DMARC reports (RUA / RUF)

DMARC's `rua=` collects aggregate XML reports; `ruf=` collects per-message forensic reports. You need rua to see what's going on; ruf is mostly dead.

The DMARC reporting tags rua and ruf are the data feeds that make DMARC actionable. Without them, DMARC publishes a policy and you have no idea what's hitting it.

rua — aggregate reports

rua (Reporting URI for Aggregate reports) tells receivers where to send daily summaries of who sent mail claiming to be from your domain.

v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com

Each report is an XML file zipped or gzipped, sent once per day per receiver. It contains, per source IP:

  • Mail volume from that IP claiming to be your domain.
  • SPF results.
  • DKIM results.
  • DMARC alignment results.
  • The disposition that receiver took (none, quarantine, reject).

Major mail providers (Google, Microsoft, Yahoo) send these. Smaller providers often don't.

ruf — forensic reports

ruf (Reporting URI for Forensic reports) is supposed to deliver per-message reports of individual messages that failed DMARC, including headers and partial content.

v=DMARC1; p=reject; rua=mailto:agg@example.com; ruf=mailto:forensic@example.com

In practice, almost nobody sends ruf reports anymore. Google never did (GDPR concerns). The format is also barely standardized. You can publish a ruf= line, but expect almost no data.

How to actually consume rua

Two options:

  1. Eat the XML. Set up dmarc-reports@yourdomain.com, write a parser, build dashboards. Doable but high-effort.
  2. Pay a SaaS to parse it. dmarcian, Valimail, EasyDMARC, Postmark, Cloudflare's DMARC Management. Costs $0–$300/mo for typical SaaS volume. Gets you a dashboard, alerts on new senders, drift detection.

Path 2 is what 99% of teams pick.

What to look for in the reports

  • New senders (IPs sending as your domain that you didn't authorize). These are spoofers or forgotten internal services.
  • Aligned-but-failing volume (mail from your real senders that is failing DMARC because of SPF/DKIM config drift).
  • Per-sender failure trends after a config change.

The day you flip p= from none to quarantine, watch the reports closely. If aligned-but-failing volume jumps, roll back fast.
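Option 1 in code, as an added example (not code from this page or from any of the vendors named above): it unpacks one aggregate report, totals volume per source IP, and returns the new senders and the authorized senders with failing volume described in the list above. The sample XML, the `known_nets` allowlist and the function names are constructed for this example; the element names follow the RFC 7489 aggregate report schema.

```python
import gzip, io, zipfile
import xml.etree.ElementTree as ET
from ipaddress import ip_address, ip_network

# Constructed sample report; IPs are from documentation ranges.
SAMPLE_XML = b"""<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>192.0.2.11</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.77</source_ip><count>15</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def unpack(blob):
    """Return raw XML from a gzip, zip or uncompressed attachment."""
    if blob[:2] == b"\x1f\x8b":
        return gzip.decompress(blob)  # production code should cap the decompressed size
    if blob[:4] == b"PK\x03\x04":
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            return z.read(z.namelist()[0])
    return blob

def summarize(blob, known_nets):
    """Per source IP: total volume, DMARC-failing volume, whether the IP is authorized."""
    xml = unpack(blob)
    # Reports arrive by mail from arbitrary senders: refuse DTDs/entities before parsing.
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTD or entity declaration in report")
    root = ET.fromstring(xml)
    for el in root.iter():  # some receivers add an XML namespace; strip it
        el.tag = el.tag.rsplit("}", 1)[-1]
    nets = [ip_network(n) for n in known_nets]
    out = {}
    for row in root.iter("row"):
        ip, n = row.findtext("source_ip"), int(row.findtext("count", "0"))
        # DMARC passes when either aligned result (DKIM or SPF) passes.
        ok = "pass" in (row.findtext("policy_evaluated/dkim"), row.findtext("policy_evaluated/spf"))
        s = out.setdefault(ip, {"count": 0, "dmarc_fail": 0,
                                "known": any(ip_address(ip) in net for net in nets)})
        s["count"] += n
        s["dmarc_fail"] += 0 if ok else n
    return out

def findings(summary):
    """(new senders, authorized senders with failing volume), each a sorted IP list."""
    new = sorted(ip for ip, s in summary.items() if not s["known"])
    drift = sorted(ip for ip, s in summary.items() if s["known"] and s["dmarc_fail"])
    return new, drift

if __name__ == "__main__":
    print(findings(summarize(gzip.compress(SAMPLE_XML), ["192.0.2.0/24"])))
```

Run it over each day's attachments and compare the second list before and after a policy or DNS change to see per-sender failure trends.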
