What are DMARC Aggregate Reports (RUA)?
As a domain owner, when you have DMARC implemented for your domain what you need is an extensive reporting mechanism that will help you gain complete visibility into your email ecosystem. That is exactly what DMARC RUA Aggregate Reports do. They provide information the sending sources, sending domain, the sender's IP address, the volume of emails sent, percentage of DMARC compliant emails and the DKIM and SPF authenticated results.
Aggregate reports (RUA) can be used to discover IP addresses that could be spoofing your domain to send malicious phishing emails. You can even see if the same source has been abusing your domain more than once, at which point you can take action against it.
How often are DMARC Aggregate Reports generated?
DMARC aggregate reports are generated once a day, on a daily basis, so they don't contain much information about individual emails themselves. Their purpose is to provide an overall view of how emails are being handled in your domain by various users, which emails are passing or failing authentication, and showing you potential problems that might need to be fixed.
While a typical DMARC aggregate report is generated in XML file format that can be quite complex to read for a non-technical person, DMARCDirector simplifies these aggregate reports in simple, readable tabular format for ease of understanding.
What information do DMARC Aggregate Reports contain?
A raw DMARC aggregate report contains the following information:
What are the different views via which DMARCDirector displays aggregate reports?
DAMRCDirector extracts information from your XML files and converts them into simple, readable charts and tables available in 7 different views:
What are the terms displayed in the cascaded table aggregate report views?
If you go to your DMARC aggregate reports and cascade the table, you will have the following information at your disposal:
/msdyn_blobfile/$value)
DMARC Aggregate Report Views
View 1: DMARC Aggregate Reports Per Sending Source
How are the results sorted on this page?
Results on this page are sorted based on the domains email sending sources.
What are the different sections in this page and what do they mean?
/msdyn_blobfile/$value)
In this example, the sending source is Microsoft and the "From" Domain is tangent.com. This means that emails were sent from Microsoft mail servers on behalf of the domain tangent.com. Since those emails are SPF and DKIM aligned, they are DMARC compliant and are therefore presented in the DMARC compatible sources section.
/msdyn_blobfile/$value)
In this example, the sending source is Google and the volume of emails forwarded from this domain is 1. Although the forwarded email was found not to be DMARC compliant due it failing DKIM authentication, SPF authentication, the receiver was able to identify it as a forwarded email and therefore a policy of none was applied.
/msdyn_blobfile/$value)
In this example, the sending source is Google and the volume of emails sent from this domain that has failed DMARC is 521. The DKIM verification for this email has failed and unaligned with SPF verification.
What should I use this page view?
This page is best used when trying to investigate the SPF/DKIM configuration setting of your email sending services/sources. For example, if you are using Gsuite/Google Workspaces to send email on behalf of your domain and you want to inspect the correctness of the SPF/DKIM setting, this would be the best view.
View 2: DMARC aggregate Reports Per Result
How are results sorted on this page?
Results on this page are sorted based on the SPF/DKIM alignment and/or authentication results.
What are the different sections in this page and what do they mean?
/msdyn_blobfile/$value)
This section shows the volume of emails that are DMARC compliant for a specific domain or all registered domains (which have either SPF aligned, DKIM aligned or both aligned). Cascading each row reveals further information such as the sending hostname, IP address, volume, status of DMARC compliance, SPF, and DKIM verification results.
/msdyn_blobfile/$value)
This section shows the amount (%) and volume of emails that have been authenticated by either SPF and DKIM but are not aligned. Cascading each row reveals further information such as the sending hostname, IP address, volume, status of DMARC compliance and SPF and DKIM verification results.
/msdyn_blobfile/$value)
This section shows the amount (%) and volume of emails that have failed SPF and/or DKIM authentication checks. Cascading each row reveals further information such as the sender hostname, IP address, volume, status of DMARC compliance and SPF and DKIM verification results.
When should I use this page?
