RUA vs. RUF: A Complete Guide to DMARC Reporting
by
Last Updated:
6 min read
Key Takeaways
- DMARC provides visibility into email activity, helping to secure domains against spoofing and phishing.
- RUA reports document aggregate data on email authentication failures, aiding in the identification of fraudulent activity.
- RUF reports offer forensic-level details that help uncover vulnerabilities in the email system.
- Implementing DMARC is essential for instructing recipient servers on handling emails that fail authentication checks.
- Refining email authentication policies based on RUA and RUF reports improves overall email security over time.
DMARC reports are how you see what is actually happening with your email. Without them, you are implementing authentication policies blindly.
There are two types: RUA aggregate reports, which give you a daily overview of your domain’s email traffic, and RUF forensic reports, which fire in real time when individual emails fail authentication.
Knowing the difference between DMARC RUA and RUF, what each contains, and when to use them is essential for anyone working toward full DMARC enforcement.
DMARC Tags and Their Roles
Before diving into RUA and RUF reports, it’s essential to understand how DMARC tags work within your DMARC record.
DMARC records contain several key tags that control different aspects of email authentication and reporting:
- v=DMARC1: Specifies the DMARC version
- p=: Sets the policy for your domain (none, quarantine, or reject)
- rua=: Specifies where to send aggregate (RUA) reports
- ruf=: Specifies where to send forensic (RUF) reports
- sp=: Sets the policy for subdomains
The RUA and RUF tags are crucial for receiving the reports that help you monitor and improve your email authentication setup.
What Are DMARC RUA Reports?
DMARC RUA reports, or aggregate reports, are the foundation of any effective DMARC implementation. They are generated by recipient mail servers and sent to the address specified in the RUA tag of your DMARC record, typically once every 24 hours.
What RUA reports contain
RUA reports provide a summary of all email authentication results for your domain over the reporting period. They include:
- IP addresses of all servers that sent email using your domain
- Volume of messages sent from each IP address
- SPF and DKIM authentication results for each source
- DMARC policy applied and the outcome for each message group
- Domain alignment results
Critically, RUA reports provide all of this without exposing any personally identifiable data or sensitive information about the emails themselves. This makes them safe to use from a privacy and compliance perspective.
What RUA reports are used for
| Use case | How RUA helps |
|---|---|
| Identifying all legitimate senders | Shows every IP sending mail under your domain |
| Spotting unauthorized sources | Flags IP addresses not in your SPF email record or DKIM setup |
| Monitoring authentication pass rates | Shows what percentage of mail is passing SPF, DKIM, and DMARC |
| Refining email authentication policies | Provides the data needed to adjust SPF and DKIM configuration |
| Moving toward enforcement | Confirms all legitimate sources are authenticated before tightening policy |
Monitoring RUA reports is essential for safely moving from a p=none monitoring policy to active enforcement at p=quarantine or p=reject. Without this data, tightening your DMARC policy risks blocking legitimate email.
How to enable RUA reporting
To receive aggregate reports, include the RUA tag in your DMARC record with a valid email address: v=DMARC1; p=none; rua=mailto:[email protected];
You can specify multiple addresses as a comma separated list.
You can also allow an external domain to receive aggregate reports by specifying it in the RUA tag, provided that external domain publishes a DNS record granting permission.
What Are DMARC RUF Reports?
DMARC RUF reports, or forensic reports, are generated and sent immediately after an individual email fails DMARC authentication. Unlike RUA reports, which summarize traffic in aggregate, RUF reports provide detailed information about each specific failure.
What RUF reports contain
RUF reports can include:
- Full email headers
- Subject line of the failed message
- URLs contained in the message body
- Attachment information
- Sending IP address and authentication failure reason
- Potentially sensitive content from the message body itself
This level of detail makes RUF reports powerful for forensic investigation, but it also introduces significant privacy considerations.
When RUF reports are useful
RUF reports are best suited for:
- Debugging specific authentication failures that are difficult to diagnose from aggregate data alone
- Investigating active phishing or spoofing attacks using your domain
- Identifying unauthorized IP addresses sending fraudulent messages under your domain name
The privacy challenge with RUF
Because RUF reports can contain personally identifiable data and sensitive information from real email messages, many organizations choose not to request them at all.
Privacy regulations in various jurisdictions may restrict the collection and storage of this data, and major email providers have varying levels of support for sending forensic reports.
For most organizations, RUA aggregate reports provide sufficient data for effective DMARC implementation without the privacy and compliance risks that RUF introduces.
Simplify RUA vs. RUF Reports
No credit card required. Get actionable DMARC insights in minutes. |
DMARC RUA vs. RUF: Key Differences
Here is a direct comparison of both report types across the dimensions that matter most for DMARC implementation.
| RUA (Aggregate) | RUF (Forensic) | |
|---|---|---|
| Frequency | Daily | Real-time, per failure |
| Content | Aggregated statistics across all email traffic | Detailed data on individual failed messages |
| Sensitive data | No personally identifiable data | May contain sensitive information including headers, subject lines, URLs |
| Privacy risk | Low | High |
| Provider support | Widely supported | Not supported by all major providers |
| Primary use | Monitoring, policy refinement, enforcement planning | Debugging specific failures, forensic investigation |
| Required for DMARC | No, but strongly recommended | No, and optional for most organizations |
| XML format | Yes | Yes |
Which one should you use?
