DMARC produces two types of reports: aggregate reports (RUA) and forensic reports (RUF). Most senders are familiar with RUA — the daily XML summaries showing authentication pass/fail counts per sending source. RUF forensic reports are less well understood and, when enabled, contain individual message-level data showing exactly which messages failed DMARC and why. This guide covers what RUF reports contain, how to enable and parse them, and how to use forensic data to diagnose authentication failures that aggregate reports cannot fully explain.
RUA vs RUF — Key Differences
RUA (aggregate) and RUF (forensic) reports serve different diagnostic purposes. Understanding when to rely on each prevents confusion when troubleshooting authentication failures.
| Property | RUA (Aggregate) | RUF (Forensic) |
|---|---|---|
| Frequency | Daily (usually 00:00–23:59 UTC) | Per-message — near real-time |
| Content | Pass/fail counts by source IP and envelope domain | Full message headers of the failing message |
| Sent by | Gmail, Yahoo, Microsoft, most major ISPs | Gmail (some), Yahoo (limited), few others |
| GDPR considerations | Low — no personal data in IP/domain counts | High — contains From: address of recipient |
| Use case | Identify new sending sources, track policy compliance rate | Diagnose specific authentication failures |
| Volume | 1 report/day per reporting ISP | 1 report per failing message (can be high volume) |
| File format | XML (gzipped) | Email (MIME, ARF-like format) |
Enabling RUF Forensic Reports
RUF is enabled by adding the ruf= tag to your DMARC record. The value is an email address (or multiple addresses) where forensic reports will be delivered. Unlike RUA, RUF reports are not sent by all ISPs — Gmail sends them selectively, Microsoft does not send them at all, and many smaller ISPs have stopped sending them due to GDPR concerns about including recipient email addresses in reports.
# Full DMARC record with aggregate and forensic reporting _dmarc.yourdomain.com IN TXT "v=DMARC1; p=quarantine; pct=100; adkim=r; aspf=r; rua=mailto:dmarc-rua@yourdomain.com; ruf=mailto:dmarc-ruf@yourdomain.com; fo=1" # Key parameters: # ruf=mailto: → forensic report destination # fo=1 → generate forensic report on ANY auth failure (SPF or DKIM) # fo=0 = only when all mechanisms fail (default, less useful) # fo=1 = any failure (recommended for diagnosis) # fo=d = DKIM failure only # fo=s = SPF failure only # Important: use a SEPARATE mailbox for RUF # RUF volume can be high on large lists — do not mix with operational email # Consider a dedicated processing mailbox: dmarc-ruf@yourdomain.com # Verify the record after publishing: # dig TXT _dmarc.yourdomain.com +short
What a RUF Forensic Report Contains
A RUF report arrives as an email with the subject line "Report Domain: yourdomain.com Submitter: google.com Report-ID: [id]". The body contains the full headers of the original message that failed DMARC, enough context to diagnose exactly why authentication failed.
From: noreply-dmarc-support@google.com
To: dmarc-ruf@yourdomain.com
Subject: Report Domain: yourdomain.com Submitter: google.com
MIME-Version: 1.0
Content-Type: multipart/report; report-type=feedback-report
--boundary-1
Content-Type: text/plain
This is an email abuse report for the following email message.
--boundary-2
Content-Type: message/feedback-report
Feedback-Type: auth-failure
Version: 1
User-Agent: Google; https://support.google.com/a/answer/2466580
Auth-Failure: dmarc ← SPF and DKIM both failed DMARC alignment
Delivery-Result: delivered ← message was still delivered (p=none or quarantine)
Reported-Domain: yourdomain.com ← your From: header domain
Source-IP: 203.0.113.55 ← sending IP that failed
Authentication-Results: mx.google.com;
dkim=fail reason="signature verification failed"; ← DKIM failed
spf=pass smtp.mailfrom=bounce.esp.com; ← SPF passed but for ESP domain
dmarc=fail (p=QUARANTINE) header.from=yourdomain.com ← DMARC failed: SPF domain mismatch
--boundary-3
Content-Type: message/rfc822; charset=US-ASCII
# Original message headers (redacted recipient per some ISP policies):
Received: from mail.esp.com (203.0.113.55) by mx.google.com
From: Newsletter <newsletter@yourdomain.com> ← From: is YOUR domain
DKIM-Signature: v=1; a=rsa-sha256; d=esp.com; ← DKIM signed by ESP domain, not yours!
Return-Path: <bounce@bounce.esp.com> ← Envelope sender is ESP's bounce domain
Diagnosing Authentication Failures from RUF Data
The example above is the single most common authentication failure pattern: SPF passes for the ESP's bounce domain, DKIM is signed by the ESP's domain rather than your domain, and DMARC fails because neither mechanism aligns with your From: header domain. The aggregate RUA report would show this as a simple "fail" — the forensic report shows exactly which sending source and which authentication mechanism caused it.
| RUF shows | Root cause | Fix |
|---|---|---|
| dkim=fail "signature verification" | DKIM key mismatch or key rotation without DNS update | Verify selector in DNS matches key in MTA config |
| dkim=pass d=esp.com, dmarc=fail | ESP signing with their domain, not yours | Configure custom DKIM domain at ESP level |
| spf=fail, dkim=pass (aligned) | SPF failure but DKIM aligned — DMARC should pass | DMARC passes on DKIM alone; SPF failure is informational only here |
| Source-IP not in your SPF | New sending source not yet in SPF record | Add IP to SPF record; check for authorised senders |
| Auth-Failure: dmarc, p=reject, Delivery-Result: rejected | DMARC rejection of unauthorised sender | Investigate if legitimate or phishing — if phishing, your p=reject is working |
Tools for Processing RUF Reports
At low send volume, reading RUF reports manually is feasible. At any scale above 100K messages/month, you need automated processing. Several tools parse DMARC reports — most focus on RUA aggregate data, but some also handle RUF forensic reports.