This page is best used when trying to look at emails that failed or passed SPF/DKIM authentication alignment at a glance without checking for each domain manually.
View 3: DMARC Aggregate Reports Per Organization
How are results sorted on this page?
Results on this page are sorted based on every reporting organization that has received emails from your domain hence generating and sending DMARC reports to us.
What are the different sections in this page and what do they mean?
This page contains a single section, that displays all the reporting organizations for your specified domain or all domains. It contains the following information:/msdyn_blobfile/$value)
Each row can be further cascaded to reveal sender hostnames and IP addresses of email sources, volume, status of DARC compliance and SPF and DKIM verification results.
When should I use this page?
It is recommended that you use this page view when you want to investigate the SPF and DKIM authentication verdicts applied to emails sent for your domains to particular email receivers (reporting organization) such as google.com, microsoft.com, etc.
View 4: DMARC Aggregate Reports Per Host
How are results sorted on this page?
Results on this page are sorted based on every email sending host used by all your sending sources.
What are the different sections in this page and what do they mean?
This page contains a single section that displays all the sender hostnames for the outbound emails sent from your specified domain or all your registered domains. It contains the following information:
Overview of Percentage of emails that are DMARC compliant, for which SPF and DKIM valid and for which SPF and DKIM are invalid:
/msdyn_blobfile/$value)
/msdyn_blobfile/$value)
Each row can be further cascaded to reveal IP addresses of email sources, volume, status of DMARC as shown below:
/msdyn_blobfile/$value)
When should I use this page?
You can use this page when you want to view your DMARC aggregate reports based on every email sending host used by your sending sources, directly, without having to cascade the rows underneath your sending sources to view their sender hostnames.
View 5: Detailed Stats
How are results sorted on this page?
Results on this page are sorted based on detailed stats on every email sending hostname, IP address, reporting organizations and authentication results across a single pane of glass.
What are the different sections in this page and what do they mean?
On this page there is a single continuous section, results for which can be sorted based on the domain and date range, as well as individual sender hostnames, IP address and organizational names can be searched up for more filtered results. Every DMARC aggregate view page has a search box where you can filter and view results for a particular sending source or email sending hostnames.
DMARC aggregate reports on this page contains the following information:
/msdyn_blobfile/$value)
Each row can be cascaded to reveal the From Domain, applied policy mode, status DMARC compliance, and DKIM/SPF alignment information.
When should I use this page?
You can use this page when you want to view your DMARC aggregate reports in detail with the hostnames, IP addresses and organizational names all available on across a single pane of glass. This view is best for details inspection and investigation of your sending sources' IP addresses, hosts and reporting organizations.
View 6: Geo Location Report
How are results sorted on this page?
Results on this page are sorted based on the geographical locations of your email sending sources and their respective IP addresses.
What are the different sections in this page and what do they mean?
The primary section on this page consists of a world map on which you can view specific locations marked with colored pointers depicting the geographical locations of your registered email domains' respective sending sources of IP addresses. There is a shade card provided to segregate the degree of DMARC compliance for outgoing emails sent from specific regions on the globe./msdyn_blobfile/$value)
You can click on the drop-down arrow to download (as a PNG, JPG, SVG, or PDF), annotated or print this data.
The section at the bottom of the page provides a list of countries and their successive volume of DMARC complaint emails that were sent from sending sources originating from these locations on behalf of your registered email domains. It also provides insights on the Top 10 countries for which emails failed DMARC and threats were detected.
/msdyn_blobfile/$value)
When should I use this page?
You can use this page when you want to view your DMARC aggregate reports based on the geo locations of your sender IP addresses and sending sources for your registered domain and inspect which specific location failed DMARC and threats were detected for them so that you can respond to their errors faster.
View 7: DMARC Aggregate Reports Per Country
How are results sorted on this page?
Results on this page are sorted to provided complete visibility of the locations of all your sending sources.
