DMARC Forensic (RUF) Reports

What are DMARC Failure/Forensic Reports (RUF)? 

DMARC failure (forensic) reports are generated when emails sent from your domain fail SPF or DKIM alignment and therefore fail DMARC authentication on your receiver’s end. These reports are important for analyzing and detecting domain spoofing activities and attempts at brand impersonation by fraudsters.

When are DMARC Forensic Reports generated? 

If you have DMARC enabled for your domain, a DMARC forensic report will be sent whenever your emails fail DMARC authentication on your receiver’s end. It usually highlights a forensic incident such as an unauthorized IP trying to spoof your domain. 

How to start receiving DMARC RUF Reports?

In order to start receiving forensic reports in your inbox, you need to modify your DMARC record to include a RUF tag:

ruf=mailto:[email protected]

 

Record Example: v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=0:1:d:s;
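
The following is an added example, not part of the original course page: it parses a DMARC record and audits its failure-reporting tags, listing the ruf mailboxes, checking each fo option against the values RFC 7489 defines, and flagging report destinations outside the policy domain, which receivers honour only when that destination publishes an authorization record. The function names, the sample addresses and the direct name comparison (rather than an Organizational Domain lookup) are assumptions of this example.

```python
# Added example: audit the failure-reporting (ruf/fo) tags of a DMARC record.
FO_MEANING = {
    "0": "report when all mechanisms fail to yield an aligned pass (default)",
    "1": "report when any mechanism yields other than an aligned pass",
    "d": "report on DKIM signature failure, regardless of alignment",
    "s": "report on SPF failure, regardless of alignment",
}

def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: v=DMARC1 missing")
    return tags

def audit_ruf(policy_domain, record):
    """Return (ruf mailboxes, fo options, findings) for one record."""
    tags = parse_dmarc(record)
    findings = []
    uris = [u.strip() for u in tags.get("ruf", "").split(",") if u.strip()]
    mailboxes = []
    for uri in uris:
        if not uri.lower().startswith("mailto:"):
            findings.append(f"unsupported ruf URI scheme: {uri}")
            continue
        # Drop the optional '!<size>' suffix DMARC allows on report URIs.
        mailboxes.append(uri[len("mailto:"):].split("!", 1)[0])
    if not mailboxes:
        findings.append("no usable ruf address: no failure reports will be requested")
    fo = [o.strip().lower() for o in tags.get("fo", "0").split(":") if o.strip()]
    for opt in fo:
        if opt not in FO_MEANING:
            findings.append(f"unknown fo option: {opt}")
    if "fo" in tags and not mailboxes:
        findings.append("fo is set but has no effect without ruf")
    pd = policy_domain.lower().rstrip(".")
    for box in mailboxes:
        dest = box.rsplit("@", 1)[-1].lower()
        # Simplification: compares names directly, not Organizational Domains.
        if dest != pd and not dest.endswith("." + pd):
            findings.append(f"external destination {dest}: it must publish TXT "
                            f"'v=DMARC1' at {pd}._report._dmarc.{dest}")
    return mailboxes, fo, findings

# Constructed sample record using the page's fo=0:1:d:s setting.
SAMPLE = ("v=DMARC1; p=none; rua=mailto:agg@example.com; "
          "ruf=mailto:forensic@reports.example.net; fo=0:1:d:s;")
```

Calling `audit_ruf("example.com", SAMPLE)` returns the ruf mailbox, the four fo options, and one finding naming the authorization record the external report destination has to publish.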

 

NOTE: DMARC Forensic Reports occasionally contain information from the body of the email itself, potentially revealing some sensitive and private information. To mitigate this, you should encrypt your RUF Reports with a private key.

 

Why don’t some domain owners receive DMARC Forensic Reports?

If you haven’t received any DMARC forensic reports, it may be because not all receivers support DMARC forensic reports. However, if you have it enabled for your domain and still have not received any reports, it just means that all your outbound emails have been DMARC authenticated and approved, and have been 100% DMARC compliant (successfully aligned against SPF/DKIM). Your domain has been safe from spoofing activities so far, so no forensic incident has been triggered.
