Aggregate Reports (rua)
Aggregate reports are the primary DMARC monitoring tool.
What They Contain
- Summary statistics (not individual messages)
- Source IP addresses that sent as your domain
- Volume of emails from each source
- SPF and DKIM results per source
- Policy applied (none, quarantine, reject)
How to Receive Them
Add the rua tag to your DMARC record:
v=DMARC1; p=none; rua=mailto:[email protected]
Report Frequency
- Typically sent daily
- Some providers send more frequently
- Arrive as gzip-compressed XML files
Use Cases
- Identifying all sources sending as your domain
- Monitoring authentication pass rates
- Detecting spoofing attempts
- Tracking progress toward enforcement
Aggregate Reports Are Essential
Every DMARC implementation should include rua for aggregate reports. They are the foundation of DMARC monitoring and provide the data needed to safely progress toward enforcement.
Forensic Reports (ruf)
Forensic reports provide details about individual failed messages.
What They Contain
- Copy of the failed message (often redacted)
- Detailed authentication failure information
- Message headers
- Sometimes partial message body
How to Receive Them
Add the ruf tag to your DMARC record:
v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]
Availability Issues
Many providers do not send forensic reports:
- Gmail: Does not send forensic reports
- Yahoo: Limited forensic reporting
- Microsoft: Some forensic support
Privacy concerns limit forensic report adoption.
Use Cases
- Debugging specific authentication failures
- Investigating phishing attempts
- Understanding why legitimate email failed
Key Differences
Scope
- Aggregate: All email, summarized by source
- Forensic: Individual failed messages only
Detail Level
- Aggregate: Statistics and counts
- Forensic: Full message details
Privacy Impact
- Aggregate: No PII, widely available
- Forensic: Contains message content, limited availability
Volume
- Aggregate: One report per provider per day
- Forensic: One report per failed message (potentially many)
Practical Recommendations
Always Use Aggregate Reports
- Essential for all DMARC deployments
- Set up a dedicated mailbox or use a DMARC service
- Review regularly to track authentication health
Forensic Reports: Optional
- Useful for debugging but not essential
- May generate high volume of emails
- Limited provider support reduces value
- Consider privacy implications of receiving message content
Failure Reporting Options
The fo tag controls when forensic reports are generated:
- fo=0: Report if all mechanisms fail (default)
- fo=1: Report if any mechanism fails
- fo=d: Report if DKIM fails
- fo=s: Report if SPF fails
Managing Report Volume
Aggregate Reports
- Usually manageable volume
- Use a DMARC service to parse and visualize
- Automated processing recommended
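As an added example (not part of the original page), automated processing of a gzip-compressed aggregate report can be sketched in Python as below, rolling up pass and fail counts per source IP. It assumes the report uses the element names from the RFC 7489 aggregate schema without an XML namespace; the sample report, the size cap and the function names are constructed for illustration.

```python
import gzip
import io
import xml.etree.ElementTree as ET
from collections import defaultdict

MAX_XML_BYTES = 10 * 1024 * 1024  # assumed cap; reports are untrusted input

# Constructed sample data (documentation IP ranges), not a real report.
SAMPLE_XML = b"""<feedback>
<record><row><source_ip>192.0.2.10</source_ip><count>120</count>
<policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
</policy_evaluated></row></record>
<record><row><source_ip>192.0.2.10</source_ip><count>5</count>
<policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf>
</policy_evaluated></row></record>
<record><row><source_ip>198.51.100.7</source_ip><count>15</count>
<policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
</policy_evaluated></row></record>
</feedback>"""


def load_report(blob):
    """Return report XML bytes, decompressing gzip with a size limit."""
    if blob[:2] == b"\x1f\x8b":  # gzip magic bytes
        with gzip.GzipFile(fileobj=io.BytesIO(blob)) as fh:
            blob = fh.read(MAX_XML_BYTES + 1)  # stop early on oversized data
    if len(blob) > MAX_XML_BYTES:
        raise ValueError("report exceeds size limit")
    return blob


def summarize(blob):
    """Per source IP: total messages, DMARC passes, DMARC failures."""
    stats = defaultdict(lambda: {"total": 0, "pass": 0, "fail": 0})
    for row in ET.fromstring(load_report(blob)).iter("row"):
        ip = row.findtext("source_ip") or "unknown"
        count = int(row.findtext("count") or 0)
        results = [row.findtext(f"policy_evaluated/{m}") for m in ("dkim", "spf")]
        # DMARC passes when either the aligned DKIM or aligned SPF result passes.
        outcome = "pass" if "pass" in results else "fail"
        stats[ip]["total"] += count
        stats[ip][outcome] += count
    return dict(stats)


if __name__ == "__main__":
    for ip, s in summarize(gzip.compress(SAMPLE_XML)).items():
        print(ip, s)
```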
Forensic Reports
- Can generate thousands of emails during attacks
- Use separate mailbox from aggregate reports
- Consider not enabling if not actively debugging
