What is DMARC Forensic Reporting (RUF)?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You've set up DMARC and you're getting aggregate reports (RUA) showing a percentage of messages failing. Great. But aggregate reports only tell you how many messages failed and from which IP. They don't tell you which specific message failed or exactly why. That's where forensic reports (RUF) come in.

DMARC Forensic Reporting (RUF) is a type of DMARC feedback where mailbox providers send you a detailed report for each individual message that fails your DMARC policy. Unlike aggregate reports, which give you a summary across all sending, forensic reports show you the actual message headers and (sometimes) partial content from a single failed email.

Think of it this way. Aggregate reports are your monthly summary statement. Forensic reports are the individual transaction receipts. Both matter, but for different jobs.

What forensic reports are actually useful for:

  • Pinpointing exactly why a specific message failed (SPF misalignment? DKIM signature missing? Both?)
  • Spotting forwarding scenarios that break alignment, like when a mailing list re-sends your email and strips the DKIM signature
  • Catching misconfigured legitimate senders who are sending on behalf of your domain without the right setup
  • Identifying phishing or spoofing attempts that are using your domain name

That last one is worth pausing on. If someone is spoofing your domain to send phishing emails, a forensic report can give you the actual message headers from that attack. That's real evidence you can use to understand the scope and source of the problem.

That said, RUF has some real limitations you should know about before you get too excited.

First, not all mailbox providers send forensic reports. Gmail stopped sending them years ago due to privacy concerns. You'll get them from some providers, but don't expect full coverage.

Second, privacy rules in some regions (hello, GDPR) mean that providers often strip or redact message content before sending the report. So you might get headers but not the full picture.

Third, if you're sending at high volume, forensic reports can get overwhelming fast. A 1% failure rate on a million-email send is 10,000 individual reports. Most senders rely on aggregate reports day-to-day and only turn to forensic data when something specific needs investigating.

To enable RUF, you add a ruf= tag to your DMARC record pointing to an email address or reporting service that can receive and parse them. It looks something like ruf=mailto:dmarc-forensic@yourdomain.com. (Most senders use a third-party DMARC reporting tool rather than a raw inbox, since parsing these by hand is not fun.)

If you want to check how your current DMARC record is set up, our free DMARC Parser will read your record and flag anything that looks off. And if you're seeing unexplained failures and want a second set of eyes, the SOS hotline is free.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Help me decide if I need DMARC forensic reports

I'm setting up DMARC forensic reporting (RUF) for my domain. Based on my sending setup, help me decide whether I actually need RUF or if aggregate reports are enough. Ask me: (1) my approximate monthly send volume, (2) whether I'm seeing unexplained DMARC failures right now, (3) whether I have a third-party tool to parse forensic reports, and (4) whether I'm concerned about phishing or spoofing on my domain. Then tell me whether to enable RUF, skip it, or enable it with caveats.

Edit the yellow boxes, then send to the AI of your choice.