Understanding DMARC Reports: RUA vs RUF Explained

DMARC Reports RUA RUF Explained

DMARC reports are one of the most valuable features of DMARC. They show you exactly who is sending email as your domain and whether authentication is passing. This guide explains how to read and use DMARC reports.

Types of DMARC Reports

Aggregate Reports (RUA)

  • Daily XML summaries from receiving servers
  • Show authentication results for all email from your domain
  • Include source IP, volume, and pass/fail status
  • Essential for monitoring and enforcement decisions

Forensic Reports (RUF)

  • Individual failure notifications
  • Contain message details (headers, sometimes body)
  • Sent in real-time when failures occur
  • Many providers don't send these due to privacy

Setting Up Report Delivery

In your DMARC record:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-forensics@yourdomain.com

  • rua= – Address for aggregate reports
  • ruf= – Address for forensic reports (optional)

Understanding Aggregate Reports

Aggregate reports are XML files containing:

Report Metadata

  • Reporting organization (who sent the report)
  • Date range covered
  • Your DMARC policy

Policy Published

  • Your current DMARC settings
  • Policy level (none/quarantine/reject)
  • Alignment modes

Record Data (per source IP)

  • Source IP address
  • Count of messages
  • DMARC disposition (none/quarantine/reject)
  • SPF result and alignment
  • DKIM result and alignment

Reading Report Data

What to Look For

Legitimate Sources Passing: Your known services should show:

  • DMARC: pass
  • SPF: pass + aligned
  • DKIM: pass + aligned

Legitimate Sources Failing: Known services failing need fixes:

  • Missing from SPF record
  • DKIM not configured
  • Alignment issues

Unknown Sources:

  • Could be forgotten services
  • Could be unauthorized senders (spoofing attempts)
  • Investigate before enforcement

Processing Reports

Raw XML is hard to read. Options:

Free Services

  • Postmark DMARC – Free weekly digests
  • dmarcian – Free tier available
  • DMARC Analyzer – Free for low volumes

Paid Services

  • EasyDMARC
  • Valimail
  • Agari
  • Red Sift OnDMARC

These services parse reports into readable dashboards showing trends, issues, and recommendations.

Using Reports for Enforcement

Before Enforcement (p=none)

  1. Collect reports for 2-4 weeks minimum
  2. Identify all legitimate sending sources
  3. Fix any authentication failures
  4. Confirm all sources pass consistently

During Enforcement

  1. Monitor for new failures
  2. Watch for legitimate services breaking
  3. Identify spoofing attempts (expect failures from unknown IPs)

After Full Enforcement (p=reject)

  1. Continue monitoring for new services
  2. Review monthly for changes
  3. Update when adding new email tools

Common Report Patterns

Pattern: High Volume from Unknown IP

Could be: Forgotten marketing service, forwarding, or spoofing

Action: Identify the IP owner, add to SPF if legitimate, or leave to fail if not

Pattern: SPF Pass, DKIM Fail, DMARC Pass

DKIM isn't critical if SPF passes and aligns. But configure DKIM for redundancy.

Pattern: SPF Fail, DKIM Pass, DMARC Pass

Common with forwarding. DKIM saves these. Still, fix SPF issues.

Pattern: Everything Fails

Either a misconfigured service or spoofing attempt. Investigate the source.

For implementation guidance, see our DMARC setup guide.

Related Resources

0 comments

Leave a comment

Please note, comments need to be approved before they are published.