Rua or ruf?

I have an rua specified in my DMARC, and I get reports back showing that I am 100% compliant. But I get LOADS of such “Report Domain” xml reports, from MANY different servers every day or two. Stop already! I hesitate to remove my rua, in that I want to be informed if there are problems. But can I just switch to ruf? Will that then inform me ONLY if I have problems?

No. RUF is not advised as most reporters don’t send them, since they have potential privacy risks.

You say that you

You are supposed to! That is the whole point of DMARC. All reporters should send you aggregate reports that account for every email that had your domain in the RFC5322.MAILFROM.

Are you sending your DMARC reports to your personal inbox? That is an unmanageable plan that will either drive you mad or murder your inbox, if not both. They are meant to go to an email address that functions as an ingress to a reporting platform like dmarcian. Please don’t use personal mailboxes for RUA (or RUF). It is guaranteed to be a miserable experience (as it sounds like you may have discovered).

Well, I guess my point was that if everything is fine, why do I have to get notified that everything is fine by every server several times a week? Why can’t I just get notified if there is a problem? But that’s a fair point that I should have an alternate e-mail to use for the reports. That way, I never have to look at them.

Hello Dlass and welcome to the forums.

I understand your reaction. Getting a bunch of “everything’s fine” emails can definitely feel like noise. But the thing with DMARC reporting is that it’s designed to give all the data, not just the problems. That’s because what’s considered “a problem” isn’t always obvious to the receivers (the ones sending the reports). They don’t know your internal policies or which sources you’ve approved, so instead of trying to guess what’s expected, they just report everything. That is how the DMARC standard was designed.

Some things might look wrong from their side, like an email failing DMARC, but maybe you know it’s coming from a legacy system that isn’t DMARC-capable yet and you’re okay with it. Or the reverse: something might pass DMARC, but you know it’s not an authorized sender.

So the full reports are more like a data feed than a security alert system. It’s then up to whatever tool or process you’re using to collect and analyze those reports to flag what actually matters to you. Whether that’s showing only failures, highlighting unknown sources, or filtering out routine stuff, you can customize that on your end with the right features.

2 Likes
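The filtering described in the last reply (suppress routine rows, surface failures and unknown sources), as an added example that is not part of the original thread. The names `triage` and `APPROVED`, the approved network and the sample report are assumptions constructed for illustration; the report is assumed to be already decompressed and to use no XML namespace.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Assumption: networks you have approved to send as your domain (documentation range).
APPROVED = [ipaddress.ip_network("192.0.2.0/24")]

def _rec(ip, count, dkim, spf):
    # Builds one constructed <record> in the RFC 7489 aggregate-report layout.
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition><dkim>{dkim}</dkim>"
            f"<spf>{spf}</spf></policy_evaluated></row>"
            "<identifiers><header_from>example.com</header_from></identifiers></record>")

# Constructed sample report; every value here is made up for the example.
SAMPLE_REPORT = (
    "<feedback><report_metadata><org_name>receiver.example</org_name>"
    "<report_id>constructed-1</report_id></report_metadata>"
    "<policy_published><domain>example.com</domain><p>none</p></policy_published>"
    + _rec("192.0.2.10", 120, "pass", "pass")    # approved source, passes: routine
    + _rec("192.0.2.44", 2, "fail", "fail")      # approved source that fails (legacy system)
    + _rec("203.0.113.5", 8, "pass", "fail")     # passes DMARC but source is not approved
    + _rec("198.51.100.7", 3, "fail", "fail")    # unknown source failing DMARC
    + "</feedback>")

def triage(xml_text, approved=APPROVED):
    """Return only the report rows that need a human to look at them."""
    # Reports arrive from third parties: refuse DTDs/entities before parsing.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration in report; refusing to parse")
    root = ET.fromstring(xml_text)
    reporter = root.findtext("report_metadata/org_name", default="unknown")
    findings = []
    for rec in root.iter("record"):
        ip = ipaddress.ip_address(rec.findtext("row/source_ip").strip())
        count = int(rec.findtext("row/count", default="0"))
        ev = rec.find("row/policy_evaluated")
        # DMARC passes when either aligned DKIM or aligned SPF passes.
        dmarc_pass = "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        known = any(ip in net for net in approved)
        if dmarc_pass and known:
            continue  # routine traffic: suppress
        reason = ("fail" if not dmarc_pass else "pass") + ("/known" if known else "/unknown")
        findings.append((reporter, str(ip), count, reason))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_REPORT):
        print(finding)
```

Run against a mailbox dedicated to RUA, this leaves the "everything is fine" rows unreported while still keeping the approved-but-failing and passing-but-unapproved cases visible.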