Defaults.Exposed

Defaults.Exposed › Reports

Publishing Blind: Most DMARC Records Ask for No Reports

Published 2026-07-03 · updated 2026-07-03

Figures as of 2026-06-29 · methodology v7. Census data across every domain publishing a parseable DMARC record, deduped per domain. rua= presence is measured across all records, so its exact overlap with any single policy is not derivable — where this article makes claims about that overlap, it states bounds, never exact cross-tabs. All figures are aggregate — we never publish an individual business’s grade.

Most DMARC records are not watching

Of the 65 million domains that publish a DMARC record, only 23 million — 35.7% — include the rua= tag that requests aggregate reports. The other 64.3% are publishing blind: a policy is on the record, but nobody asked to be told what’s happening under it. That is 42 million domains with a DMARC record that cannot show them anything.

A DMARC record without reporting is a doorbell with no one home. Mail receivers dutifully check every message against it — and their findings, the list of everyone sending as your domain, go nowhere. The mechanism works; the owner just isn’t listening.

What rua= actually does

DMARC has two halves. The policy half (p=none, quarantine or reject) tells receivers what to do with mail that fails authentication. The reporting half — the rua= tag, a mailbox address — asks receivers to send you daily aggregate reports: which servers sent as your domain, how much mail, and whether it passed SPF and DKIM.

That second half is the entire feedback loop. Reports are how you discover the newsletter platform nobody documented, the invoicing tool marketing connected, the shadow sender in another region — before you enforce and break them. Without rua=, none of that intelligence ever reaches you. Adding it costs one DNS edit: append rua=mailto:[email protected] (or a monitoring service’s address) to the existing record.

The gap between Stages 2 and 3: published and blind

In the six stages of DMARC maturity, Stage 3 — Observing — begins when DMARC is published and aggregate reports are flowing. A record with no rua= doesn’t qualify. It sits in the gap between Stages 2 and 3 — published and blind — a place the model deliberately leaves without a number of its own.

This matters because every stage after it depends on the reports. You cannot identify your senders (Stage 4) from reports you never receive; you cannot enforce safely (Stage 5) without knowing your senders. A blind record isn’t an early step on the journey — it’s a layby just off it. And the census suggests most record-holders are parked there or nearby: 57.5% of all DMARC records never reach enforcement.

Worse than useless, because it feels like progress

A missing DMARC record at least looks like what it is: a gap. A blind one looks like a tick. Someone ran a compliance checklist, or a deliverability guide, or a one-line fix from a vendor — published v=DMARC1; p=none — and the scanner went green. The organisation now feels further along than the organisation with no record at all, while being functionally in the same place: no visibility, no enforcement, no path to either.

The consequence is quiet and cumulative. Blind records don’t fail loudly; they just never generate the evidence that would justify the next move. Years later the record still says p=none, nobody can say which senders are legitimate, and enforcing feels riskier than ever — precisely because no reports were ever collected.

What the census can and can’t say

Because rua= presence is measured across all 65 million records — not cross-tabbed per policy — the exact number of p=none records that are also blind isn’t derivable from these marginals. The bounds are still stark. 37 million records (57.4% of record-holders) sit at p=none; only 23 million records in the entire census request reports. So at most 23 million of those p=none records can be receiving reports — and at least 14 million of them definitely are not, even if every reporting address in the census belonged to a p=none domain. However the overlap actually falls, millions of domains are sitting at “monitoring mode” with the monitor unplugged.

The one-edit fix

If your DMARC record has no rua= tag, the fix is a single DNS change and it is safe at any policy level:

  1. Choose a reporting destination — a mailbox you’ll actually process, or a free/paid DMARC monitoring service that turns the XML into something readable.
  2. Append it to the record: v=DMARC1; p=none; rua=mailto:[email protected]. If the destination is a different domain, that domain must authorise receiving your reports (a small extra DNS record on its side).
  3. Wait a few days, then read. Reports arrive daily from major receivers. What they show — every source sending as your domain — is the map for the rest of the journey.

Then the record stops being furniture and starts being an instrument. (Fix DMARC →.)

Frequently asked questions

What is a DMARC rua report? An aggregate XML report that participating mail receivers send (typically daily) to the address in your record’s rua= tag, summarising which sources sent mail as your domain and whether it passed SPF and DKIM alignment. It contains no message content — sender infrastructure and pass/fail counts only.

Is DMARC without rua worthless? Not worthless — an enforcing policy still blocks spoofing without it. But at p=none, a record without rua= blocks nothing and shows you nothing — its only remaining job is ticking the mailbox providers’ minimum-requirement box. And even enforcing domains without reporting lose the drift-detection that keeps enforcement safe as new senders appear. p=none is not protection either way — without reports it isn’t even preparation.

Can rua= point to any mailbox? Yes, including one on a different domain — most monitoring services work exactly that way. The receiving domain publishes a small verification record authorising your reports. What matters is that something actually processes the XML; a mailbox nobody reads is blindness with extra steps.

Do aggregate reports expose private data? No. rua aggregate reports carry sending-source and authentication statistics, not message bodies or recipient lists. (The separate ruf= failure reports can contain message fragments, which is why many receivers no longer send them — rua is the one that matters.)

Check whether your record is watching

A DMARC record that asks for no reports is one of the easiest findings to fix on the entire journey — one DNS edit turns blind into Observing. You can check privately and free, and see which of the 34 checks you pass and how to fix the ones you don’t.

Check your domain → · The 6 stages of DMARC maturity → · The DMARC pillar → · Aggregate data only. Data stored and processed in the EU.