Implementing DMARC (Domain-based Message Authentication, Reporting, and Conformance) depends heavily on its reporting mechanism. By analyzing DMARC reports, you can bring the framework to full maturity on your domains.
There are two types of DMARC reports: aggregate reports and forensic reports. Email receivers send these reports to email senders so that the senders can analyze various aspects of their outbound emails.
Aggregate reports are received every 24 hours and include the origination details of your emails: the source IP address each email was generated from, along with the results of SPF and DKIM authentication. Email senders use these two mechanisms to authorize their email sources. The information in aggregate reports is used to identify all your legitimate email sources and authorize them accordingly.
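An added example (not from the original article) of the aggregate-report analysis described above: it totals messages per source IP by SPF and DKIM outcome and lists the sources whose mail failed both. Element names follow the aggregate report XML schema in RFC 7489; the sample report and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample aggregate report (documentation IP ranges); not real data.
SAMPLE_REPORT = b"""<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>192.0.2.10</source_ip><count>5</count>
    <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
    <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.55</source_ip><count>9</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def summarize_sources(report_xml: bytes) -> dict:
    """Total message counts per source IP, split by SPF/DKIM outcome."""
    # Reports come from external receivers, so treat them as untrusted input:
    # reject any DTD before parsing (cheap guard against entity expansion
    # in UTF-8/ASCII reports).
    if b"<!DOCTYPE" in report_xml or b"<!ENTITY" in report_xml:
        raise ValueError("DTD/entity declarations are not allowed in a report")
    root = ET.fromstring(report_xml)
    sources = defaultdict(
        lambda: {"total": 0, "spf_pass": 0, "dkim_pass": 0, "both_fail": 0})
    # "{*}" matches a tag in any namespace or none (Python 3.8+); some
    # reporters declare an XML namespace on <feedback>, others do not.
    for row in root.iterfind("{*}record/{*}row"):
        ip = row.findtext("{*}source_ip", "").strip()
        count = int(row.findtext("{*}count", "0"))
        spf = row.findtext("{*}policy_evaluated/{*}spf", "").strip().lower()
        dkim = row.findtext("{*}policy_evaluated/{*}dkim", "").strip().lower()
        stats = sources[ip]
        stats["total"] += count
        stats["spf_pass"] += count if spf == "pass" else 0
        stats["dkim_pass"] += count if dkim == "pass" else 0
        stats["both_fail"] += count if spf != "pass" and dkim != "pass" else 0
    return dict(sources)

def sources_to_review(summary: dict) -> list:
    """IPs with mail failing both checks: not-yet-authorized senders or spoofing."""
    return sorted(ip for ip, s in summary.items() if s["both_fail"] > 0)

if __name__ == "__main__":
    for ip, stats in summarize_sources(SAMPLE_REPORT).items():
        print(ip, stats)
```

Sources that pass at least one mechanism are candidates for your list of authorized senders; the ones returned by `sources_to_review` are the traffic that would generate forensic reports.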
Forensic reports are received every time an email from your domain fails both authentication mechanisms, SPF and DKIM. They are used for in-depth analysis of emails spoofing your domain, since these reports contain details of the spoofed email, e.g. the from address, the to address, the subject, and in some cases the header of the email. It is recommended to enable these reports only after analyzing aggregate reports and authorizing all your legitimate sources. This reduces noise, so that you receive forensic reports only for spoofed emails.
In summary, aggregate reports help you identify and authorize your legitimate emails, while forensic reports aid in analyzing spoofed emails and identifying attributes of the attack for takedown. Through these reports, the DMARC framework plays a significant role in eliminating various kinds of email impersonation fraud!