Aggregate vs forensic

Aggregate reports (RUA) summarize mail streams: source IP, disposition, DKIM/SPF pass-fail, and counts. They are the right place to start when tuning policy.

Forensic reports (RUF) carry samples and are used far less often today because of privacy constraints.

What’s in an aggregate report

DMARC aggregate reports are XML files sent daily to your RUA address. Each report contains:

  • Report metadata (reporter, date range, policy applied)
  • DNS records for your domain (SPF, DKIM, DMARC as seen by the receiver)
  • One or more <record> sections, each representing a sending source with:
    • Source IP and reverse DNS
    • Authentication results (SPF, DKIM, alignment)
    • Message count and disposition (pass, quarantine, reject, soft-fail)

Parsing tools

You don’t need to read raw XML by hand. Several tools make this easier:

  • DMARC Guardian — Ingests RUA reports automatically and shows trends in a dashboard
  • MIME::Inspector (Python) — Parse DMARC reports in code

A sensible review loop

  1. Confirm legitimate senders authenticate (SPF and/or DKIM aligned where required).
  2. Track gradual policy moves (p=nonequarantinereject) with a rollback plan (see Moving from p=none to p=reject safely).
  3. Watch for sudden spikes in failure volume; those often indicate misconfiguration, not abuse.
  4. Set up alerts when legitimate senders start failing (DMARC Guardian does this automatically).

Common failure modes

DMARC Guardian ingests aggregate XML for you and surfaces trends in the dashboard so you are not parsing zip attachments by hand.