DMARC Report Compliance with RFC 9990

Freddie Leeman -

With the publication of RFC 9990, DMARC aggregate reporting now has its own dedicated Standards Track RFC. At URIports, we validate incoming DMARC aggregate reports against this new RFC to identify missing required elements, invalid values, malformed data, and other compliance issues.

DMARC aggregate reports help domain owners understand who is sending mail on behalf of their domains, whether SPF and DKIM pass and align, and how their published DMARC policy affects real-world mail flow. Complete and accurate reports are essential for detecting misconfigurations, spotting unauthorized sending, and improving email authentication.

Because URIports processes millions of reports every day, we see a wide range of implementations. Some organizations send well-formed and complete reports. Others still send reports with missing fields, empty values, or incorrect data that make analysis less reliable.

The release of RFC 9990 is a good opportunity for report senders to review their implementations and improve interoperability.

Below is a real-time list of organizations from which we have received the most non-compliant DMARC aggregate reports over the past three days.

There should be a table here. Go to the full article if the table isn't visible.

A 0% compliance rate means every report we received from that organization during this period contained at least one validation error.

There should be a table here. Go to the full article if the table isn't visible.

Why compliance matters

DMARC reports are only useful when the data is complete and consistent. Missing identifiers, incomplete authentication results, invalid policy values, or malformed XML can force receivers to make assumptions, reducing the value of the report for domain owners.

RFC 9990 provides the current standard for DMARC aggregate reporting. URIports uses it as the basis for validating reports and highlighting where implementations deviate from the specification.

Our goal is not to shame individual engineering teams, but to improve the quality and interoperability of DMARC reporting. Many implementations have been running for years, and the publication of RFC 9990 is the right moment to bring them up to date.

Conclusion

As more domains adopt SPF, DKIM, and DMARC, the quality of aggregate reports becomes increasingly important. Standards-compliant reports help domain owners protect their domains, understand their mail flows, and make better policy decisions.

URIports will continue to validate DMARC aggregate reports against RFC 9990 and provide visibility into which report senders produce the most complete and compliant reports.