What are the different sections in this page and what do they mean?
This page contains a continuous section that aggregate reports sorted displaying the country of location of the sending source for the registered domain, their corresponding IP addresses and sender hostnames, as well as the DKIM/SPF authentication results.
/msdyn_blobfile/$value)
Each row can be cascaded to reveal the from domain, applied policy mode, status of DMARC compliance, and DKIM/SPF alignment information.
/msdyn_blobfile/$value)
When should I use this page?
You can use this page when you want to view DMARC aggregate reports with enhanced visibility into the country of origin of your sending sources that are sending emails on behalf of your domain, alongside relevant information on the sender hostname, IP address and percentage of emails that are DKIM/SPF compliant.
As a domain owner, when you have DMARC implemented for your domain what you need is an extensive reporting mechanism that will help you gain complete visibility into your email ecosystem. That is exactly what DMARC RUA Aggregate Reports do. They provide information the sending sources, sending domain, the sender's IP address, the volume of emails sent, percentage of DMARC compliant emails and the DKIM and SPF authenticated results.
Aggregate reports (RUA) can be used to discover IP addresses that could be spoofing your domain to send malicious phishing emails. You can even see if the same source has been abusing your domain more than once, at which point you can take action against it.
How often are DMARC Aggregate Reports generated?
DMARC aggregate reports are generated once a day, on a daily basis, so they don't contain much information about individual emails themselves. Their purpose is to provide an overall view of how emails are being handled in your domain by various users, which emails are passing or failing authentication, and showing you potential problems that might need to be fixed.
While a typical DMARC aggregate report is generated in XML file format that can be quite complex to read for a non-technical person, DMARCDirector simplifies these aggregate reports in simple, readable tabular format for ease of understanding.
What information do DMARC Aggregate Reports contain?
A raw DMARC aggregate report contains the following information:
- Information on the Reporting organization (the email receiver that generated and sent this report), such as the Report ID number, the Reporting Organizational Name, the reporting organization's sending address, additional contact information, and the beginning and ending date range.
- Published DMARC DNS record description: the sending domain, SPF and DKIM alignment settings, and domain and subdomain policy mode and the percentage of failing emails to which the policy is to be applied
- The DKIM/SPF authentication results summary
How is this information presented on DMARCDirector aggregate views?
DMARCDirector extracts information from your XML files and converts the into simple, readable charts and tables. This reflects the authentication result overview, percentage and volume of DMARC compliant emails and information on the sending source and sending IP address more efficiently, as shown below.
What do the SPF/DKIM results mean?
The SPF/DKIM authentication results give you a summarized overview of the authentication failures and alignment failures for your configured DMARC authentication protocols (SPF and/or DKIM). The shade card for the authentication results is given below for your understanding:
- SPF aligned (green): the domain in the Return-path header and the Form header are a match.
- SPF not aligned, pass (yellow): "Not aligned, pass" means the SPF authentication passed, but the mailfrom/d= domains do not match the "from" domain.
- SPF Failed (red): During the DMARC check, if "Envelope From" domain does not match with the actual sender's domain (Organization domain), so SPF alignment will fail.
- DKIM aligned (green): DKIM alignment is when your email's parent domain of the DKIM signing domain matches the Header From domain.
- DKIM not aligned, pass (yellow): "Not aligned, pass" means the DKIM authentication pass, but the mailfrom/d= domains do not match the "from" domain.
- DKIM Failed (red): During the DMARC check, DKIM fails when your email's parent domain of the DKIM signing domain does not match the Header From domain.
What are the different views via which DMARCDirector displays aggregate reports?
DAMRCDirector extracts information from your XML files and converts them into simple, readable charts and tables available in 7 different views:
- Per Sending source
- Per result
- Per organization
- Per host
- Detailed stats
- Geo location report
- Per country
What are the terms displayed in the cascaded table aggregate report views?
