DMARC Forensic Reports (ruf)

Security Glossary - Email Authentication

Definition: DMARC forensic reports (ruf) are detailed reports about individual emails that fail DMARC authentication. Unlike aggregate reports that provide statistics, forensic reports include information about specific failed messages including headers and sometimes message content. They are configured via the ruf tag in the DMARC record.

The Importance of DMARC Forensic Reports

Forensic reports provide granular detail about DMARC failures that aggregate reports do not. While an aggregate report tells you that 50 emails from a certain IP failed DMARC, a forensic report shows the actual headers of those messages - revealing what the From, Return-Path, and Subject were, and exactly which authentication checks failed.

This detail is valuable for diagnosing authentication problems. If a legitimate email service is failing DMARC, forensic reports show exactly which messages are affected and why. They also help identify targeted phishing campaigns by showing the content of spoofed messages.

However, forensic reports have significant limitations. Many major email providers (including Google) do not send them due to privacy concerns - the reports can contain personal data from email headers and content. Microsoft sends redacted forensic reports. Because of this inconsistency, aggregate reports (rua) are the primary source of DMARC data, and forensic reports (ruf) are a supplementary tool.

Testing Your Configuration

Add a ruf tag to your DMARC record: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc-forensic@yourdomain.com. Note that many receivers will not send forensic reports regardless of this configuration.
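To check a record like the one above before publishing it, the following added example (not DomainOptic code) parses the record and reviews where forensic reports would be delivered. It goes a little beyond the text: it flags a ruf mailbox that is shared with rua, and a ruf destination outside the domain, which RFC 7489 section 7.1 requires the destination to authorize with its own DNS record. The function names and the vendor.example record are assumptions made for illustration.

```python
# Added example: review the ruf/rua tags of a DMARC record (hypothetical helper names).

def parse_dmarc(record):
    """Split a DMARC TXT record into a {tag: value} dict."""
    pairs = [p.partition("=") for p in record.split(";") if "=" in p]
    tags = {name.strip().lower(): value.strip() for name, _, value in pairs}
    # RFC 7489: the v tag must come first and be exactly "DMARC1".
    if not pairs or pairs[0][0].strip().lower() != "v" or tags["v"] != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def report_addresses(tags, tag):
    """Return the mailto: addresses listed in a rua or ruf tag."""
    addresses = []
    for uri in tags.get(tag, "").split(","):
        uri = uri.strip().split("!", 1)[0]  # drop optional size limit such as !10m
        if uri.lower().startswith("mailto:"):
            addresses.append(uri[len("mailto:"):].lower())
    return addresses


def review_ruf(domain, record):
    """Return findings about where forensic reports for `domain` would go."""
    tags = parse_dmarc(record)
    ruf = report_addresses(tags, "ruf")
    if not ruf:
        return ["no ruf tag: forensic reports are not requested"]
    findings = []
    rua = report_addresses(tags, "rua")
    for address in ruf:
        if address in rua:
            findings.append(f"{address}: also the rua mailbox; per-message data "
                            "lands where aggregate reports are read")
        dest = address.rsplit("@", 1)[-1]
        # Simplification: suffix match instead of an Organizational Domain lookup.
        if dest != domain and not dest.endswith("." + domain):
            findings.append(f"{address}: external destination; it must publish "
                            f'{domain}._report._dmarc.{dest} TXT "v=DMARC1"')
    return findings


# The record from the text above, then a constructed one with an external mailbox.
PAGE_RECORD = ("v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; "
               "ruf=mailto:dmarc-forensic@yourdomain.com")
EXTERNAL_RECORD = "v=DMARC1; p=none; ruf=mailto:reports@vendor.example!10m"

if __name__ == "__main__":
    for rec in (PAGE_RECORD, EXTERNAL_RECORD):
        print(review_ruf("yourdomain.com", rec) or "ruf destinations look fine")
```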

DMARC Forensic Reports FAQ

Will I receive forensic reports from Gmail?
No. Google does not send DMARC forensic reports due to privacy concerns. Microsoft sends redacted reports (with recipient information removed). Smaller email providers may send full forensic reports. Rely primarily on aggregate reports for DMARC monitoring.

Are forensic reports a privacy risk?
They can be, since they may contain email headers and content. This is why many providers do not send them. If you enable ruf, ensure the receiving mailbox is secured and access is limited to authorized personnel.

Disclaimer: DomainOptic provides automated informational scans only. Results do not constitute professional security advice, compliance certification, or a guarantee of security. Always verify findings independently.