What is the ruf tag in DMARC (forensic reports)?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

The ruf= tag in your DMARC record tells supporting mailbox providers where to send forensic reports when a message fails DMARC. Unlike aggregate reports (which come once a day and summarize volume), forensic reports are sent per-failure, in near real-time.

Each forensic report contains a sample of the failing message: headers, authentication results, and sometimes redacted body content. The idea is that when something fails DMARC, you can look at the actual message to understand why.

Adding it looks like this: ruf=mailto:dmarc-forensic@yourdomain.com. You can combine it with an aggregate report address: rua=mailto:reports@yourdomain.com; ruf=mailto:failures@yourdomain.com.

Honest caveats about RUF:

Many major providers, including Gmail, no longer send forensic reports due to privacy concerns. The content could include personal information from the failed message, and providers have moved away from enabling it by default. In practice, you may configure ruf= and receive very few or no reports, depending on which providers your recipients use.

There's also volume risk: if you have significant authentication failures happening, you could receive a lot of forensic reports rapidly. The fo= tag controls when forensic reports are generated (on every failure, only DKIM failures, only SPF failures, etc.), which helps manage the volume.

For most senders, aggregate reports (RUA) are more useful day-to-day. They give you trend data and source visibility. Forensic reports are useful when you're actively debugging a specific failure and want to see what individual failing messages look like. But don't rely on them as your primary monitoring tool since many providers don't send them.

Both RUA and RUF only work if your DMARC record is configured and valid. Our free DMARC parser can help you validate your record and parse any reports you do receive.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get guidance on DMARC forensic reporting for your specific setup.

I read this on the Email Almanac about the ruf= tag in DMARC. My situation: I am / am not receiving forensic reports. My DMARC record includes ruf= / doesn't have ruf=. I want to understand [describe e.g., "why I'm not getting forensic reports despite having ruf= configured" or "whether I should add ruf= to my DMARC record" or "how to use the reports I am receiving to debug a specific failure"].

Edit the yellow boxes, then send to the AI of your choice.