Key Takeaways
- A DMARC Forensic Report (RUF) is an immediate, detailed notification sent when an individual email fails SPF, DKIM, or DMARC authentication.
- Unlike aggregate reports (RUA) that come once a day, RUF reports arrive in real time, offering granular data like subject lines and sender IPs.
- You must include the ruf= tag in your DMARC DNS record (e.g., ruf=mailto:[email protected]).
- Because these reports can contain sensitive info (PII), many providers (like Gmail) don’t send them. Using PowerDMARC with PGP encryption is the best way to handle this data securely.
- Use RUF to investigate specific spoofing attempts or to debug tricky configuration issues with third-party email tools.
Setting up a DMARC record is a massive win for your email security, but the real magic happens when you actually close the feedback loop. Think of it this way: when you publish that record, you aren’t just giving instructions to the rest of the internet on how to handle your mail; you’re asking every server in the world to report back to you.
Most people stop at the daily aggregate summaries, which are great for the “big picture,” but there’s a much deeper level of intel available if you know where to look. That’s where DMARC Forensic Reports (RUF) come into play. In this guide, we’re going to break down exactly what RUF reports are, how they differ from your standard data, and how you can use them to find the “smoking gun” when your emails go missing.
What Is a DMARC Forensic Report?
A DMARC Forensic Report (also called a Failure Report) is a detailed, real-time alert sent by receiving email servers when a message fails DMARC authentication. It gives detailed diagnostics on individual failed messages, such as authentication results, sending source, and message headers, so that the domain owner can investigate potential spoofing attempts and troubleshoot email authentication issues.
If an aggregate report is a summary of everyone who tried to enter a building, the forensic report is the high-resolution security footage of the one person who tried to pick the lock. It gives you the “nitty-gritty” details on why that specific message was flagged.
- Who’s sending it? Usually, it’s the receiving mail server (like a corporate gateway) that catches the suspicious email.
- Where does it land? It goes straight to whatever email you’ve listed in the ruf= tag of your DMARC record.
- What’s the vibe? Unlike those clunky XML aggregate files, these use the AFRF (Authentication Failure Reporting Format). It’s much more “human-readable” and packed with enough detail to help you actually solve the problem.
What Does a DMARC Forensic Report Contain?
Because RUF DMARC reports are designed for deep-dive troubleshooting, they contain specific metadata about the failed message that you won’t find in aggregate reports.
A typical RUF report includes:
- Sender IP Address: The exact IP that attempted to send the mail.
- From and Return-Path Addresses: The “Header From” and the envelope sender.
- Subject Line: The actual subject of the failed email.
- Authentication Results: Specific details on why SPF or DKIM failed and whether DMARC alignment was achieved.
- Mail Headers: The headers of the failed message, as captured by the receiving server and included in the report.
- Personally Identifiable Information (PII): Because these reports can include subject lines and recipient addresses, they often contain PII.
Note on Privacy: Due to the inclusion of PII, many major mailbox providers have opted out of sending RUF reports to protect user privacy. At PowerDMARC, we address this by supporting PGP encryption for RUF reports, ensuring that sensitive data remains encrypted and accessible only to you.
Some receivers that do send RUF reports will redact (mask) the sensitive parts of the email body or subject line before sending it to you to comply with privacy laws. This is why some forensic reports look “empty” or have [REDACTED] strings in them.
DMARC Forensic Report Example
To really understand what’s happening under the hood, you have to look at the raw data. When an email fails, the receiver generates a report in AFRF format. It looks a bit technical, but it’s actually pretty easy to read once you know what to look for.
```
Feedback-Type: auth-failure
User-Agent: PowerDMARC-Reporter/1.0
Version: 1.0
Original-Mail-From: [email protected]
Arrival-Date: Tue, 31 Mar 2026 10:00:00 +0000
Message-ID: <[email protected]>
Authentication-Results: dkim=fail; spf=fail
Source-IP: 192.0.2.1
Reported-Domain: yourdomain.com
```
What this is telling you:
- Feedback-Type: This confirms it’s an authentication failure.
- Original-Mail-From: The specific address that attempted to send the mail.
- Authentication-Results: The “smoking gun.” In this case, both SPF and DKIM failed, which is why the report was triggered.
- Source-IP: This is the exact server address that sent the mail. If you don’t recognize this IP, someone might be spoofing you.
What the Record Looks Like in Your DNS
To get these reports, your DMARC record needs to look something like this:
```
v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1;
```
Note: If you are sending reports to a domain different from your own, the destination domain must have a DNS record allowing it to receive your reports.
Breaking down the tags:
- v=DMARC1: Just the standard version tag so the internet knows what protocol you’re using.
- p=none: This is “monitoring mode.” You’re telling servers, “Let the mail through for now, but tell me if something goes wrong.”
- rua=: This is your mailbox for the big-picture, daily aggregate summaries.
- ruf=: This is the specific “forensic” tag that tells servers where to send the detailed, real-time failure alerts.
- fo=1: This is an important one. It tells the server to send a report if either SPF or DKIM fails. (If you leave it out, servers fall back to the default, fo=0, and only report when both fail.)
DMARC Forensic Report vs. Aggregate Report (RUF vs. RUA)
While both are enabled within the same record, they serve different masters. RUA is for the big picture; RUF is for the microscope.
| Feature | Forensic Report (RUF) | Aggregate Report (RUA) |
|---|---|---|
| Triggered by | Each individual email failure | Daily summary of all emails |
| Frequency | Real-time / Immediate | Once per day |
| Format | AFRF (RFC 6591), the DMARC-specific extension of ARF, the Abuse Reporting Format (RFC 5965) | XML |
| Detail Level | Highly granular (per-email) | Domain-wide summary |
| Contains PII? | Potentially yes | No |
| Support | Limited (Privacy concerns) | Broadly supported |
| Best Used For | Incident investigation, spoofing detection | Ongoing monitoring, trend analysis |
How to Enable DMARC Forensic Reports
Enabling RUF is a straightforward process involving a quick update to your DNS settings.
1. Access DNS: Log into your DNS management console.
2. Find your DMARC Record: Locate the TXT record at _dmarc.yourdomain.com.
3. Add the RUF Tag: Insert the ruf=mailto:[email protected] tag.
4. Configure the FO Tag: Define your reporting triggers (see the next section).
5. Save and Propagate: Save the changes. It can take up to 48 hours for DNS changes to propagate globally.
Pro-Tip: Sending RUF reports to a standard inbox can be overwhelming and poses a security risk. Using a platform like PowerDMARC allows you to visualize this data in a clean dashboard without cluttering your mail.
Understanding the DMARC fo Tag (Forensic Options)
The fo tag is a sub-component of the DMARC record that tells the receiver when you want a forensic report generated.
| fo Value | Meaning |
|---|---|
| fo=0 (Default) | Generate a report only if both SPF and DKIM fail. |
| fo=1 | Generate a report if either SPF or DKIM fails. (Recommended) |
| fo=d | Generate a report only if DKIM fails. |
| fo=s | Generate a report only if SPF fails. |
Most security professionals use fo=1 because it provides the highest level of visibility into any authentication hiccup. But please note that while fo=1 is best for visibility, it should almost always be sent to a dedicated processing tool (like PowerDMARC) rather than a human inbox, or the “noise” will become unmanageable.
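As an added example (not PowerDMARC's code), here is a small Python audit of the ruf= and fo= tags described above: it parses the record, translates the fo options the table lists, and, when a ruf mailbox lives on another domain, names the `_report._dmarc` authorization record that RFC 7489 requires that domain to publish. All domain names and addresses in it are constructed placeholders.

```python
# Meaning of each fo= option, as listed in the fo table above.
FO_MEANING = {
    "0": "report only if both SPF and DKIM fail (default)",
    "1": "report if either SPF or DKIM fails",
    "d": "report only if DKIM fails",
    "s": "report only if SPF fails",
}

def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate the trailing ';' many records end with
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    return tags

def ruf_audit(record: str, own_domain: str) -> dict:
    """Where failure reports go, what triggers them, and which destinations need authorization."""
    tags = parse_dmarc(record)
    addresses = []
    for uri in filter(None, (u.strip() for u in tags.get("ruf", "").split(","))):
        if not uri.lower().startswith("mailto:"):
            raise ValueError(f"unsupported ruf URI: {uri!r}")
        addresses.append(uri[len("mailto:"):].split("!", 1)[0])  # drop optional '!size' suffix
    # fo= is a colon-separated option list such as "1" or "d:s"; absent means "0".
    fo_opts = [o.strip() for o in tags.get("fo", "0").split(":")]
    unknown = [o for o in fo_opts if o not in FO_MEANING]
    if unknown:
        raise ValueError(f"unknown fo option(s): {unknown}")
    # A receiver honours a ruf mailbox on another domain only if that domain publishes
    # <own_domain>._report._dmarc.<dest_domain> TXT "v=DMARC1" (RFC 7489 section 7.1).
    # Simplification: subdomains of own_domain are treated as internal.
    own = own_domain.lower()
    needs_auth = []
    for addr in addresses:
        dest = addr.rsplit("@", 1)[1].lower()
        if dest != own and not dest.endswith("." + own):
            needs_auth.append(f"{own}._report._dmarc.{dest}")
    return {"policy": tags.get("p"), "ruf_enabled": bool(addresses), "ruf_addresses": addresses,
            "triggers": [FO_MEANING[o] for o in fo_opts], "external_auth_records": needs_auth}
```

Run it against your own record before you save the DNS change; an empty `external_auth_records` list means no extra record is needed on the destination side.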
Why You Might Not Be Receiving DMARC Forensic Reports
If you’ve enabled RUF but your inbox is empty, don’t panic. This doesn’t necessarily mean your record is broken.
1. Privacy Restrictions: Major providers like Gmail and Microsoft 365 generally do not send RUF reports to protect their users’ privacy.
2. Success is Silent: If all your emails are passing DMARC authentication, there are no failures to report!
3. Receiver Support: Not all receiving mail servers are configured to generate forensic reports.
This is why Aggregate RUA reports are considered the “source of truth” for overall domain health, while RUF is a supplemental tool for specific investigations.
Privacy and Security Concerns
Because RUF reports can contain the subject line and body of an email, they are subject to strict data privacy regulations like GDPR and CCPA. If an attacker spoofs your domain to send a phishing email to a private individual, the forensic report you receive might contain that individual’s private data.
Best Practices:
- Use a dedicated, secure reporting platform.
- Enable PGP Encryption: PowerDMARC offers PGP encryption so that only you, the holder of the private key, can view the contents of the RUF reports.
- Limit data access to your core security team.
How to Use RUF Reports to Detect Spoofing and Fix Failures
Once you start receiving forensic data, here is how to act on it:
1. Detecting Domain Spoofing
If you see a forensic report from an IP address you don’t recognize, and the “From” address is your domain, you’ve likely caught a spoofing attempt in progress. You can use this IP to update blocklists or inform your security operations center.
2. Fixing Legitimate Failures
Sometimes your own legitimate mail fails. If a report shows a failure from a tool you use (like Salesforce or Mailchimp), check the report to see if DKIM failed or if the IP simply wasn’t added to your SPF record.
3. Investigation Workflow
1. Identify the Source IP in the RUF report.
2. Verify: Is this a tool your company uses?
3. Remediate: If authorized but failing, fix the SPF/DKIM alignment. If unauthorized, let your DMARC policy, be it p=quarantine or p=reject, do its job.
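To tie the AFRF example earlier on this page to the three-step workflow, here is an added Python example (not from PowerDMARC) that parses the machine-readable AFRF fields of a failure report and sorts it into "misconfigured authorized sender" or "spoofing suspect" against a list of authorized sending networks. The report text, IP ranges and domain names are constructed; a real deployment would load the allow-list from your SPF record or sender inventory.

```python
import ipaddress
import re
from email import message_from_string

# Constructed allow-list: networks your own servers and sanctioned third-party tools send from.
AUTHORIZED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24"),
                       ipaddress.ip_network("203.0.113.10/32")]

# Constructed report in the same shape as the AFRF example above (documentation addresses only).
SAMPLE_REPORT = """\
Feedback-Type: auth-failure
Version: 1.0
Original-Mail-From: billing@yourdomain.example
Arrival-Date: Tue, 31 Mar 2026 10:00:00 +0000
Source-IP: 192.0.2.1
Authentication-Results: mx.receiver.example; dkim=fail header.d=yourdomain.example; spf=fail smtp.mailfrom=yourdomain.example
Reported-Domain: yourdomain.example
Auth-Failure: dmarc
"""

def parse_afrf(report_text: str) -> dict:
    """Read the machine-readable AFRF fields (RFC 5322-style header lines) into a dict."""
    fields = message_from_string(report_text)
    missing = [f for f in ("Feedback-Type", "Source-IP", "Authentication-Results", "Reported-Domain")
               if fields[f] is None]
    if missing:  # receivers may redact fields; refuse to triage a report that lacks the essentials
        raise ValueError(f"report is missing {missing}")
    if fields["Feedback-Type"].strip() != "auth-failure":
        raise ValueError("not an authentication-failure report")
    # Authentication-Results is '<authserv-id>; method=result ...'; keep each method=result pair.
    pairs = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", fields["Authentication-Results"], re.I)
    return {
        "source_ip": ipaddress.ip_address(fields["Source-IP"].strip()),
        "mail_from": fields["Original-Mail-From"],
        "domain": fields["Reported-Domain"].strip(),
        "results": {m.lower(): r.lower() for m, r in pairs},
    }

def triage(report: dict) -> dict:
    """Steps 2 and 3 of the workflow: is the source ours, and what should happen next?"""
    authorized = any(report["source_ip"] in net for net in AUTHORIZED_NETWORKS)
    failed = sorted(m for m, r in report["results"].items() if r != "pass")
    if authorized:
        return {"verdict": "misconfiguration", "failed": failed,
                "action": f"authorized source failed {', '.join(failed)}: fix SPF/DKIM alignment for {report['domain']}"}
    return {"verdict": "spoofing-suspect", "failed": failed,
            "action": f"unauthorized source {report['source_ip']}: let the DMARC policy act and notify the SOC"}
```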
The Bottom Line
Look at it this way: if DMARC aggregate RUA reports are your monthly bank statement, Forensic RUF Reports are the individual receipts for every suspicious transaction. They aren’t perfect, mostly because the big players like Gmail prioritize user privacy over sending these out, but when you do get them, they are gold for troubleshooting.
If you’re trying to figure out why a specific marketing tool is acting up, or if you’re under a targeted spoofing attack, these reports give you the “who, what, and where” in real time. Just make sure you’re handling that data responsibly, ideally with a platform that keeps things encrypted so you aren’t sitting on a pile of sensitive PII.
Want to see your forensic data without the headache? PowerDMARC makes this easy by translating raw RUF data into a readable dashboard, complete with PGP encryption to keep your data secure and compliant. Start your 15-day free trial today and get full visibility into your email ecosystem.
Frequently Asked Questions
What exactly is a DMARC forensic report?
It’s basically a real-time alert. Instead of waiting for a daily summary, a forensic report is triggered the second an individual email fails its DMARC check. It’s super detailed and meant for a deep-dive investigation.
How is RUF different from RUA?
RUA is your “big picture” daily digest; it tells you trends and volumes in XML format. RUF is the granular “micro” view; it’s sent immediately, uses the ARF format, and contains specific details about one single failed message.
How do I actually turn these reports on?
You’ll need to edit your DMARC record in your DNS settings. Just add the ruf=mailto:[email protected] tag. If you want to be extra thorough, add the fo=1 tag so you get a report if either SPF or DKIM fails, rather than waiting for both to break.
I set up RUF but I’m not getting anything. Is it broken?
Probably not. Most likely, your emails are passing authentication just fine (which is good!). Also, keep in mind that many big providers don’t send RUF reports at all to protect their users’ privacy. If your RUA reports are coming through, your record is likely working.
Is there personal data hidden in these reports?
Yes, and that’s the tricky part. Forensic reports can include the email subject line, the recipient’s address, and sometimes even a snippet of the message body. This is why it’s a good idea to use a secure platform to manage them so you stay on the right side of privacy laws like GDPR.
What does the ‘fo’ tag do?
It stands for “Forensic Options.” It’s basically a set of instructions telling the receiver exactly when to trigger a report, whether you only want one when everything fails (fo=0) or if you want a report the moment any part of the authentication process slips up (fo=1).
