How can you tell the difference between rua and ruf DMARC reports?

Providers send aggregate reports at varying times. Many come at midnight UTC, but some providers like Microsoft often send hourly reports. Forensic reports come in near real time, usually about 5-10 minutes after the failing message hit the ISP's front end inbound mailers.

You can tell RUA and RUF reports apart pretty easily. An aggregate, or RUA, report typically starts like:

--report_section
Content-Type: text/plain;

This is a DMARC aggregate report for yourdomain.com
generated at Mon Mar 23 03:53:50 UTC 2015

while a forensic, or RUF, report generally starts like:

--61204608-60BE-4D26-9E07-F450C5B0D826
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit

This is an email abuse report for an email message received from IP 10.10.10.10 on Mon Mar 23 04:01:02 UTC 2015.
The message below did not meet the sending domain's authentication policy.
For more information about this format please see http://www.ietf.org/rfc/rfc5965.txt.

--61204608-60BE-4D26-9E07-F450C5B0D826
Content-Type: message/feedback-report

You will also notice that an RUA report has (often gzipped) XML as an attachment, while the attachment for a RUF report is actual MIME. Few people try to manually read or verify either type of report. Services like Agari and Dmarcian are specifically built to interpret DMARC reporting.
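The structural difference described in this answer can be checked mechanically. The following is an added example, not part of the original answer: it classifies a raw message by its MIME parts. The function names and both sample messages are constructed for illustration, and zip-compressed aggregate reports are not handled.

```python
import gzip
import io
import zlib
from email import message_from_bytes, policy
from email.message import EmailMessage

MAX_XML = 1_000_000  # cap on decompressed bytes read from an untrusted attachment
def classify_dmarc_report(raw: bytes) -> dict:
    """Return kind 'ruf', 'rua' or 'unknown' for one raw message, from its MIME parts."""
    for part in message_from_bytes(raw, policy=policy.default).walk():
        ctype = part.get_content_type()
        if ctype == "message/feedback-report":  # RFC 5965 part: forensic (RUF)
            fields = part.get_payload()[0]      # its body parses as a header block
            return {"kind": "ruf", "feedback_type": str(fields["Feedback-Type"]),
                    "source_ip": str(fields["Source-IP"])}
        name = (part.get_filename() or "").lower()
        if ctype != "application/gzip" and not name.endswith(".gz"):
            continue
        try:  # bounded read, so a gzip bomb cannot exhaust memory
            blob = part.get_payload(decode=True)
            xml = gzip.GzipFile(fileobj=io.BytesIO(blob)).read(MAX_XML)
        except (OSError, EOFError, zlib.error):
            continue  # not valid gzip: keep checking the remaining parts
        if b"<feedback" in xml:  # root element of the aggregate (RUA) XML
            return {"kind": "rua", "xml_bytes": len(xml)}
    return {"kind": "unknown"}

# Constructed forensic sample, shaped like the RUF excerpt quoted above.
SAMPLE_RUF = b"""Content-Type: multipart/report; report-type=feedback-report; boundary="b1"

--b1
Content-Type: text/plain

This is an email abuse report (constructed sample).
--b1
Content-Type: message/feedback-report

Feedback-Type: auth-failure
Source-IP: 10.10.10.10
--b1--
"""

SAMPLE_XML = b"<?xml version='1.0'?><feedback></feedback>"  # constructed

def sample_rua() -> bytes:
    m = EmailMessage()
    m.set_content("This is a DMARC aggregate report for yourdomain.com")
    m.add_attachment(gzip.compress(SAMPLE_XML), maintype="application",
                     subtype="gzip", filename="constructed.xml.gz")
    return m.as_bytes()
```

Classifying on MIME structure rather than on the human-readable first line keeps the check working when a provider words its cover text differently.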


To provide more information on @cmeid's great answer: if possible, one can also provide a different email address for each of the two report types in the DMARC DNS record (TXT):

_dmarc.example.com TXT "v=DMARC1; p=none; pct=100; rua=mailto:[email protected]; ruf=mailto:[email protected]"

This can help greatly in filtering those two from each other.