Aggregate vs forensic
Aggregate reports (RUA) summarize mail streams: source IP, disposition, DKIM/SPF pass-fail, and counts. They are the right place to start when tuning policy.
Forensic reports (RUF) carry samples and are used far less often today because of privacy constraints.
What’s in an aggregate report
DMARC aggregate reports are XML files sent daily to your RUA address. Each report contains:
- Report metadata (reporter, date range, policy applied)
- DNS records for your domain (SPF, DKIM, DMARC as seen by the receiver)
- One or more <record> sections, each representing a sending source with:
  - Source IP and reverse DNS
  - Authentication results (SPF, DKIM, alignment)
  - Message count and disposition (pass, quarantine, reject, soft-fail)
Parsing tools
You don’t need to read raw XML by hand. Several tools make this easier:
- DMARC Guardian — Ingests RUA reports automatically and shows trends in a dashboard
- MIME::Inspector (Python) — Parse DMARC reports in code
A sensible review loop
- Confirm legitimate senders authenticate (SPF and/or DKIM aligned where required).
- Track gradual policy moves (p=none→quarantine→reject) with a rollback plan.
- Watch for sudden spikes in failure volume; those often indicate misconfiguration, not abuse.
- Set up alerts when legitimate senders start failing (DMARC Guardian does this automatically).
Common failure modes
- record_too_large — Your DMARC record exceeds DNS size limits (shorten tags or remove unused ones)
- policy_undefined — No DMARC record exists at _dmarc.yourdomain.com
- spf=permerror — SPF record has syntax errors or exceeds 10 DNS lookups
- Alignment failures — SPF passes but the authenticated domain doesn’t match the From header
DMARC Guardian ingests aggregate XML for you and surfaces trends in the dashboard so you are not parsing zip attachments by hand.
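For the review loop and the alignment-failure case described above, here is an added example (not code from this page or from any tool it names): a short Python parser that tallies, per source IP, total volume, DMARC failures, and messages where SPF passed for a domain that is not aligned with the From header. The embedded report is constructed sample data; the element names follow the RFC 7489 aggregate report schema, and the function name `summarize` is illustrative.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report (documentation IPs, example.com); not real data.
SAMPLE = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>bounce.esp.example</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>"""

def summarize(xml_text):
    """Per-source totals, DMARC failures, and SPF-pass-but-unaligned counts."""
    # Reports are untrusted input: refuse DTDs so entity expansion cannot run.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations not allowed in a report")
    root = ET.fromstring(xml_text)
    for el in root.iter():                      # some reporters add a namespace
        el.tag = el.tag.rsplit("}", 1)[-1]
    stats = defaultdict(lambda: {"total": 0, "dmarc_fail": 0, "spf_unaligned": 0})
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip", "unknown")
        n = int(rec.findtext("row/count", "0"))
        aligned_spf = rec.findtext("row/policy_evaluated/spf") == "pass"
        aligned_dkim = rec.findtext("row/policy_evaluated/dkim") == "pass"
        raw_spf_pass = any(s.findtext("result") == "pass"
                           for s in rec.findall("auth_results/spf"))
        s = stats[ip]
        s["total"] += n
        if not (aligned_spf or aligned_dkim):   # DMARC needs one aligned pass
            s["dmarc_fail"] += n
        if raw_spf_pass and not aligned_spf:    # SPF passed for another domain
            s["spf_unaligned"] += n
    return dict(stats)

if __name__ == "__main__":
    for ip, s in summarize(SAMPLE).items():
        print(ip, s)
```

A source with a high spf_unaligned count is usually a legitimate sender using its own bounce domain; fixing it means aligning the envelope domain or adding aligned DKIM before moving the policy past p=none.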