DMARC aggregate reports, often referred to as RUA reports, are delivered in a standardized format to ensure they can be processed by different systems. The format used is XML (Extensible Markup Language).
These reports are sent as email attachments, typically compressed in a .zip or .gz file, to the address specified in the rua (Reporting URI for Aggregate) tag within your domain's DMARC record. The use of XML is intentional; it's a machine-readable format designed for structured data exchange. This allows for automated processing, which is essential given the potential volume of reports a domain can receive.
While XML is great for computers, it's not very friendly for human eyes. A raw aggregate report looks like a complex block of code, making it difficult to extract meaningful insights without a specialized tool to parse and visualize the data.
Each aggregate report provides a summary of email activity for your domain from a specific reporting organization, like Google or Microsoft. It doesn't contain the content of the emails themselves, but rather metadata about the authentication results. The information contained within the XML file is specified by the IETF DMARC standard. Key data points include:
This aggregated data is incredibly powerful for understanding who is sending email on behalf of your domain, identifying misconfigured legitimate sources, and detecting unauthorized or fraudulent use of your domain.
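As an added example (not code from the original page or from any vendor tool), here is a minimal Python parser for the compressed XML attachment described above, totalling message counts and DMARC failures per sending IP. Element names follow the RFC 7489 aggregate report schema; the sample report, the 20 MB size cap and the function names are assumptions made for illustration.

```python
import gzip, io, zipfile
import xml.etree.ElementTree as ET
from collections import defaultdict

MAX_XML_BYTES = 20 * 1024 * 1024  # assumed cap against decompression bombs
# Constructed sample report (documentation IPs and domains), not real data.
SAMPLE = b"""<?xml version="1.0"?>
<feedback>
 <report_metadata><org_name>reporter.example</org_name><report_id>r-1</report_id></report_metadata>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>12</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.7</source_ip><count>3</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def extract_xml(blob: bytes) -> bytes:
    """Return the XML from a raw, .gz or .zip attachment, chosen by magic bytes."""
    if blob[:2] == b"\x1f\x8b":                       # gzip
        with gzip.GzipFile(fileobj=io.BytesIO(blob)) as fh:
            data = fh.read(MAX_XML_BYTES + 1)
    elif blob[:4] == b"PK\x03\x04":                   # zip: first member is the report
        with zipfile.ZipFile(io.BytesIO(blob)) as zf, zf.open(zf.infolist()[0]) as fh:
            data = fh.read(MAX_XML_BYTES + 1)
    else:
        data = blob
    if len(data) > MAX_XML_BYTES:
        raise ValueError("report too large after decompression")
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:   # reports come from outside senders
        raise ValueError("DTD/entity declarations are not expected in a report")
    return data

def summarize(blob: bytes) -> dict:
    """Summarize one aggregate report: reporter, policy, and per-IP totals."""
    root = ET.fromstring(extract_xml(blob))
    for el in root.iter():                            # some reporters add a namespace
        el.tag = el.tag.rsplit("}", 1)[-1]
    sources = defaultdict(lambda: {"messages": 0, "dmarc_fail": 0})
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        n = int(rec.findtext("row/count", "0"))
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        sources[ip]["messages"] += n
        if dkim != "pass" and spf != "pass":          # DMARC needs one aligned pass
            sources[ip]["dmarc_fail"] += n
    return {"reporter": root.findtext("report_metadata/org_name"),
            "domain": root.findtext("policy_published/domain"),
            "policy": root.findtext("policy_published/p"), "sources": dict(sources)}
```

Calling `summarize(gzip.compress(SAMPLE))` shows 192.0.2.10 passing on DKIM alone and 203.0.113.7 failing both checks, which is the kind of source to investigate as either a misconfigured sender or unauthorized use.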
It's worth noting that DMARC allows for two types of reports: aggregate (RUA) and forensic (RUF). As we've discussed, aggregate reports are XML summaries. Forensic reports, on the other hand, are individual copies of specific emails that failed DMARC authentication. They are sent in real time and contain message headers and sometimes the full message body.
Due to privacy concerns related to potentially exposing personally identifiable information (PII), most major mailbox providers have stopped sending forensic reports. Therefore, aggregate XML reports are the primary and most reliable source of data for DMARC monitoring.