How do mail receivers know where to send DMARC aggregate and forensic reports?

A mail receiver takes the domain found in the From header of an email and looks up the DMARC reporting requests for that domain. It reads the RUA and RUF tags it finds and runs an authorization check to confirm that the domains specified as report receivers (in the mailto: addresses) have authorized (agreed) to receive reports for this From domain.

Report authorization applies when a sending domain specifies a different domain (in its RUA and RUF tags) as the destination for reports. The destination domain (the report receiver) has to have a record which essentially says “yes, I can receive reports on behalf of the sending domain.” If this authorization record does not exist on the report receiver's side, then reports should not be sent to that domain.
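The check described above, sketched as an added example (not code from the original page). It assumes the authorization record name defined in RFC 7489, section 7.1, `<sending-domain>._report._dmarc.<report-domain>`, replaces DNS with a dictionary of constructed sample records so it runs offline, and compares plain domain names instead of Organizational Domains.

```python
# Added example: DMARC external report-destination check (RFC 7489, section 7.1).
# All domains and TXT records below are constructed sample data, not real DNS.

SAMPLE_TXT = {  # stands in for DNS TXT lookups so the example runs offline
    "_dmarc.sender.example": "v=DMARC1; p=none; rua=mailto:agg@reports.example!10m,"
                             "mailto:dmarc@sender.example; ruf=mailto:fail@unrelated.example",
    "sender.example._report._dmarc.reports.example": "v=DMARC1",
}


def parse_tags(record):
    """Split a DMARC TXT record into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags


def report_domains(tag_value):
    """Yield (uri, domain) for each mailto: URI in an rua/ruf value."""
    for uri in tag_value.split(","):
        uri = uri.strip()
        if uri.lower().startswith("mailto:"):
            address = uri[len("mailto:"):].split("!", 1)[0]  # drop size limit such as !10m
            yield uri, address.rsplit("@", 1)[-1].lower()


def authorized_destinations(from_domain, txt=SAMPLE_TXT):
    """Return {tag: [uris]} for destinations a receiver may report to."""
    from_domain = from_domain.lower()
    policy = parse_tags(txt.get("_dmarc." + from_domain, ""))
    allowed = {"rua": [], "ruf": []}
    for tag in allowed:
        for uri, dest in report_domains(policy.get(tag, "")):
            # Simplification: compares names, not Organizational Domains (needs the PSL).
            external = dest != from_domain and not dest.endswith("." + from_domain)
            answer = txt.get(f"{from_domain}._report._dmarc.{dest}", "")
            if not external or answer.replace(" ", "").lower().startswith("v=dmarc1"):
                allowed[tag].append(uri)
    return allowed


if __name__ == "__main__":
    print(authorized_destinations("sender.example"))
```

In the sample data, `unrelated.example` publishes no authorization record, so the RUF destination is dropped while both RUA destinations are kept.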

Aggregate reports are received every 24 hours and include the origination details of your emails: the source IP address your email was generated from, along with the results of your SPF and DKIM authentication. The information from aggregate reports is used to identify all your legitimate email sources and authorize them accordingly.

Forensic reports are received every time an email from your domain fails both authentication mechanisms, SPF and DKIM. They contain data indicating that there is an issue with a certain source, mailstream or sending IP. These reports are optional, and we cannot get reports for every failure.