Introduction

A DMARC record can look valid while the reporting mailbox stays completely empty. That usually means the policy is published but the aggregate report destination is misconfigured, unauthorized, or unable to receive the report traffic. Without those rua reports, teams lose visibility into who is sending on behalf of the domain and whether alignment is actually working. The fix is to validate both the DMARC record and the mailbox path that report senders must trust.

Symptoms

  • The DMARC record is live, but no aggregate reports arrive
  • Reporting used to work and then stopped after a DNS or mail change
  • The rua mailbox is on a different domain than the one being monitored
  • Mailboxes receive normal mail but no XML aggregate reports
  • The team cannot confirm whether DMARC enforcement is helping or hurting delivery

Common Causes

  • The rua tag syntax is malformed or points to the wrong mailbox
  • External report destinations are missing required authorization records
  • The destination mailbox rejects large attachments or automated report traffic
  • DNS changes were published on one provider but not the authoritative zone
  • The domain owner expected instant reports even though senders report on their own schedule

Step-by-Step Fix

  1. Review the live DMARC TXT record exactly as published and verify the rua tag uses the intended mailbox syntax.
  2. If reports are sent to a different domain, confirm the external destination authorization record exists and matches the reporting mailbox path.
  3. Check that the destination mailbox is active, monitored, and able to receive large compressed XML report attachments.
  4. Verify there is no mail filtering, forwarding rule, or security policy silently discarding automated DMARC reports.
  5. Confirm the DNS changes were applied at the authoritative provider rather than only in a stale dashboard or local notes.
  6. Wait for a reasonable reporting window, because aggregate reports are not sent instantly and vary by sender.
  7. Compare the domain’s recent mail volume and sender mix so you know whether enough traffic exists to trigger reports.
  8. Test mailbox ownership, aliases, and MX routing if the rua address was recently changed or migrated.
  9. Keep DMARC reporting configuration documented so future DNS or mailbox migrations do not break your visibility again.