DMARC Forensic Reports (RUF): What They Are and Why Most Providers Don't Send Them
Understand DMARC forensic reports (RUF), how they differ from aggregate reports (RUA), why most providers don't send them, and what alternatives exist.
DMARC supports two types of reports: aggregate reports (RUA) that summarize authentication results, and forensic reports (RUF) that provide details about individual failed messages. In theory, forensic reports help you investigate specific authentication failures. In practice, most mailbox providers don't send them.
Here's what forensic reports are, why they're rare, and what to use instead.
RUA vs RUF Reports
| Aggregate (RUA) | Forensic (RUF) | |
|---|---|---|
| Content | Summary statistics — IP, volume, pass/fail counts | Individual message details — headers, sometimes partial body |
| Frequency | Daily (typically) | Per-failure (immediately or batched) |
| Privacy concern | Low — no personal data | High — contains message details and recipient info |
| Provider support | Widely supported (Gmail, Yahoo, Microsoft) | Very limited (most providers don't send) |
| DMARC tag | rua=mailto:... | ruf=mailto:... |
| Format | XML (gzipped) | ARF (Abuse Reporting Format) or IODEF |
What Forensic Reports Contain
When a provider sends a forensic report, it includes details about a specific message that failed DMARC:
- Message headers — From, To, Subject, Date, Received chain
- Authentication results — SPF, DKIM, and DMARC pass/fail details
- Source IP — The IP address that sent the failing message
- Partial or full message body — Depending on the provider's policy
- Failure reason — Why DMARC failed (alignment, SPF fail, DKIM fail)
This level of detail helps you:
- Identify exactly which messages are failing
- See the specific headers and source of spoofing attempts
- Understand alignment failures at the individual message level
- Debug complex authentication configurations
Why Most Providers Don't Send Them
Privacy Concerns
Forensic reports contain personal information — recipient email addresses, message subjects, sometimes message content. This creates privacy and compliance issues:
- GDPR — Sharing message details with domain owners may violate data protection regulations
- User privacy — Recipients haven't consented to their email details being shared
- Legal liability — Providers are cautious about exposing message content
Volume
For high-volume senders, forensic reports for every failed message would create enormous amounts of data. A sender with millions of emails and even a small failure rate would generate thousands of reports per day.
Provider Policies
| Provider | Sends RUF? | Notes |
|---|---|---|
| Gmail | No | Google does not send forensic reports |
| Yahoo | No | Yahoo does not send forensic reports |
| Microsoft | Limited | May send redacted forensic reports in some cases |
| Others | Varies | Some smaller providers send them, most don't |
Should You Configure RUF?
Adding the Tag
You can add the ruf tag to your DMARC record:
v=DMARC1; p=quarantine; rua=mailto:[email protected]; ruf=mailto:[email protected]
There's no harm in adding it. Some providers may send reports, and having the address ready means you'll receive them if they do.
The fo Tag
The fo (failure options) tag controls when forensic reports are generated:
| Value | Reports Generated When |
|---|---|
| fo=0 | Both SPF and DKIM fail to align (default) |
| fo=1 | Either SPF or DKIM fails to align |
| fo=d | DKIM signature fails (regardless of alignment) |
| fo=s | SPF evaluation fails (regardless of alignment) |
fo=1 generates the most reports and is the most useful for debugging.
Monitor your DMARC status
Track your DMARC configuration, authentication pass rates, and domain reputation. Get alerts when issues arise.
Alternatives to Forensic Reports
Since RUF reports are unreliable, use these alternatives to investigate authentication failures:
DMARC Aggregate Reports (RUA)
Aggregate reports are widely supported and provide enough data for most troubleshooting:
- Which IPs are sending as your domain
- Whether SPF and DKIM pass for each source
- Volume of messages from each source
- Disposition (delivered, quarantined, rejected)
Use a DMARC reporting service to visualize aggregate data and identify patterns.
Email Header Analysis
For specific failure investigations:
- Send test emails from each sending service
- Check the headers for SPF, DKIM, and DMARC results
- Use our free checker to verify authentication configuration
- Have recipients forward problematic emails with full headers for analysis
Google Postmaster Tools
For Gmail-specific data:
- Domain reputation
- SPF and DKIM pass rates
- Complaint rates
- Delivery errors
ESP Analytics
Your email service provider's analytics show:
- Per-campaign delivery rates
- Bounce details with error codes
- Authentication pass rates from their perspective
DMARC Reporting Services
Third-party DMARC reporting services aggregate RUA data into dashboards that show:
- All sources sending as your domain
- Authentication pass/fail rates per source
- Trends over time
- Alerts when new unauthorized sources appear
These services essentially give you the investigative power of forensic reports by intelligently processing aggregate data.
The Future of Forensic Reports
The IETF has been working on improving DMARC reporting to address the limitations of RUF reports. Future specifications may introduce:
- Privacy-preserving failure reports that don't expose recipient data
- Standardized redaction practices
- Better support for real-time alerting
Until these standards are finalized and adopted, aggregate reports plus manual investigation remain the practical approach for most organizations.