If you go to your DMARC aggregate reports and cascade the table, you will have the following information at your disposal:
- Sender Hostname: The sending email server's hostname
- Source IP: The IP address of the email sender
- Volume: The volume of emails sent from the specific domain via the indicated sender host
- DMARC Compliance: The percentage of emails that are DMARC compliant (SPF and/or DKIM aligned)
- DKIM Verification: Percentage of emails that has passed/failed DKIM authentication and alignment
- SPF Verification: Percentage of emails that has passed/failed SPF authentication and alignment.
DMARC Aggregate Report Views
View 1: DMARC Aggregate Reports Per Sending Source
How are the results sorted on this page?
Results on this page are sorted based on the domains email sending sources.
What are the different sections in this page and what do they mean?
- DMARC compatible sources: Sources that are sending DMARC compliant emails on behalf of a domain
In this example, the sending source is Microsoft and the "From" Domain is tangent.com. This means that emails were sent from Microsoft mail servers on behalf of the domain tangent.com. Since those emails are SPF and DKIM aligned, they are DMARC compliant and are therefore presented in the DMARC compatible sources section.
- Forwarded: This section contains emails that have been forwarded.
In this example, the sending source is Google and the volume of emails forwarded from this domain is 1. Although the forwarded email was found not to be DMARC compliant due it failing DKIM authentication, SPF authentication, the receiver was able to identify it as a forwarded email and therefore a policy of none was applied.
- Failed: This section contains information on emails that have failed authentication checks.
In this example, the sending source is Google and the volume of emails sent from this domain that has failed DMARC is 521. The DKIM verification for this email has failed and unaligned with SPF verification.
What should I use this page view?
This page is best used when trying to investigate the SPF/DKIM configuration setting of your email sending services/sources. For example, if you are using Gsuite/Google Workspaces to send email on behalf of your domain and you want to inspect the correctness of the SPF/DKIM setting, this would be the best view.
View 2: DMARC aggregate Reports Per Result
How are results sorted on this page?
Results on this page are sorted based on the SPF/DKIM alignment and/or authentication results.
What are the different sections in this page and what do they mean?
- DMARC correct - DKIM or SPF aligned
This section shows the volume of emails that are DMARC compliant for a specific domain or all registered domains (which have either SPF aligned, DKIM aligned or both aligned). Cascading each row reveals further information such as the sending hostname, IP address, volume, status of DMARC compliance, SPF, and DKIM verification results.
- Authenticated - DKIM and SPF valid
This section shows the amount (%) and volume of emails that have been authenticated by either SPF and DKIM but are not aligned. Cascading each row reveals further information such as the sending hostname, IP address, volume, status of DMARC compliance and SPF and DKIM verification results.
- Invalid flows - DKIM and SPF invalid
This section shows the amount (%) and volume of emails that have failed SPF and/or DKIM authentication checks. Cascading each row reveals further information such as the sender hostname, IP address, volume, status of DMARC compliance and SPF and DKIM verification results.
When should I use this page?
This page is best used when trying to look at emails that failed or passed SPF/DKIM authentication alignment at a glance without checking for each domain manually.
View 3: DMARC Aggregate Reports Per Organization
How are results sorted on this page?
Results on this page are sorted based on every reporting organization that has received emails from your domain hence generating and sending DMARC reports to us.
What are the different sections in this page and what do they mean?
This page contains a single section, that displays all the reporting organizations for your specified domain or all domains. It contains the following information:
- Reporting organization's name
- Volume of emails sent
- Percentage of DMARC compliant emails
- DKIM verification results
- SPF verification results
Each row can be further cascaded to reveal sender hostnames and IP addresses of email sources, volume, status of DARC compliance and SPF and DKIM verification results.
When should I use this page?
It is recommended that you use this page view when you want to investigate the SPF and DKIM authentication verdicts applied to emails sent for your domains to particular email receivers (reporting organization) such as google.com, microsoft.com, etc.
