When you set up DMARC, you're taking a crucial step to protect your domain from being used in phishing and spoofing attacks. A key part of DMARC is the reporting mechanism, which provides feedback on how your emails are being authenticated. This feedback comes in the form of aggregate (RUA) reports. These reports are XML files that summarise authentication data for emails claiming to be from your domain.
A common question I get is about the frequency of these reports. The short answer is that the default interval for DMARC aggregate reports to be sent is 24 hours, or 86,400 seconds. This means that, by default, you will receive a summary report from each participating mail receiver once per day.
The 'ri' tag: controlling report frequency
The reporting interval is specified in your DMARC DNS record using the ri (reporting interval) tag. This tag's value is set in seconds. If you don't explicitly include an ri tag in your DMARC record, it automatically defaults to 86400.
Here is an example of a DMARC record using the default interval:
- v=DMARC1; p=none; rua=mailto:dmarc@example.com; ri=86400;
Since 86400 is the default, a record without the ri tag has the exact same effect:
- v=DMARC1; p=none; rua=mailto:dmarc@example.com;
Why is 24 hours the default?
A 24 hour reporting cycle is the standard for a few important reasons. It strikes a balance between providing timely feedback and not overwhelming the systems that process these reports. Daily reports are frequent enough for you to monitor your email channels and detect authentication issues without creating an unmanageable flood of data. Furthermore, as the IETF DMARC draft notes, a common time period is beneficial.
Having a standardized interval helps in correlating data from different reporters like Google, Microsoft, and Yahoo, giving you a more coherent picture of your domain's email activity across the internet.
Can you change the reporting interval?
Yes, you can request a different reporting interval by changing the value of the ri tag. For example, if you wanted to receive reports every hour, you would set the interval to 3600 seconds:
v=DMARC1; p=none; rua=mailto:dmarc@example.com; ri=3600;
However, it's important to remember that the ri tag is a request, not a command. While you can ask for reports every hour, not all mail receivers will honor this request. Many large providers will stick to their own reporting schedule, which is typically once every 24 hours, regardless of your ri value. In practice, I've found it's best to stick with the default unless you have a very specific, short-term need for more frequent data, such as during a new email service migration.
Conclusion
To sum up, the default reporting interval for DMARC aggregate reports is 24 hours (86,400 seconds). This interval is controlled by the optional ri tag in your DMARC record. While you can request a shorter interval, report generators are not required to honor it, and the 24 hour default is standard for a good reason. For the vast majority of domain owners, leaving the ri tag at its default, or omitting it entirely, is the most practical approach.
What DMARC tag specifies forensic reports?
Does the DMARC 'pct' tag affect aggregate reports?
Does the 'ri' DMARC tag control aggregate report intervals in seconds?
What DMARC 'fo' tag value requests failure reports for all failures?
What is the 'fo' tag value for DMARC aggregate report formatting?
What DMARC tag specifies the reporting format for failure reports?
