Suped

Log inGet started
Knowledge base
/
Email authentication
/
DMARC

What DMARC report format is used for aggregate reports?

Michael Ko profile picture
Michael Ko
Co-founder & CEO, Suped
Published 1 Apr 2025
Updated 3 Oct 2025
6 min read
Abstract illustration of data streams converging, representing DMARC reports
When you implement DMARC, a crucial part of the process involves receiving DMARC reports. These reports are essential for understanding your email ecosystem, identifying potential security threats, and optimizing your email deliverability. There are two primary types of DMARC reports: aggregate (RUA) and forensic (RUF). For aggregate reports, a specific format is universally used, which is vital for any DMARC monitoring solution to interpret effectively.
This article will delve into the standard format for DMARC aggregate reports, explain its components, and discuss why this format is chosen for such critical data. Understanding the structure of these reports is the first step toward leveraging them for robust email security.

The basics of DMARC aggregate reports

DMARC aggregate reports, specified by the rua tag in your DMARC record, are designed to provide a comprehensive overview of your email traffic. These reports are typically sent daily by participating mailbox providers, offering a statistical summary rather than individual message details. They contain crucial information about messages purporting to be from your domain, detailing whether they passed or failed SPF and DKIM authentication, and if DMARC alignment was achieved.
The standardized format for these reports is XML (Extensible Markup Language). This choice is not arbitrary; XML provides a structured, machine-readable way to convey complex data, making it ideal for automated processing by DMARC report analysis tools. While it may look intimidating to the untrained eye, this format ensures consistency across different reporting organizations.
Every DMARC aggregate report is an XML file. This file encapsulates all the relevant data for a specific reporting period, usually 24 hours. The structure includes metadata about the report itself, the DMARC policy published by the reporting domain, and individual records for groups of messages. These records detail how emails from various sending sources aligned with your authentication standards.

Decoding the XML format

An XML aggregate report is essentially a hierarchical document. At its root, it has a <feedback> tag, under which several sub-elements are nested. These elements categorize the information, making it parsable by software. Key elements include:
  1. Report metadata: Provides details about the report itself, such as the reporting organization, the email address of the report generator, and the reporting period.
  2. Policy published: Outlines the DMARC policy for the domain being monitored, including the policy (p), subdomain policy (sp), and percentage of messages (pct) that the policy applies to.
  3. Records: These are the core of the report, containing aggregated data for various sending sources. Each record includes the source IP address, the number of emails sent from that IP, and the authentication results (SPF and DKIM) and DMARC alignment status for those messages.
Example DMARC aggregate report XML snippetxml
<feedback>
  <report_metadata>
    <org_name>Example Mailbox Provider</org_name>
    <email>dmarc-reports@example.com</email>
    <report_id>123456789</report_id>
    <date_range>
      <begin>1678886400</begin>
      <end>1678972799</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>yourdomain.com</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>none</p>
    <sp>none</sp>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.1</source_ip>
      <count>150</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>yourdomain.com</header_from>
    </identifiers>
    <auth_results>
      <spf>
        <domain>yourdomain.com</domain>
        <result>pass</result>
      </spf>
      <dkim>
        <domain>yourdomain.com</domain>
        <result>pass</result>
        <selector>s1</selector>
      </dkim>
    </auth_results>
  </record>
</feedback>
While the XML format is standardized, reading and interpreting these raw files manually is highly inefficient and prone to errors. This is where DMARC report analysis tools come into play. These tools parse the XML, aggregate the data, and present it in an easily understandable format, often with dashboards and visual representations.
For example, Suped provides comprehensive DMARC monitoring that transforms these complex XML files into actionable insights. This simplifies the process of understanding your email traffic and quickly identifies issues that require attention.

