DMARC Forensic Reports (RUF): What They Are and Why Most Providers Don't Send Them

Understand DMARC forensic reports (RUF), how they differ from aggregate reports (RUA), why most providers don't send them, and what alternatives exist.

Email Authentication

DMARC supports two types of reports: aggregate reports (RUA) that summarize authentication results, and forensic reports (RUF) that provide details about individual failed messages. In theory, forensic reports help you investigate specific authentication failures. In practice, most mailbox providers don't send them.

Here's what forensic reports are, why they're rare, and what to use instead.

RUA vs RUF Reports

Aggregate (RUA)Forensic (RUF)
ContentSummary statistics — IP, volume, pass/fail countsIndividual message details — headers, sometimes partial body
FrequencyDaily (typically)Per-failure (immediately or batched)
Privacy concernLow — no personal dataHigh — contains message details and recipient info
Provider supportWidely supported (Gmail, Yahoo, Microsoft)Very limited (most providers don't send)
DMARC tagrua=mailto:...ruf=mailto:...
FormatXML (gzipped)ARF (Abuse Reporting Format) or IODEF

What Forensic Reports Contain

When a provider sends a forensic report, it includes details about a specific message that failed DMARC:

  • Message headers — From, To, Subject, Date, Received chain
  • Authentication results — SPF, DKIM, and DMARC pass/fail details
  • Source IP — The IP address that sent the failing message
  • Partial or full message body — Depending on the provider's policy
  • Failure reason — Why DMARC failed (alignment, SPF fail, DKIM fail)

This level of detail helps you:

  • Identify exactly which messages are failing
  • See the specific headers and source of spoofing attempts
  • Understand alignment failures at the individual message level
  • Debug complex authentication configurations

Why Most Providers Don't Send Them

Privacy Concerns

Forensic reports contain personal information — recipient email addresses, message subjects, sometimes message content. This creates privacy and compliance issues:

  • GDPR — Sharing message details with domain owners may violate data protection regulations
  • User privacy — Recipients haven't consented to their email details being shared
  • Legal liability — Providers are cautious about exposing message content

Volume

For high-volume senders, forensic reports for every failed message would create enormous amounts of data. A sender with millions of emails and even a small failure rate would generate thousands of reports per day.

Provider Policies

ProviderSends RUF?Notes
GmailNoGoogle does not send forensic reports
YahooNoYahoo does not send forensic reports
MicrosoftLimitedMay send redacted forensic reports in some cases
OthersVariesSome smaller providers send them, most don't

Should You Configure RUF?

Adding the Tag

You can add the ruf tag to your DMARC record:

v=DMARC1; p=quarantine; rua=mailto:[email protected]; ruf=mailto:[email protected]

There's no harm in adding it. Some providers may send reports, and having the address ready means you'll receive them if they do.

The fo Tag

The fo (failure options) tag controls when forensic reports are generated:

ValueReports Generated When
fo=0Both SPF and DKIM fail to align (default)
fo=1Either SPF or DKIM fails to align
fo=dDKIM signature fails (regardless of alignment)
fo=sSPF evaluation fails (regardless of alignment)

fo=1 generates the most reports and is the most useful for debugging.

Monitor your DMARC status

Track your DMARC configuration, authentication pass rates, and domain reputation. Get alerts when issues arise.

Alternatives to Forensic Reports

Since RUF reports are unreliable, use these alternatives to investigate authentication failures:

DMARC Aggregate Reports (RUA)

Aggregate reports are widely supported and provide enough data for most troubleshooting:

  • Which IPs are sending as your domain
  • Whether SPF and DKIM pass for each source
  • Volume of messages from each source
  • Disposition (delivered, quarantined, rejected)

Use a DMARC reporting service to visualize aggregate data and identify patterns.

Email Header Analysis

For specific failure investigations:

  1. Send test emails from each sending service
  2. Check the headers for SPF, DKIM, and DMARC results
  3. Use our free checker to verify authentication configuration
  4. Have recipients forward problematic emails with full headers for analysis

Google Postmaster Tools

For Gmail-specific data:

  • Domain reputation
  • SPF and DKIM pass rates
  • Complaint rates
  • Delivery errors

ESP Analytics

Your email service provider's analytics show:

  • Per-campaign delivery rates
  • Bounce details with error codes
  • Authentication pass rates from their perspective

DMARC Reporting Services

Third-party DMARC reporting services aggregate RUA data into dashboards that show:

  • All sources sending as your domain
  • Authentication pass/fail rates per source
  • Trends over time
  • Alerts when new unauthorized sources appear

These services essentially give you the investigative power of forensic reports by intelligently processing aggregate data.

The Future of Forensic Reports

The IETF has been working on improving DMARC reporting to address the limitations of RUF reports. Future specifications may introduce:

  • Privacy-preserving failure reports that don't expose recipient data
  • Standardized redaction practices
  • Better support for real-time alerting

Until these standards are finalized and adopted, aggregate reports plus manual investigation remain the practical approach for most organizations.