DMARC Reports

DMARC reporting is a feature of DMARC that allows domain owners to monitor and analyze the email authentication status of messages sent from their domains. DMARC reporting consists of two types of reports: aggregate reports and failure reports.

Aggregate Reports

Aggregate reports are periodic summaries of the DMARC results for all messages received by a domain that claims to implement DMARC. They contain information such as:

Number and percentage of messages that passed or failed DMARC validation
Alignment mode and policy of the sending domain
Identifiers and IP addresses of the senders

Aggregate reports are useful for domain owners to:

Evaluate the effectiveness and coverage of their DMARC policy
Identify potential sources of spoofing or misalignment

Forensic Reports

Forensic reports are triggered by individual messages that fail DMARC validation. They contain more detailed information about the source and content of the messages, such as:

Headers
Body
Attachments

These failure reports are useful for domain owners to:

Investigate and troubleshoot specific incidents of DMARC failures
Take corrective actions if needed

Reporting Frequency

The frequency of DMARC reporting depends on the settings of the sending and receiving domains. The sending domain can specify the interval of aggregate reports using the tag ri in their DMARC record. The default value is 86400 seconds, which means one report per day. The receiving domain can decide how often to send failure reports, depending on their resources and preferences. Some domains may send failure reports immediately after each message that fails DMARC validation, while others may send them in batches or at regular intervals.

Reporting Limitations

DMARC reporting also has some limitations that domain owners should be aware of. Not all domains that receive messages from a domain with DMARC policy will send reports back to the domain owner. Some domains may not support DMARC reporting at all, or may have technical issues or privacy concerns that prevent them from sending reports. Moreover, the reports may not always be sent as frequently as the domain owner would like, especially for failure reports, which depend on the discretion of the receiving domain. Therefore, domain owners should not rely solely on DMARC reporting to monitor their email authentication status, but also use other tools and methods to complement it.

DMARC reporting is a powerful tool for domain owners to improve their email security and reputation, and to protect their users and customers from phishing and spoofing attacks.

Enabling Reporting

To enable DMARC reporting, domain owners need to specify one or more URIs (usually email addresses) in their DMARC records, using the tags rua and ruf. The tag rua indicates where aggregate reports should be sent, and the tag ruf indicates where failure reports should be sent. Multiple URIs can be specified, separated by commas. For example, the DMARC record below instructs the receiving domain to send aggregate reports to [email protected] and failure reports to [email protected]:

txt

v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; ...

Learn more about DMARC record syntax

Note: DMARC Manager will automatically produce this record for you. See the Domains section for more information.

What is DMARC? - Introduction to DMARC and its purpose
How Does DMARC Work? - Technical details about DMARC operation
Why is DMARC Important? - Benefits and significance of DMARC
Limitations of DMARC - Current constraints and challenges
DMARC Syntax - Detailed information about DMARC DNS record fields

DMARC Reports ​

Aggregate Reports ​

Forensic Reports ​

Reporting Frequency ​

Reporting Limitations ​

Enabling Reporting ​