RedScore.ai

Email Security · Updated 2026-05-02

DMARC Reporting (rua)

rua= sends DMARC aggregate reports to a mailbox you designate. Without it, your DMARC policy runs blind. Add a rua= destination.

DMARC aggregate reports (rua=) are XML summaries that participating receivers (Gmail, Microsoft, Yahoo, etc.) send to a mailbox you designate, listing every IP that sent mail "from" your domain along with whether SPF and DKIM passed. Without rua=, your DMARC policy runs blind: you cannot see who is spoofing you, whether your legitimate senders pass alignment, or whether your policy is breaking real mail. RedScore passes only when rua= is present on the DMARC record.

This check only runs when your domain has a non-null MX. If you have only a null MX or no MX, it shows as not applicable rather than failing.

How the verdict maps to evidence

  • Pass: a v=DMARC1 record exists with at least one rua=mailto:... destination.
  • Warn: a DMARC record exists but rua= is not set.
  • Fail: no DMARC record at _dmarc.yourdomain.tld.

Fail: no DMARC record

If you have no DMARC at all, fix that first. The DMARC Policy Enforcement guide walks through publishing a record. The reporting check passes naturally once your DMARC record includes rua=.

Warn: DMARC exists but no rua=

Add a rua= tag pointing at a mailbox you control. The mailbox can be on the same domain or a different one (subject to authorization, see below).

Choosing a reporting destination

Three reasonable options:

  • Self-hosted parser. Point rua= at a mailbox like dmarc@yourdomain.tld and run a parser that ingests the XML attachments. Open-source options exist (parsedmarc, dmarc-srg). Best for teams with engineering capacity to maintain a parser.
  • Managed service. Use a hosted DMARC reporting platform (dmarcian, Postmark DMARC Digests, EasyDMARC, Valimail, Red Sift OnDMARC). They give you a forwarding address like xxxx@<service>.com to put in rua= and provide a dashboard. Most have a free tier suitable for a single domain.
  • Both. Point rua= at multiple destinations: a managed dashboard for daily review plus a self-hosted archive for long-term retention. Comma-separate the addresses.

DMARC record with rua= (single destination)

_dmarc.yourdomain.tld.   IN  TXT  "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@yourdomain.tld; adkim=s; aspf=s"

DMARC record with multiple rua= destinations

_dmarc.yourdomain.tld.   IN  TXT  "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@yourdomain.tld,mailto:abc123@dmarc.postmarkapp.com; adkim=s; aspf=s"

Cross-domain reporting authorization

If your rua= address is on a different domain (typical with managed services), the destination domain must publish a DMARC reporting authorization record so receivers know to send reports there. Most managed services pre-authorize their domain for all customers, so you do not need to do this. If you self-host the destination on a different domain, publish:

Cross-domain authorization at the destination domain

yourdomain.tld._report._dmarc.destdomain.tld.   IN  TXT  "v=DMARC1"

Without this record, receivers will refuse to send reports cross-domain (RFC 7489 section 7.1).

Verify the fix

  • Run dig +short TXT _dmarc.yourdomain.tld @1.1.1.1 and confirm rua=mailto:... appears in the record.
  • Wait 24 to 48 hours for the first wave of reports. Major receivers (Gmail, Microsoft, Yahoo) send daily.
  • Open the destination mailbox or dashboard and confirm reports are arriving with non-zero traffic counts. If your domain has mail traffic but no reports show up, check for typos in the mailto address or for bounces from your inbound mail provider.
  • Re-run the RedScore lookup.
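
The verdict mapping and the cross-domain authorization rule above can be checked offline against the TXT strings that dig returns. The following is an added example, not RedScore's own code; the function names are hypothetical, and "same domain" is simplified to an exact or subdomain match rather than a full Organizational Domain comparison.

```python
"""Offline DMARC rua= check: verdict plus cross-domain authorization names."""

def parse_dmarc(txt):
    """Return the tag dict of a DMARC TXT value, or None if it is not v=DMARC1."""
    parts = [p.split("=", 1) for p in txt.strip().strip('"').split(";") if "=" in p]
    pairs = [(k.strip().lower(), v.strip()) for k, v in parts]
    # The version tag has to come first and read exactly DMARC1.
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return None
    return dict(pairs)

def rua_destinations(tags):
    """Mailboxes listed in rua=, without the optional !size limit suffix."""
    dests = []
    for uri in tags.get("rua", "").split(","):
        uri = uri.strip()
        if uri.lower().startswith("mailto:") and "@" in uri:
            dests.append(uri[len("mailto:"):].split("!", 1)[0])
    return dests

def verdict(txt_records):
    """Pass / Warn / Fail per the mapping on this page, plus the destinations."""
    records = [t for t in map(parse_dmarc, txt_records) if t]
    if not records:
        return "Fail", []
    dests = rua_destinations(records[0])  # sketch: only the first record is read
    return ("Pass" if dests else "Warn"), dests

def authorization_names(domain, dests):
    """TXT names the destination domains must publish for external mailboxes."""
    domain = domain.lower().rstrip(".")
    names = []
    for addr in dests:
        host = addr.rsplit("@", 1)[1].lower().rstrip(".")
        # Assumption: "same domain" means the host equals or sits under `domain`;
        # a full check compares Organizational Domains instead.
        if host != domain and not host.endswith("." + domain):
            names.append(f"{domain}._report._dmarc.{host}.")
    return names

# Constructed input: the multi-destination record shown earlier on this page.
SAMPLE = ('"v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@yourdomain.tld,'
          'mailto:abc123@dmarc.postmarkapp.com; adkim=s; aspf=s"')

if __name__ == "__main__":
    result, dests = verdict([SAMPLE])
    print(result, dests)
    for name in authorization_names("yourdomain.tld", dests):
        print("dig +short TXT", name)
```

Each printed name is a lookup to run for an external destination; a reply of "v=DMARC1" means that destination has authorized reports for your domain.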

Common pitfalls

  • Reporting address on a non-DMARC-compliant domain. Some receivers refuse to send rua reports to mailboxes on domains that themselves fail DMARC. Use a domain that passes DMARC for the reporting mailbox.
  • rua= but no parsing pipeline. Raw XML reports are unreadable by humans and pile up fast. Pick a service or set up a parser before you need to look at the data.
  • Forgetting cross-domain authorization. If you self-host on a separate domain, the destination domain needs a _report._dmarc TXT record (see above). Managed services usually handle this for you.
  • Setting ruf= as well. Forensic reports are largely deprecated by major receivers for privacy reasons. Skip ruf= unless your reporting platform asks for it.
  • Mailbox capacity. A high-traffic domain can receive thousands of reports per day. Make sure your reporting mailbox has the storage and an automated archive policy.
  • Typos in the rua address. A typo means you are publishing a DMARC policy with no actual reporting destination, which fails this check the same as no rua= at all.