Key information found in aggregate reports

Aggregate reports contain a wealth of information that is invaluable for maintaining a secure and reliable email program. Here's a breakdown of the key data points you'll find:

Data point

Description

Why it's important

Source IP address
The IP address of the server that sent the email.
Identifies legitimate and potentially unauthorized senders.
Email volume
The number of emails received from each source IP.
Helps in capacity planning and detecting sudden spikes in traffic.
SPF authentication result
Whether the SPF check passed or failed for the message.
Crucial for identifying SPF misconfigurations.
DKIM authentication result
Whether the DKIM signature verification passed or failed.
Helps detect DKIM signing issues or unauthorized modifications.
DMARC alignment
Indicates if the SPF and DKIM domains align with the 'From' domain.
Confirms proper domain authentication and protection against spoofing.
Policy disposition
The action taken by the receiving server based on your DMARC policy (e.g., none, quarantine, reject).
Shows how effectively your policy is being enforced and if it's protecting your domain.
An illustration showing a hand with a magnifying glass examining email data.
Understanding these data points is critical. For instance, consistently seeing a high volume of emails from an unknown IP address failing DMARC alignment is a strong indicator of a spoofing attempt against your domain. Conversely, legitimate sending services (like workspace.google.com logoGoogle Workspace or microsoft.com logoMicrosoft 365) should consistently show passing authentication and alignment.
Monitoring these reports allows you to fine-tune your DMARC policy from a relaxed p=none to p=quarantine or p=reject, increasing your domain's protection against email fraud and enhancing overall deliverability.

Why aggregate reports are crucial for deliverability

DMARC aggregate reports serve as a foundational element of a strong email security posture. Without them, you're essentially flying blind, unaware of who is sending email purporting to be from your domain, whether legitimate emails are failing authentication, or if your DMARC policy is actually being enforced.

The true value of DMARC aggregate reports

Aggregate reports aren't just technical data, they are the cornerstone of proactive email domain management. They empower you to:
  1. Identify spoofing: Pinpoint malicious actors attempting to impersonate your domain.
  2. Correct misconfigurations: Discover and fix issues with your SPF or DKIM records that might be causing legitimate emails to fail authentication.
  3. Improve deliverability: Ensure your emails reach the inbox by confirming proper authentication and alignment.
  4. Optimize policy enforcement: Gradually move to stronger DMARC policies with confidence.

Manual XML analysis

  1. Time-consuming: Requires manual parsing and interpretation of large XML files.
  2. Error-prone: Easy to miss critical details or misinterpret data.
  3. Lack of visualization: Difficulty in identifying trends or anomalies at a glance.

Using a DMARC platform like Suped

  1. Automated analysis: Automatically processes XML into easy-to-read dashboards.
  2. Actionable recommendations: AI-powered suggestions for fixing issues and strengthening policies.
  3. Real-time alerts: Instant notifications for critical issues or policy deviations.
Leveraging a tool like Suped is crucial for effective DMARC management. It not only simplifies the analysis of the complex XML aggregate reports but also provides the intelligence needed to make informed decisions, ensuring your domain is protected and your emails reach their intended recipients.

Mastering DMARC reporting for email security

The XML format is the standard for DMARC aggregate reports, providing a structured and comprehensive overview of your domain's email traffic and authentication results. While the raw XML files can be daunting, their standardized nature makes them perfectly suited for automated processing by DMARC monitoring platforms.
By transforming this complex data into clear, actionable insights, tools like Suped empower organizations to effectively manage their DMARC policies, enhance email deliverability, and protect against phishing and spoofing attacks. Understanding this format is the key to unlocking the full potential of DMARC for your email security strategy.

Frequently asked questions

Related pages

What information is contained in DMARC RUA and RUF reports?
Which ISPs deliver DMARC reports and what configuration is needed?
What is the default reporting interval for DMARC aggregate reports?
What tools can analyze DMARC reports into an easy-to-read format?
Understanding and troubleshooting DMARC reports from Google and Yahoo
Does the 'ri' DMARC tag control aggregate report intervals in seconds?
List of DMARC tags and their meanings
Where can I find example DMARC RUA reports?
DMARC monitoring

Start monitoring your DMARC reports today

Suped DMARC platform dashboard

What you'll get with Suped

Real-time DMARC report monitoring and analysis
Automated alerts for authentication failures
Clear recommendations to improve email deliverability
Protection against phishing and domain spoofing
Get started - free
Product
DMARC monitoring
SPF flattening
Blocklist monitoring
MSP
Pricing
Tools
DMARC record generator
Blocklist checker
Email tester
Resources
API docs
Customers
Blog
Guides
Knowledge base
Company
About
Trust and security

Suped

Privacy policy
Terms of service
© 2025 Suped Pty Ltd
LinkedInX