View 4: DMARC Aggregate Reports Per Host
How are results sorted on this page?
Results on this page are sorted based on every email sending host used by all your sending sources.
What are the different sections in this page and what do they mean?
This page contains a single section that displays all the sender hostnames for the outbound emails sent from your specified domain or all your registered domains. It contains the following information:
Overview of Percentage of emails that are DMARC compliant, for which SPF and DKIM valid and for which SPF and DKIM are invalid:
- The sender hostnames for the sending sources
- Volume of emails sent by each of these hosts
- Percentage of emails that are DMARC compliant
- DKIM verification result
- SPF verification result
Each row can be further cascaded to reveal IP addresses of email sources, volume, status of DMARC as shown below:
When should I use this page?
You can use this page when you want to view your DMARC aggregate reports based on every email sending host used by your sending sources, directly, without having to cascade the rows underneath your sending sources to view their sender hostnames.
View 5: Detailed Stats
How are results sorted on this page?
Results on this page are sorted based on detailed stats on every email sending hostname, IP address, reporting organizations and authentication results across a single pane of glass.
What are the different sections in this page and what do they mean?
On this page there is a single continuous section, results for which can be sorted based on the domain and date range, as well as individual sender hostnames, IP address and organizational names can be searched up for more filtered results. Every DMARC aggregate view page has a search box where you can filter and view results for a particular sending source or email sending hostnames.
DMARC aggregate reports on this page contains the following information:
- The sender hostnames
- The sender's IP address
- Reporting organizational name
- Volume of emails sent
- Percentage of DMARC compliant emails
- DKIM/SPF verification status
Each row can be cascaded to reveal the From Domain, applied policy mode, status DMARC compliance, and DKIM/SPF alignment information.
When should I use this page?
You can use this page when you want to view your DMARC aggregate reports in detail with the hostnames, IP addresses and organizational names all available on across a single pane of glass. This view is best for details inspection and investigation of your sending sources' IP addresses, hosts and reporting organizations.
View 6: Geo Location Report
How are results sorted on this page?
Results on this page are sorted based on the geographical locations of your email sending sources and their respective IP addresses.
What are the different sections in this page and what do they mean?
The primary section on this page consists of a world map on which you can view specific locations marked with colored pointers depicting the geographical locations of your registered email domains' respective sending sources of IP addresses. There is a shade card provided to segregate the degree of DMARC compliance for outgoing emails sent from specific regions on the globe.
- DMARC compliant emails (Green)
- Emails for which DMARC failed (Blue)
- Domains for which threats are detected (Red)
You can click on the drop-down arrow to download (as a PNG, JPG, SVG, or PDF), annotated or print this data.
The section at the bottom of the page provides a list of countries and their successive volume of DMARC complaint emails that were sent from sending sources originating from these locations on behalf of your registered email domains. It also provides insights on the Top 10 countries for which emails failed DMARC and threats were detected.
When should I use this page?
You can use this page when you want to view your DMARC aggregate reports based on the geo locations of your sender IP addresses and sending sources for your registered domain and inspect which specific location failed DMARC and threats were detected for them so that you can respond to their errors faster.
View 7: DMARC Aggregate Reports Per Country
How are results sorted on this page?
Results on this page are sorted to provided complete visibility of the locations of all your sending sources.
What are the different sections in this page and what do they mean?
This page contains a continuous section that aggregate reports sorted displaying the country of location of the sending source for the registered domain, their corresponding IP addresses and sender hostnames, as well as the DKIM/SPF authentication results.
Each row can be cascaded to reveal the from domain, applied policy mode, status of DMARC compliance, and DKIM/SPF alignment information.
When should I use this page?
You can use this page when you want to view DMARC aggregate reports with enhanced visibility into the country of origin of your sending sources that are sending emails on behalf of your domain, alongside relevant information on the sender hostname, IP address and percentage of emails that are DKIM/SPF compliant.