What is DMARC Aggregate Reporting (RUA)?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You set up DMARC, pointed rua= at an email address, and now XML files are arriving in your inbox. Congratulations, you're getting DMARC Aggregate Reports. Now what?

An aggregate report (RUA stands for Reporting URI for Aggregate) is a daily summary that mailbox providers like Gmail and Outlook send back to you. It tells you how many emails were sent using your domain, which IP addresses sent them, and whether those messages passed or failed SPF and DKIM checks. It also tells you whether those results were aligned with your domain, which is the part DMARC actually cares about.

The word "aggregate" matters here. These reports don't show individual messages or recipient details. They show totals across a reporting period, usually 24 hours. Think of it as a daily scorecard, not a message log.

What the numbers actually mean:

  • Pass count: How many messages came from your domain and passed authentication. These are your legitimate sends working correctly.
  • Fail count: How many failed. This could be a misconfigured sending tool, a third-party you forgot to authorize in your SPF record, or someone actively phishing with your domain name.
  • Source IP: Which server sent those messages. If you see an IP you don't recognize sending under your domain, that's worth investigating.
  • Disposition: What the receiving server actually did (none, quarantine, reject) based on your DMARC policy at the time.

So the reports arrive as raw XML, which is not fun to read by hand. Most people use a DMARC reporting tool to parse and visualize them. Mailtrap has a free tier, and tools like Dmarcian or Postmark's DMARC offerings are worth looking at too. The point is getting the data into a human-readable format so you can spot patterns quickly.

The real value of RUA reports shows up in two situations. First, when you're working toward a DMARC enforcement policy (moving from p=none to p=quarantine or p=reject), the reports show you whether all your legitimate sending sources are properly authenticated before you flip that switch. Second, if someone is spoofing your domain for phishing, RUA reports will surface that. You'll see IPs you've never used sending under your name, and you can act on it.

How often should you review them? Weekly is usually enough if you're in a monitoring phase. Daily if you're actively tightening your policy or investigating a problem.

Want to check whether your DMARC record is set up to receive these reports correctly? Try our free DMARC Parser to see exactly what your current record is saying.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Paste your DMARC report summary or describe what you're seeing

I'm receiving DMARC aggregate reports (RUA) and I want to understand what I'm looking at. Based on my situation, help me figure out what the pass/fail counts mean, whether any IPs look suspicious, and whether my setup is ready to move toward a stricter DMARC policy. Here's my context:

Edit the yellow boxes, then send to the AI of your choice.