For most organizations, RUA aggregate reports are the right starting point and the primary tool throughout the entire DMARC implementation process. They provide everything needed to identify sending sources, track authentication results, and move safely toward enforcement.
RUF forensic reports are situational. If your organization has specific forensic needs, such as actively investigating a spoofing campaign or debugging a persistent authentication failure that is not visible in aggregate data, RUF adds value.
Otherwise, the privacy concerns and limited provider support make RUF an optional add-on rather than a core requirement.
Suggested read: How To Read DMARC Reports (Aggregate vs. Forensic)
How to Set Up DMARC Reporting
Setting up DMARC reporting is one of the first things you should do when implementing DMARC. Without report tags in your record, you are running blind. Here is how to get it right from the start.
Setting up your DMARC record with reporting tags
A DMARC record with both RUA and RUF tags looks like this:
v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected];
| Tag | Purpose | Required? |
|---|---|---|
| rua= | Specifies where aggregate reports are sent | Recommended |
| ruf= | Specifies where forensic reports are sent | Optional |
Both tags accept a comma separated list of addresses, so you can route reports to multiple mailboxes if needed.
You can also allow an external domain to receive aggregate reports by specifying it in the RUA tag, as long as that external domain publishes a DNS record granting permission.
Using DMARC Reports to Reach Enforcement
DMARC implementation is an iterative process, and RUA aggregate reports are what make it possible to move through each policy stage without disrupting legitimate email delivery.
The goal is to reach p=reject, and your reports are the roadmap.
The enforcement journey
| Stage | Policy | What to do with your reports |
|---|---|---|
| Monitoring | p=none | Identify all sending sources, confirm SPF and DKIM are passing for each one |
| Soft enforcement | p=quarantine | Verify no legitimate sources are failing before moving further |
| Full enforcement | p=reject | Confirm only unauthorized senders are being blocked |
Once your RUA reports consistently show that all legitimate sources are passing authentication, shifting your DMARC policy from p=none to p=quarantine and then to p=reject becomes a data-driven decision rather than a leap of faith.
Skipping or rushing through the monitoring phase is the most common reason organizations accidentally block their own email when tightening policy. Your aggregate reports exist precisely to prevent that.
What to look for in your reports before moving to enforcement
- All known sending sources are visible and passing SPF and DKIM authentication
- No legitimate IP addresses are appearing as unauthorized
- Authentication failure rates are low and attributable to known issues
- No unexpected third-party senders are using your domain
PowerDMARC’s DMARC analyzer surfaces all of this in one place, making it straightforward to track progress toward enforcement across your entire email infrastructure.
Additionally, PowerDMARC’s DMARC report analyzer offers a deeper look into your authentication data. It breaks down aggregate and forensic reports into clear, actionable insights. This way, you always know exactly where your domains stand.
For organizations managing email authentication across multiple domains, hosted DMARC centralizes report management and policy control, so nothing falls through the cracks.
Make Sense of Your DMARC Reports With PowerDMARC
DMARC RUA and RUF reports are only valuable if you can actually interpret them. Raw XML files are hard to read, easy to misinterpret, and offer no clear path forward on their own.
PowerDMARC transforms your aggregate and forensic report data into clear, actionable dashboards. They show exactly who is sending email on your behalf, what is passing and failing, and what needs to change before you can safely reach enforcement.
From your first p=none record to full p=reject enforcement, PowerDMARC gives you the visibility and tooling to get there without guesswork.
“PowerDMARC made DMARC reporting effortless for our IT team. The insights are clear and actionable.” – CIO, Large Retailer
Get started with PowerDMARC today.
FAQs
1. What is the difference between RUA and RUF in DMARC?
RUA reports provide aggregate data about email authentication results sent daily, while RUF reports offer forensic details about individual failed emails sent in real-time. RUA reports are used for monitoring trends, while RUF reports are used for investigating specific threats.
2. What is the RUA tag in a DMARC record?
The RUA tag specifies the email address where aggregate reports should be sent. It’s formatted as “rua=mailto:[email protected]” and tells receiving mail servers where to send daily summary reports of DMARC authentication results.
3. Is the RUA tag required for DMARC to work?
No, the RUA tag is optional for basic DMARC functionality. However, it’s highly recommended because without it, you won’t receive reports about your email authentication performance, making it difficult to monitor and improve your DMARC implementation.
4. How often are RUA and RUF reports sent?
RUA reports are typically sent daily by receiving mail servers, containing aggregated data from the previous 24 hours. RUF reports are sent immediately when an authentication failure occurs, providing real-time forensic information about individual failed emails.
5. Can I receive both RUA and RUF reports for the same domain?
Yes, you can configure both RUA and RUF reporting in your DMARC record. Many organizations use both types: RUA reports for ongoing monitoring and trend analysis, and RUF reports for detailed investigation of specific authentication failures or security incidents.
Domain & Email Security Expert at PowerDMARC
Ahona is the Marketing Manager at PowerDMARC, with 5+ years of experience in writing about cybersecurity topics, specializing in domain and email security. Ahona holds a post-graduation degree in Journalism and Communications, solidifying her career in the security sector since 2019.
Latest posts by Ahona Rudra (see all)
