I have a client that's receiving DMARC reports from various providers; however, the reports indicate that all checks 'PASS', and all DMARC/DKIM/SPF checking tools indicate the DMARC records are fine. The reports are in XML format and zipped up. Is there any easy way to tell the difference between rua and ruf reports? Are ruf reports delivered in a zip file like rua reports? My client believes that since he is receiving reports not at the exact same time every day, they can't be rua reports; however, I'm not so sure.
Any help would be appreciated 🙂
Best Answer
Providers send aggregate reports at varying times. Many come at midnight UTC, but some providers like Microsoft often send hourly reports. Forensic reports come in neartime, usually about 5-10 minutes after the failing message hit the ISP's front end inbound mailers.
You can tell RUA and RUF reports apart pretty easily. An aggregate, or RUA, report typically starts like:
while a forensic, or RUF, report generally starts like:
You will also notice that an RUA report has (often gzipped) XML as an attachment, while the attachment for a RUF report is actual MIME. Few people try to manually read or verify either type of report. Services like Agari and Dmarcian are specifically built to interpret DMARC reporting.
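The attachment difference described in the answer above can be checked mechanically. The following is an added example, not part of the original answer: it treats a message carrying a `message/feedback-report` MIME part (the ARF format used for failure reports) as ruf, and a message whose zip, gzip or plain attachment parses to XML with a `feedback` root element (the RFC 7489 aggregate schema) as rua. The function names, the `MAX_XML` limit and both sample messages are assumptions constructed for illustration.

```python
import base64, email, gzip, io, zipfile, zlib
import xml.etree.ElementTree as ET

MAX_XML = 10 * 1024 * 1024  # assumed cap on decompressed report size
FIELDS = ("source_ip", "count", "policy_evaluated/dkim", "policy_evaluated/spf")
_BAD = (ET.ParseError, zipfile.BadZipFile, zlib.error, OSError, EOFError, IndexError, ValueError)

def _extract_xml(data):
    """Unwrap a zip or gzip attachment (detected by magic bytes) into XML bytes."""
    if data[:2] == b"PK":
        with zipfile.ZipFile(io.BytesIO(data)) as zf, zf.open(zf.infolist()[0]) as fh:
            data = fh.read(MAX_XML + 1)
    elif data[:2] == b"\x1f\x8b":
        data = gzip.GzipFile(fileobj=io.BytesIO(data)).read(MAX_XML + 1)
    if len(data) > MAX_XML or b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        raise ValueError("oversized or carries a DTD: refuse to parse")
    return data

def classify_dmarc_report(raw):
    """Return ("ruf", feedback_type), ("rua", rows) or ("unknown", None)."""
    msg = email.message_from_bytes(raw)
    for part in msg.walk():
        # Failure (ruf) reports are ARF: they carry a message/feedback-report part.
        if part.get_content_type() == "message/feedback-report":
            fields = part.get_payload(0) if part.is_multipart() else part
            return "ruf", fields.get("Feedback-Type")
    for part in msg.walk():
        if part.is_multipart():
            continue
        try:
            root = ET.fromstring(_extract_xml(part.get_payload(decode=True) or b""))
        except _BAD:
            continue  # not a readable XML attachment
        for el in root.iter():  # some reporters namespace the schema; strip it
            el.tag = el.tag.rsplit("}", 1)[-1]
        if root.tag == "feedback":  # root element of an aggregate (rua) report
            return "rua", [tuple(r.findtext("row/" + f) for f in FIELDS)
                           for r in root.iter("record")]
    return "unknown", None

# Constructed samples (not real reports), trimmed to what the classifier reads.
_XML = (b"<feedback><record><row><source_ip>192.0.2.10</source_ip><count>3</count>"
        b"<policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record></feedback>")
SAMPLE_RUA = (b"Content-Type: application/gzip\r\nContent-Transfer-Encoding: base64\r\n\r\n"
              + base64.b64encode(gzip.compress(_XML)))
SAMPLE_RUF = (b"Content-Type: multipart/report; report-type=feedback-report; boundary=b\r\n\r\n"
              b"--b\r\nContent-Type: text/plain\r\n\r\nfailure report\r\n"
              b"--b\r\nContent-Type: message/feedback-report\r\n\r\n"
              b"Feedback-Type: auth-failure\r\n\r\n--b--\r\n")
```

Each row returned for an aggregate report is `(source_ip, count, dkim, spf)` as strings, so a mailbox of saved reports can be sorted by type and scanned for any row that is not `pass`.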