval will typically be 86400 seconds, which corresponds to one report every 24 hours. While a daily report might seem sufficient, a more frequent interval can be beneficial, especially during initial DMARC deployment or when troubleshooting deliverability issues. To learn more about this, explore our article on what is the default reporting interval for DMARC aggregate reports.
Example DMARC record with 'ri' tag set to 1 hourDNS
v=DMARC1; p=none; rua=mailto:reports@yourdomain.com; ri=3600;

How 'ri' impacts DMARC reports

The 'ri' tag plays a significant role in how quickly you gain visibility into your email authentication status. A shorter interval, such as an hour, means you receive more granular and timely data. This is particularly valuable when you are first implementing DMARC or making changes to your email sending infrastructure.
For example, if you've recently onboarded a new email service provider (ESP) or made adjustments to your SPF or DKIM records, a shorter 'ri' allows you to quickly see if these changes are correctly reflected in your aggregate reports. This rapid feedback loop is crucial for detecting misconfigurations or unauthorized sending sources before they can significantly impact your email deliverability or security posture. You can delve into what information is contained in DMARC RUA and RUF reports for more details on the data within these reports.
On the other hand, setting 'ri' too aggressively low (e.g., every few minutes) could result in an overwhelming volume of small reports, making data analysis challenging. Conversely, an 'ri' that's too high might delay critical insights, leaving your domain vulnerable for longer periods. Finding the right balance is key to extracting maximum value from your DMARC reports.

Suped: Your intelligent DMARC monitoring solution

Managing DMARC reports and their intervals can be complex, but Suped simplifies the entire process. Our platform excels in making DMARC accessible and actionable.
  1. AI-Powered Recommendations: We don t just show you data, we tell you exactly what actions to take to fix issues and strengthen your DMARC policy.
  2. Real-Time Alerts: Get immediate notifications about potential threats or DMARC failures, ensuring you re always informed.
  3. Unified Platform: Combine DMARC, SPF, and DKIM monitoring with crucial blocklist and deliverability insights in one place.
  4. Generous Free Plan: Start protecting your domain with our feature-rich free plan, making DMARC accessible to everyone.

Best practices for setting the 'ri' tag

For most organizations, a daily reporting interval (86400 seconds) is a good baseline, especially after DMARC has been running smoothly for some time. This frequency provides a consistent overview without generating an excessive amount of data. However, for active monitoring or during policy enforcement transitions (from p=none to p=quarantine or p=reject), a more frequent interval like 3600 seconds (hourly) is often recommended.
When deciding on your 'ri' value, consider the volume of email your domain sends and the speed at which you need to respond to potential security incidents. Higher email volumes might generate very large hourly reports, which could be cumbersome to process manually. Conversely, if your domain is frequently targeted by spoofing attempts, quicker reporting allows for faster detection and mitigation.

Too frequent reporting (e.g., ri=600)

  1. Data volume: Can generate an overwhelming number of small reports, making analysis difficult and consuming storage.
  2. Processing overhead: More frequent parsing and aggregation are required, which can strain reporting tools.
  3. Actionability: Very short intervals might not show significant changes between reports, reducing their immediate actionability.

Optimal reporting (e.g., ri=3600 or ri=86400)

  1. Balanced data: Provides enough data to identify trends and issues without overloading your inbox or monitoring system.
  2. Efficient processing: Allows for efficient data collection and analysis, making it easier to extract insights.
  3. Timely insights: Regular intervals ensure you receive fresh data to make informed decisions and respond to threats.
Remember, the 'ri' tag only applies to aggregate reports (RUA). Forensic reports (RUF), if configured, are sent in real-time or near real-time based on individual email authentication failures, and their frequency is not controlled by 'ri'. It's also worth noting that the 'ri' tag operates independently of the 'pct' DMARC tag, which specifies the percentage of messages to which the DMARC policy is applied.

Optimizing your DMARC reporting interval

The 'ri' DMARC tag is a powerful tool for customizing the flow of aggregate reports, allowing you to fine-tune your DMARC monitoring strategy. By specifying the reporting interval in seconds, you can control how frequently you receive the valuable data needed to understand your email landscape and protect your domain.
While email receivers strive to honor your requested interval, it's crucial to select a frequency that balances timely insights with manageable data volume. Starting with daily reports and adjusting to hourly during critical phases or for specific monitoring needs is a common and effective approach. This ensures you maintain visibility without being overwhelmed.
Utilizing a robust DMARC monitoring platform like Suped can significantly enhance your ability to manage and interpret these reports, regardless of your chosen 'ri' value. Our platform aggregates, organizes, and analyzes the data, providing clear, actionable insights and automated alerts so you can focus on strengthening your email security. It makes DMARC accessible to everyone, from small businesses to large enterprises and MSPs.
Hand adjusting DMARC report interval dial

Frequently asked questions

Related pages

What is the default reporting interval for DMARC aggregate reports?
What information is contained in DMARC RUA and RUF reports?
Does the DMARC 'pct' tag affect aggregate reports?
Can DMARC reports be sent without RUA or RUF addresses?
What DMARC report format is used for aggregate reports?
List of DMARC tags and their meanings
DMARC record and policy examples
A simple guide to DMARC, SPF, and DKIM
Understanding and troubleshooting DMARC reports from Google and Yahoo
How to safely transition your DMARC policy to quarantine or reject
DMARC monitoring

Start monitoring your DMARC reports today

Suped DMARC platform dashboard

What you'll get with Suped

Real-time DMARC report monitoring and analysis
Automated alerts for authentication failures
Clear recommendations to improve email deliverability
Protection against phishing and domain spoofing
Get started - free
Product
DMARC monitoring
SPF flattening
Blocklist monitoring
MSP
Pricing
Tools
DMARC record generator
Blocklist checker
Email tester
Resources
API docs
Customers
Blog
Guides
Knowledge base
Company
About
Trust and security

Suped

Privacy policy
Terms of service
© 2025 Suped Pty Ltd
LinkedInX