Blog article
- 8 minutes read
- Kiara Saloojee
- DMARC Enthusiast
DMARC Forensic Reports: What They Are and How To Use Them
DMARC forensic reports overview:
- DMARC forensic reports provide per-message detail on emails that fail DMARC authentication
- They differ from aggregate reports, which summarize all traffic over a set period
- Forensic reports may contain sensitive data – assess privacy obligations before enabling
ruf= - Use forensic reports alongside aggregate data, not as a replacement
DMARC forensic reports give security teams per-message visibility into emails that fail DMARC authentication. Where aggregate reports summarize authentication results across all traffic, DMARC forensic reports – also called RUF reports – provide details on individual failing messages.
That distinction matters when you need to investigate a specific spoofing attempt, diagnose a misconfigured sender, or build an audit trail for compliance purposes.
To receive forensic reports, add the ruf= tag to your DMARC record. This tag specifies the mailbox where receiving servers should send reports when a message fails DMARC.
See how Sendmarc gives your team unified visibility into DMARC authentication failures.
How DMARC Forensic Reports Work
When a receiving server detects a DMARC failure, it generates a per-message report and sends it to the address specified in your ruf= tag. DMARC forensic reports use the Abuse Reporting Format (ARF), an industry-standard format for reporting email abuse.
Each report can include:
- Message headers
- The sending address
- Authentication results (SPF and DKIM)
- Time of reception
- DKIM signature
- Sending host
- Subject line
- Message ID
The fo= tag controls when reports are generated:
| Tag value | When a report is sent |
|---|---|
fo=0 | Only when both SPF and DKIM fail |
fo=1 | When either SPF or DKIM fails |
fo=d | On DKIM failures only |
fo=s | On SPF failures only |
One important limitation: Not all receiving servers send DMARC forensic reports. Support is inconsistent across providers, and some major providers – including Gmail – don’t send RUF reports. This means forensic report data will never be complete. Use it alongside aggregate report data, not as a replacement for it.
DMARC Forensic Reports vs. Aggregate Reports
Understanding when to use each report type helps security teams get the most from their DMARC configuration.
| Report type | Trigger | Scope | Content | Best for |
|---|---|---|---|---|
| Aggregate reports | Time-based (typically every 24 hours) | All email traffic | Volume, pass/fail rates, sending sources | Ongoing monitoring and policy enforcement |
| Forensic reports | Per message failure | Individual failing messages | Headers, authentication results, message details | Investigating specific failures and spoofing attempts |
Aggregate reports are the primary tool for day-to-day visibility and policy enforcement. Forensic reports are most useful when aggregate data surfaces a problem, but doesn’t explain it.
You can configure both in a single DMARC record:
| Host | Type | Value |
|---|---|---|
_dmarc.yourdomain.com | TXT | v=DMARC1; p=reject; rua=mailto:[email protected]; f ruf=mailto:[email protected]; fo=1; |
Privacy Considerations for DMARC Forensic Reports
Forensic reports can contain sensitive message content, including headers, subject lines, and, in some cases, body text from emails that failed DMARC. This creates data handling obligations that vary by region and industry.
Organizations subject to GDPR or similar privacy regulations should assess whether enabling ruf= is appropriate before doing so. If forensic reports capture personal data from third-party emails, that data must be handled in line with the applicable law.
Before enabling forensic reporting:
- Confirm your legal basis for collecting and processing report data
- Ensure the reporting mailbox is access-controlled and appropriately secured
- Review your data retention obligations for report content
Note that some receiving servers redact sensitive fields – such as body content, which can reduce the privacy risk but also limit the detail available for investigation.
Acting on Forensic Report Data
DMARC forensic reports are most useful when treated as part of an investigation. They help you:
- Investigate unfamiliar sending IPs. If a forensic report includes a sending IP you don’t recognize, check whether it’s an unauthorized sender or a legitimate service that isn’t correctly configured. Unauthorized senders should be removed or blocked; legitimate senders need to be authorized in your SPF and DKIM configurations.
- Diagnose the authentication failure. The authentication results in each report show whether the failure was caused by SPF or DKIM issues, or both. This determines what needs to be fixed.
- Build audit trails. Forensic report data supports internal investigations and provides credible evidence to audit and risk committees.
Parsing and acting on forensic report data manually isn’t practical. A DMARC management platform parses and surfaces failure report data across all your domains, so your team can investigate faster.
Unified Visibility Into DMARC Reporting
DMARC forensic reports surface details that aggregate data alone can’t provide. They identify specific authentication failures and give security teams the visibility needed to investigate spoofing attempts, eliminate unauthorized senders, and support compliance reporting.
Managing forensic report data across multiple domains requires more than a reporting mailbox. Sendmarc’s DMARC Management solution gives teams unified visibility into authentication failures, sending sources, and DMARC compliance.
Sendmarc provides:
- Aggregate and forensic reporting in a single dashboard
- Identification of unauthorized or unknown email senders
- Continuous monitoring without increasing internal workload
- Audit trails to support compliance and governance requirements
See how Sendmarc gives your team unified visibility into DMARC reporting.