Key Takeaways

  • DMARC aggregate (RUA) reports are daily XML summaries every major mailbox provider sends to the rua= address in your DMARC record.
  • The reports identify three groups: authorized senders that align, misconfigured senders that need fixing, and unauthorized senders that need blocking.
  • Healthy domains sit at an aggregate pass rate of 99 percent or higher. Anything below means legitimate mail is failing alignment or someone is actively spoofing you.
  • Aggregate reports are the only way to safely move from p=none to p=quarantine and p=reject without breaking legitimate mail flow.

DMARC aggregate reports are the diagnostic data that nobody reads until they have a deliverability fire. Once you understand what they contain, the daily XML files become the most useful operational data your domain produces. Each XML file lists every IP that sent mail claiming to be your domain in the previous 24 hours, whether the message passed SPF and DKIM, whether those results aligned with the From header, and what disposition the receiving mail server applied. This guide covers the XML structure, what each field actually means, how to identify the three categories of senders in your reports, and how to use the data to safely reach DMARC enforcement.

The 2024 Gmail and Yahoo bulk sender requirements made DMARC monitoring non-optional for anyone sending more than 5,000 messages per day. The requirements specify that aggregate reporting must be enabled, which means publishing a rua= address in your DMARC record and consuming the data that arrives.

The Anatomy of an Aggregate Report

Each aggregate report is an XML file emailed daily by Gmail, Outlook, Yahoo, Apple Mail, and the long tail of smaller mailbox providers. The top of the file contains report metadata: the receiving provider name, the report ID, the date range covered, and the policy your domain published at the time the report was generated.

The body contains a series of record blocks, one per source IP. Each record reports the IP address, the message count, the SPF result, the DKIM result, whether each aligned with the From header, and the disposition the receiver applied. Disposition is one of three values: none (delivered normally), quarantine (sent to spam), or reject (refused at the SMTP layer).

The XML structure looks intimidating. The interpretation is simple once you read a dozen reports. Each record is one IP, one day, one SPF result, one DKIM result. Group the records by source IP and you have a picture of every server in the world sending mail as your domain.

Pro Tip: Start by aggregating a week of reports into a single view grouped by source IP. The daily files individually are noisy. The weekly view tells you which sources are consistent, which are intermittent misconfigurations, and which are unauthorized.

The Three Sender Categories

Every IP in your reports falls into one of three categories. The categorization is the first job after parsing.

Authorized and aligned. These are servers you control or have authorized to send: your primary mail server, your transactional ESP (SendGrid, Postmark, Mailgun), your marketing platform (Mailchimp, Klaviyo, Iterable), and any other vendor signing with your DKIM keys. Authorized senders show SPF pass, DKIM pass, and alignment yes. The volume here is whatever it is. The pass rate is what matters.

Misconfigured. These are servers you authorized that are not aligning correctly. The most common cases are an ESP signing with the wrong DKIM selector, a mail server with SPF includes that exceed the 10-lookup limit, or a forwarding service that breaks SPF without DKIM compensation. The mail volume is real and the sender is legitimate, but the configuration is wrong. Misconfigured senders are the most common cause of legitimate mail failing DMARC after a move to p=quarantine.

Unauthorized. These are servers sending mail as your domain that you do not control: phishers spoofing your brand, compromised hosts running scripts, or third parties forging your domain in marketing campaigns. Unauthorized senders should fail both SPF and DKIM and show alignment no. With p=quarantine or p=reject, these messages get suppressed. With p=none, they reach inboxes and damage your sender reputation.

Healthy DMARC pass rates sit at 99% or higher across aggregate reports. Source: DMARC adoption benchmarks, 2025

How to Move From p=none to p=quarantine

DMARC enforcement happens in three policy stages: monitoring (p=none), partial enforcement (p=quarantine), and full enforcement (p=reject). The journey from monitoring to enforcement is what most senders never complete. Aggregate reports are the only way to make the journey without breaking legitimate mail flow.

The rough sequence is: publish DMARC at p=none with a rua= address, collect 30 days of reports, identify and fix every misconfigured sender, document every authorized sender, then move to p=quarantine with pct=10 to start. Watch reports for two weeks. If legitimate mail is still passing at 99 percent or higher, raise to pct=50, then pct=100. After another two weeks at p=quarantine pct=100, move to p=reject.

The timeline is roughly 60 to 90 days for a typical domain. The work is in interpreting the reports correctly during each transition. Skipping the report review and going straight to p=quarantine is the most common cause of legitimate mail breakage during DMARC enforcement.


Reading Reports Without a Paid Tool

Aggregate reports arrive as compressed XML attached to email. Open the file and you have a parseable XML document. Common open-source tools handle the parsing: parsedmarc is the Python reference implementation and produces output that can be loaded into Elasticsearch or Grafana for dashboarding.

For one-off analysis, free dashboards exist that accept individual XML files and parse them into readable tables. For ongoing monitoring, the parseable XML is straightforward enough that a 50-line script in any language can produce a daily summary report. The decision is how much engineering time you want to spend versus how much value the structured data adds.
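One way to script the parsing, per-IP grouping and three-way categorization described under The Three Sender Categories and in the paragraph above, as an added example (not code from parsedmarc or from this article's author). The sample report, its IPs and domain, the `KNOWN_SENDERS` inventory and the function names are all constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report, trimmed to the fields used below.
SAMPLE = b"""<feedback>
<report_metadata><org_name>receiver.example</org_name><report_id>constructed-1</report_id></report_metadata>
<policy_published><domain>example.com</domain><p>none</p></policy_published>
<record><row><source_ip>192.0.2.10</source_ip><count>980</count>
<policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
<record><row><source_ip>198.51.100.7</source_ip><count>15</count>
<policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
<record><row><source_ip>203.0.113.99</source_ip><count>5</count>
<policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

# Assumption: a hand-maintained inventory of the IPs you have authorized to send.
KNOWN_SENDERS = {"192.0.2.10", "198.51.100.7"}

def parse_report(xml_bytes):
    """Yield (source_ip, message_count, dmarc_pass) for each record in one report."""
    # Reports arrive from outside parties: refuse DTDs so entity-expansion
    # payloads never reach the XML parser.
    if b"<!DOCTYPE" in xml_bytes:
        raise ValueError("DTD not allowed in an aggregate report")
    root = ET.fromstring(xml_bytes)
    # "{*}" matches the tag with or without an XML namespace (Python 3.8+).
    for row in root.findall(".//{*}row"):
        ev = row.find("{*}policy_evaluated")
        # policy_evaluated carries the aligned results; DMARC passes if either passes.
        passed = "pass" in (ev.findtext("{*}dkim"), ev.findtext("{*}spf"))
        yield row.findtext("{*}source_ip"), int(row.findtext("{*}count")), passed

def summarize(reports, known=KNOWN_SENDERS):
    """Merge reports by source IP; return ({ip: category}, aggregate pass rate in %)."""
    totals = defaultdict(lambda: [0, 0])  # ip -> [passed, failed] message counts
    for xml_bytes in reports:
        for ip, count, passed in parse_report(xml_bytes):
            totals[ip][0 if passed else 1] += count
    categories = {
        ip: "aligned" if failed == 0 else "misconfigured" if ip in known else "unauthorized"
        for ip, (_, failed) in totals.items()
    }
    ok = sum(p for p, _ in totals.values())
    sent = sum(p + f for p, f in totals.values())
    return categories, (round(100 * ok / sent, 2) if sent else 0.0)

if __name__ == "__main__":
    print(summarize([SAMPLE]))
```

Pass a week of report files to `summarize` to get the weekly per-IP view; for untrusted input at volume, a hardened parser such as defusedxml is a more complete control than the DOCTYPE check.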

Most senders do not need a paid platform. The XML is the data, the daily volume is manageable, and the categorization is simple enough to script. Where paid platforms add value is correlation across months and AI-assisted explanation of anomalies, both of which become valuable at the scale where misconfiguration is constant.

What Aggregate Reports Cannot Tell You

Aggregate reports cover SPF, DKIM, and alignment. They do not cover message content, recipient engagement, or the deeper reputation signals that determine inbox placement after DMARC has been satisfied. A domain with 100 percent DMARC pass rate and high complaint volume still has a deliverability problem, just not a DMARC one.

The complement to DMARC monitoring is list quality monitoring. Most reputation problems trace back to hard bounces and spam trap hits, not authentication failures. The email verification API validates addresses before send and reduces the bounce volume that aggregate reports cannot help with. Pair DMARC enforcement with the bulk flow described in the email verification API documentation for the cleanest possible sending posture.

For real-time validation at the signup form and for spot checks during reputation investigations, use the free email verification tool. The bulk endpoint processes large lists for quarterly hygiene runs at $0.001 per address.

Best Practice: Treat DMARC monitoring and email verification as complementary disciplines. DMARC catches identity problems. Verification catches list problems. Most deliverability incidents have one of each, and resolving them requires both data sources.

Frequently Asked Questions

How often are DMARC aggregate reports sent?

Daily, in 24-hour windows. Major providers (Gmail, Outlook, Yahoo, Apple) send reliably. Smaller providers send irregularly or not at all. A high-volume domain typically receives 20 to 80 reports per day across all reporting receivers.

What is a good DMARC pass rate?

99 percent or higher across aggregate reports. Anything below 99 percent indicates legitimate mail failing alignment, which gets quarantined or rejected once you move past p=none. Pass rates below 95 percent require investigation before any policy change.

Can I read DMARC reports without a paid tool?

Yes. The XML is parseable with open-source tools like parsedmarc or a short script in any language. Paid platforms add convenience and dashboards but the raw data is the same.

Does DMARC enforcement improve deliverability directly?

Yes, but indirectly. DMARC enforcement reduces spoofing of your domain, which protects your reputation from third-party damage. Mailbox providers also treat domains with p=quarantine or p=reject more favorably than p=none. The deliverability improvement is compound rather than immediate.