Reference

Understanding aggregate (RUA) reports

What DMARC aggregate reports contain, where they come from, and how Blankitt turns them into the insights you see across the app.

2 min readLast updated 14 June 2026
Jump to section

Aggregate reports — referred to in a DMARC record as RUA (Reporting URI for Aggregate data) — are the backbone of DMARC monitoring. Almost everything you see in Blankitt DMARC is built from them.

What an aggregate report is

An aggregate report is an XML file sent by a mailbox provider (Google, Microsoft, Yahoo and many others) summarising the mail they received that claimed to be from your domain. Reports are usually generated once a day and are compressed (.gz or .zip).

Crucially, aggregate reports contain no message content and no recipient addresses. They are statistical summaries — counts of messages grouped by sending IP and authentication result. They are safe to collect at scale and are how you map who is sending mail "as" your domain.

What's inside

Each report lists, per sending source:

  • The source IP address that sent the mail.
  • The message count from that source.
  • The From: (header) domain the mail claimed to be from.
  • The disposition the receiver applied (none / quarantine / reject), based on your published policy.
  • SPF result and DKIM result, and — most importantly — whether each was aligned with the From: domain.

Alignment is the key field. A message can pass raw SPF or DKIM yet still fail DMARC if neither result is aligned with the From: domain. That mismatch is the single most common cause of unexpected failures, and aggregate reports are how you find it.

How reports reach Blankitt

There are three ways to get aggregate reports into your account:

  1. Direct ingest (recommended). Every tenant gets a unique inbound address of the form <token>@rua.blankitt.com, shown in Settings. Publish it as the rua= target in your domain's _dmarc TXT record and providers will send reports straight to us:
_dmarc.example.com. TXT "v=DMARC1; p=none; rua=mailto:<token>@rua.blankitt.com"

  1. Mailbox sync. If reports already arrive in a Microsoft 365 or Google Workspace mailbox, connect it under Settings → Mailbox sync and we import them on your chosen schedule (from every hour up to once a day).

  2. Manual upload. Drop .xml, .gz, or .zip report files onto the Reports page at any time.

How Blankitt uses them

Once ingested, Blankitt parses every report and turns the raw XML into the views you actually use:

  • Dashboard — pass/fail totals and trends.
  • Offenders — sending sources failing DMARC, with vendor attribution.
  • Domain detail — compliance grade, scorecard, source-IP breakdown with alignment percentages, and the Policy Progression Wizard.

You rarely need to read the raw XML yourself — but knowing what it contains explains why alignment, not just "pass/fail", drives every recommendation in the product.

Aggregate vs. forensic

Aggregate (RUA) reports are summaries and are what you should rely on day to day. Forensic (RUF) reports are per-message failure samples and are far less commonly sent by providers — see the separate article on forensic reports for the detail and the privacy caveats.

Still stuck? Email support or open the support widget in the bottom-right.