If you’re reading this, you’re probably familiar with DMARC reports, or at least with the Aggregate Reports (RUA) you receive when you implement DMARC. Aggregate reports are sent on a daily basis and contain incredibly useful info about emails sent from your domain that failed DMARC, SPF or DKIM authentication. You can see senders’ IP addresses, the number of emails and what day they were sent on, and lots more fun stuff. Check out our in-depth look at DMARC aggregate reports here.
But there’s another kind of report you might not have heard of, the less popular cousin of aggregate reports, so to speak. I’m talking about DMARC Forensic Reports (RUF), also known as Failure Reports. Although these serve, for the most part, the same role as aggregate reports, they’re very different in a lot of ways. Let me show you what I mean.
What Even Are Failure/Forensic Reports?
The best way to talk about RUF is to understand how they’re different from RUA. Aggregate reporting is meant to give you a general overview of the status of email in your domain, so you understand which of your emails and how many of them are having issues getting authenticated, as well as sending sources that may or may not be authorized.
Forensic reports do pretty much the same thing, but kicked into overdrive. Instead of sending a daily report with a summary of all emails that have authentication problems, forensic reports are sent for each individual email that fails DMARC validation. They function almost like a notification, and only contain details specific to that one email that caused the issue.
This goes way beyond the amount of information an aggregate report provides, and can greatly improve your chances of pinpointing the source of the problem as early and as accurately as possible. Learn more about forensic reports by clicking here.
Why Don’t Many Receivers Support Forensic Reports?
Many receiving servers don’t support sending forensic reports to the domain owner, which means that even if you have RUF enabled, you might not receive reports for all emails that fail authentication. There’s an important reason for this:
Although forensic reports usually filter out almost all personally identifiable information from the email, some data, like the email subject or recipient email address, could be a breach of user privacy if revealed. Many email receivers are extremely exacting in what kinds of information from the email can be displayed in a report.
For more information regarding privacy with DMARC, check out our full breakdown on how PowerDMARC protects user privacy.
But that isn’t to say forensic reports aren’t an important resource for your email security strategy. With the amount of granular data they provide, they can offer incredible insight into what’s going on with your unauthenticated mail.
Why Does Forensic Report Data Matter?
While it might seem like forensic reports aren’t such a good idea after all, you’d be surprised at how useful they can be to help you figure out what’s going wrong with your emails. After all, the more data you have, the more accurately you’ll be able to diagnose the problem.
Forensic reports contain highly detailed information about the relevant email, including:
- recipient email address
- SPF and DKIM authentication results
- time email was received
- DKIM signature
- email subject
- email headers, including custom headers
- host that sent the email
- email message ID
All of these data points are like pieces of a puzzle, and by putting them together, you’ll be in a far better position to confidently determine the exact source of your email delivery issues. They offer an unprecedented amount of visibility into exactly who is threatening to compromise your domain, giving you a wealth of data to work with. The more data you have on your sending sources, especially malicious ones, the more capable your organization will be to take action against them by pinpointing the abusive IP and having it taken down or blacklisted.
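To see how those data points are pulled out of a single report, here is an added example (not PowerDMARC's code): a small parser that assumes the report follows the AFRF layout of RFC 6591, with a feedback part and a copy of the original headers. The sample report is constructed, the function names are hypothetical, and the redaction step is one illustrative way to handle the privacy concern described earlier.

```python
import email, hashlib, re
from email import policy

# Constructed, abbreviated sample in the AFRF layout (RFC 6591); all values are made up.
SAMPLE = """\
Content-Type: multipart/report; report-type=feedback-report; boundary="b1"

--b1
Content-Type: message/feedback-report

Feedback-Type: auth-failure
Auth-Failure: dmarc
Source-IP: 192.0.2.10
Reported-Domain: example.com
Arrival-Date: Tue, 04 Mar 2025 10:15:00 +0000
Authentication-Results: mx.receiver.example; spf=fail smtp.mailfrom=example.com; dkim=none

--b1
Content-Type: text/rfc822-headers

From: billing@example.com
To: alice@receiver.example
Subject: Invoice 4471
Message-ID: <abc123@mail.example.com>
--b1--
"""

def inner_message(part):  # hypothetical helper: header block carried inside a report part
    if part.get_content_maintype() == "message":  # already parsed as a nested message
        return part.get_payload(0)
    return email.message_from_string(part.get_content(), policy=policy.default)

def parse_failure_report(raw, redact=True):
    out = {}
    for part in email.message_from_string(raw, policy=policy.default).iter_parts():
        ctype = part.get_content_type()
        if ctype == "message/feedback-report":
            fb = inner_message(part)
            if str(fb["Feedback-Type"]).strip().lower() != "auth-failure":
                raise ValueError("not an authentication failure report")
            for name in ("Source-IP", "Reported-Domain", "Arrival-Date", "Auth-Failure"):
                out[name.lower()] = str(fb[name])
            out["results"] = dict(re.findall(r"\b(spf|dkim)=(\w+)", str(fb["Authentication-Results"])))
        elif ctype in ("text/rfc822-headers", "message/rfc822"):
            orig = inner_message(part)
            out.update(recipient=str(orig["To"]), subject=str(orig["Subject"]), message_id=str(orig["Message-ID"]))
    if redact and "recipient" in out:  # keep a stable pseudonym instead of the address
        digest = hashlib.sha256(out["recipient"].lower().encode()).hexdigest()
        out.update(recipient="sha256:" + digest[:16], subject="[redacted]")
    return out
```

With `redact=True` the same recipient always maps to the same pseudonym, so repeated failures for one mailbox can still be correlated without storing the address or subject.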
PowerDMARC supports DMARC Forensic Reporting, as well as advanced privacy options like Forensic Report Encryption to keep any sensitive data completely safe.