DMARC produces two types of reports: aggregate reports (RUA) and forensic reports (RUF). Most senders are familiar with RUA — the daily XML summaries showing authentication pass/fail counts per sending source. RUF forensic reports are less well understood and, when enabled, contain individual message-level data showing exactly which messages failed DMARC and why. This guide covers what RUF reports contain, how to enable and parse them, and how to use forensic data to diagnose authentication failures that aggregate reports cannot fully explain.

RUA
Aggregate reports — daily XML summaries, sent by most ISPs
RUF
Forensic reports — per-message detail, sent only by some ISPs
Privacy
Many ISPs have stopped sending RUF due to GDPR concerns
ruf=mailto:
DMARC record tag that enables forensic report delivery

RUA vs RUF — Key Differences

RUA (aggregate) and RUF (forensic) reports serve different diagnostic purposes. Understanding when to rely on each prevents confusion when troubleshooting authentication failures.

PropertyRUA (Aggregate)RUF (Forensic)
FrequencyDaily (usually 00:00–23:59 UTC)Per-message — near real-time
ContentPass/fail counts by source IP and envelope domainFull message headers of the failing message
Sent byGmail, Yahoo, Microsoft, most major ISPsGmail (some), Yahoo (limited), few others
GDPR considerationsLow — no personal data in IP/domain countsHigh — contains From: address of recipient
Use caseIdentify new sending sources, track policy compliance rateDiagnose specific authentication failures
Volume1 report/day per reporting ISP1 report per failing message (can be high volume)
File formatXML (gzipped)Email (MIME, ARF-like format)

Enabling RUF Forensic Reports

RUF is enabled by adding the ruf= tag to your DMARC record. The value is an email address (or multiple addresses) where forensic reports will be delivered. Unlike RUA, RUF reports are not sent by all ISPs — Gmail sends them selectively, Microsoft does not send them at all, and many smaller ISPs have stopped sending them due to GDPR concerns about including recipient email addresses in reports.

DMARC record with both RUA and RUF configured
# Full DMARC record with aggregate and forensic reporting
_dmarc.yourdomain.com IN TXT "v=DMARC1; p=quarantine; pct=100; adkim=r; aspf=r; rua=mailto:dmarc-rua@yourdomain.com; ruf=mailto:dmarc-ruf@yourdomain.com; fo=1"

# Key parameters:
# ruf=mailto:    → forensic report destination
# fo=1           → generate forensic report on ANY auth failure (SPF or DKIM)
#                  fo=0 = only when all mechanisms fail (default, less useful)
#                  fo=1 = any failure (recommended for diagnosis)
#                  fo=d = DKIM failure only
#                  fo=s = SPF failure only

# Important: use a SEPARATE mailbox for RUF
# RUF volume can be high on large lists — do not mix with operational email
# Consider a dedicated processing mailbox: dmarc-ruf@yourdomain.com

# Verify the record after publishing:
# dig TXT _dmarc.yourdomain.com +short

What a RUF Forensic Report Contains

A RUF report arrives as an email with the subject line "Report Domain: yourdomain.com Submitter: google.com Report-ID: [id]". The body contains the full headers of the original message that failed DMARC, enough context to diagnose exactly why authentication failed.

RUF forensic report — structure and key fields (annotated)
From: noreply-dmarc-support@google.com
To: dmarc-ruf@yourdomain.com
Subject: Report Domain: yourdomain.com Submitter: google.com

MIME-Version: 1.0
Content-Type: multipart/report; report-type=feedback-report

--boundary-1
Content-Type: text/plain

This is an email abuse report for the following email message.

--boundary-2
Content-Type: message/feedback-report

Feedback-Type: auth-failure
Version: 1
User-Agent: Google; https://support.google.com/a/answer/2466580
Auth-Failure: dmarc                   ← SPF and DKIM both failed DMARC alignment
Delivery-Result: delivered            ← message was still delivered (p=none or quarantine)
Reported-Domain: yourdomain.com       ← your From: header domain
Source-IP: 203.0.113.55               ← sending IP that failed
Authentication-Results: mx.google.com;
       dkim=fail reason="signature verification failed";  ← DKIM failed
       spf=pass smtp.mailfrom=bounce.esp.com;             ← SPF passed but for ESP domain
       dmarc=fail (p=QUARANTINE) header.from=yourdomain.com  ← DMARC failed: SPF domain mismatch

--boundary-3
Content-Type: message/rfc822; charset=US-ASCII

# Original message headers (redacted recipient per some ISP policies):
Received: from mail.esp.com (203.0.113.55) by mx.google.com
From: Newsletter <newsletter@yourdomain.com>   ← From: is YOUR domain
DKIM-Signature: v=1; a=rsa-sha256; d=esp.com;  ← DKIM signed by ESP domain, not yours!
Return-Path: <bounce@bounce.esp.com>            ← Envelope sender is ESP's bounce domain

Diagnosing Authentication Failures from RUF Data

The example above is the single most common authentication failure pattern: SPF passes for the ESP's bounce domain, DKIM is signed by the ESP's domain rather than your domain, and DMARC fails because neither mechanism aligns with your From: header domain. The aggregate RUA report would show this as a simple "fail" — the forensic report shows exactly which sending source and which authentication mechanism caused it.

RUF showsRoot causeFix
dkim=fail "signature verification"DKIM key mismatch or key rotation without DNS updateVerify selector in DNS matches key in MTA config
dkim=pass d=esp.com, dmarc=failESP signing with their domain, not yoursConfigure custom DKIM domain at ESP level
spf=fail, dkim=pass (aligned)SPF failure but DKIM aligned — DMARC should passDMARC passes on DKIM alone; SPF failure is informational only here
Source-IP not in your SPFNew sending source not yet in SPF recordAdd IP to SPF record; check for authorised senders
Auth-Failure: dmarc, p=reject, Delivery-Result: rejectedDMARC rejection of unauthorised senderInvestigate if legitimate or phishing — if phishing, your p=reject is working

Tools for Processing RUF Reports

At low send volume, reading RUF reports manually is feasible. At any scale above 100K messages/month, you need automated processing. Several tools parse DMARC reports — most focus on RUA aggregate data, but some also handle RUF forensic reports.

▶ RUF processing options
1
Dmarcian, Valimail, EasyDMARC — Commercial DMARC processors that handle both RUA and RUF. All provide forensic report parsing and alerting on authentication failures. Recommended for organisations needing dashboards without building custom tooling.
2
mail-dmarc (Perl) or parsedmarc (Python) — Open-source tools for self-hosted DMARC report processing. mail-dmarc handles both RUA and RUF. Run on a server with a dedicated report mailbox and output to a database or dashboard of your choice.
3
Custom Python parser — For teams with specific processing needs, parsing RUF reports in Python is straightforward. The email module handles MIME parsing; extract the message/feedback-report part and parse the key headers. Archive to a database for trend analysis.