
Reading DMARC Aggregate (RUA) Reports

Short answer. DMARC RUA reports are daily XML aggregates that mailbox providers send to the address in the rua= tag. Each report shows which IPs sent mail as your domain, whether SPF and DKIM passed, whether they were aligned, and what disposition the receiver applied. With this data you find legitimate sources, catch forgery, and move safely to p=reject.

How to enable reports

Add a rua tag with an aggregate address to your DMARC record:

_dmarc.example.com. IN TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.com; ruf=mailto:forensic@example.com; fo=1"

# Verify the record is published:
dig +short txt _dmarc.example.com

Structure of the XML report

  • report_metadata — who sent the report (org_name) and the period.
  • policy_published — the policy (p, adkim, aspf) the receiver saw.
  • record → row → source_ip — the sending server IP and message count.
  • row → policy_evaluated — the final disposition: none, quarantine, reject.
  • auth_results — SPF and DKIM in detail: domain and pass/fail.

What "alignment" means

The key DMARC nuance is alignment. SPF or DKIM may pass, but if the verified domain does not match the visible From domain, DMARC still fails. In the report, check whether header_from matches the domain that passed SPF or DKIM.

| Report field | What it shows | What to look for |
|---|---|---|
| source_ip | Sender IP | Whether you recognize the server |
| count | Number of messages | Volume from the source |
| spf result | pass / fail | Whether SPF passed |
| dkim result | pass / fail | Whether DKIM passed |
| disposition | none / quarantine / reject | What the receiver did |

High volume from unknown IPs where SPF and DKIM fail is either a forgotten legitimate service or forgery. Investigate before tightening the policy.

Reading a report in practice

  1. Collect all source_ip values and group by volume.
  2. Match familiar IPs to your services (CRM, sender, server).
  3. For each source, check SPF and DKIM pass/fail and alignment.
  4. Find unaccounted services and add them to SPF/DKIM.
  5. Once every legitimate source passes, raise the policy to quarantine, then reject.

XML is hard to read by eye: one day for a large domain is hundreds of rows. Use an aggregate parser to surface problem sources immediately.
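Steps 1 to 3 above can be scripted. The following is an added example, not enterno's code: it groups rows by source_ip and separates sources that fail outright from sources that pass SPF or DKIM for a domain that is not aligned with header_from. The sample report is constructed, element names follow the RFC 7489 aggregate schema, and the input is assumed to be un-namespaced, already-decompressed XML.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate layout (trimmed; documentation IPs).
SAMPLE = """<feedback>
<report_metadata><org_name>receiver.example</org_name></report_metadata>
<policy_published><domain>example.com</domain><p>none</p></policy_published>
<record><row><source_ip>192.0.2.10</source_ip><count>120</count>
 <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
 <identifiers><header_from>example.com</header_from></identifiers>
 <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
  <spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>198.51.100.7</source_ip><count>40</count>
 <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
 <identifiers><header_from>example.com</header_from></identifiers>
 <auth_results><spf><domain>bounce.vendor.example</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>203.0.113.99</source_ip><count>300</count>
 <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
 <identifiers><header_from>example.com</header_from></identifiers>
 <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
</feedback>"""

def summarize(xml_text):
    """Per source_ip: message volume and how much of it passed DMARC."""
    stats = defaultdict(lambda: {"count": 0, "aligned": 0, "unaligned_pass": 0})
    for rec in ET.fromstring(xml_text).iter("record"):
        row = rec.find("row")
        n = int(row.findtext("count"))
        s = stats[row.findtext("source_ip")]
        s["count"] += n
        # policy_evaluated holds the receiver's aligned SPF/DKIM verdicts.
        if "pass" in (row.findtext("policy_evaluated/spf"), row.findtext("policy_evaluated/dkim")):
            s["aligned"] += n
        # auth_results is raw: a pass here that was not aligned is for another domain.
        elif any(r.text == "pass" for r in rec.iterfind("auth_results/*/result")):
            s["unaligned_pass"] += n
    return dict(stats)

def triage(xml_text):
    """Sources with non-passing mail, largest volume first, with a hint."""
    out = []
    for ip, s in summarize(xml_text).items():
        if s["aligned"] < s["count"]:
            hint = "passes but unaligned" if s["unaligned_pass"] else "fails SPF and DKIM"
            out.append((ip, s["count"] - s["aligned"], hint))
    return sorted(out, key=lambda t: -t[1])

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

A "passes but unaligned" source is typically a service that authenticates with its own domain and needs to be set up to sign or send as yours; a source that fails both is the one to investigate. Reports come from outside parties, so production intake should parse them with a hardened XML library such as defusedxml.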

How enterno.io helps

On Pro+ the /email-check tool supports DMARC aggregate (RUA) upload: you upload the XML reports you received, and enterno parses them and shows sources, SPF/DKIM results and alignment in a readable view instead of raw XML. This speeds the path to p=reject and helps you avoid blocking your own mail. enterno diagnoses and monitors — DNS records and the policy itself are edited by the domain owner. Free: 10 monitors, 48+ tools and a DNS check.

FAQ

How is RUA different from RUF?

RUA is aggregated daily statistical reports. RUF is forensic reports on individual failing messages (with header fragments); not all providers send them, and they do so cautiously for privacy reasons.

How often do reports arrive?

Usually once a day from each receiving provider. So you will see the full source picture after a few days of observation.

Can I set p=reject right away?

Not recommended. Start at p=none and analyze reports first, or you risk blocking legitimate mail that is not yet in SPF/DKIM.

Start analyzing: enable rua and upload reports into /email-check. See also spoofing prevention and DKIM setup.
