Once you publish a DMARC record with a rua address, receiving providers send you daily aggregate reports. These reports are how you discover who is sending email as your domain - both your legitimate services and any spoofers - before you tighten your policy to reject. Here is how to use them.
Aggregate reports are XML files sent once a day by each major receiver. Each report lists the sending IP addresses that used your domain, how many messages each sent, and whether they passed SPF and DKIM with alignment. They do not contain message content - only authentication outcomes.
The XML is not meant for human reading. Feed the reports into a DMARC monitoring tool or dashboard that parses them and shows sources, volumes, and pass/fail rates in a readable table. This turns a pile of files into a clear picture of your mail flow.
Go through the sources the reports reveal. You will typically find a few legitimate ones - your mail server, a marketing platform, a helpdesk - and possibly unknown IPs sending as you. For each legitimate source that is failing, fix its authentication so it passes SPF or DKIM with alignment. Unknown sources that fail are usually spoofing attempts, which is exactly what DMARC will block once enforced.
Start at p=none (monitor only). Once the reports show all your legitimate mail passing, move to p=quarantine so failing mail goes to spam, and finally p=reject so spoofed mail is refused outright. Moving in stages ensures you never block your own legitimate email.
Even at reject, keep receiving reports. New services you add later need to be authorized, and the reports show you immediately if a legitimate source starts failing.
Our team sets up DMARC monitoring for domains on SoftSys managed VPS plans and guides the move from monitor to enforcement safely, so you stop spoofing without ever losing a legitimate message.