DMARC Failure (RUF) Reports
What are DMARC Failure Reports (RUF)?
DMARC failure reports, historically known as forensic reports, are generated when a message using your domain fails DMARC authentication on the receiver's end (that is, it fails to produce an SPF or DKIM result aligned with your domain). This includes both legitimate mail of yours that is misconfigured and fraudulent mail sent by someone spoofing your domain. Failure reports are therefore valuable for analysing and detecting domain spoofing and brand impersonation attempts. With the publication of RFC 9991 in May 2026, failure reporting has its own dedicated specification, and "failure report" is now the formal term.
When are DMARC Failure Reports generated?
If you have failure reporting enabled, a report is generated almost immediately after a receiver detects a DMARC failure for a message using your domain, rather than waiting for the daily aggregate report. Failure reports contain more detail about the individual failed message than aggregate reports do, which helps you tell whether the failure came from mail you intended to send or from an unauthorized party spoofing your domain.
What format are DMARC Failure Reports in?
DMARC failure reports are sent in the Abuse Reporting Format (ARF), a standard email-based format defined for reporting authentication failures. This has always been the underlying format, but RFC 9991 now specifies it formally and tightens what each report must contain, which makes reports more consistent across the receivers that still send them.
A DMARC failure report is itself an email, and it carries a set of ARF header fields describing the failure. Under RFC 9991, the key fields include:
- Identity-Alignment (required): a comma-separated list of the authentication mechanisms (dkim, spf) that failed to produce an aligned result, or the value "none" if all of them aligned successfully. This tells you at a glance what went wrong.
- DKIM-Domain, DKIM-Identity, and DKIM-Selector (required when reporting a DKIM failure of an aligned identifier): these identify the signing domain, identity, and selector involved, giving you precise visibility into which DKIM key was at play.
- SPF-DNS (required when reporting an SPF failure of an aligned identifier): records the relevant SPF lookup detail.
- Auth-Failure (with the failure type set to dmarc): RFC 9991 introduced "dmarc" as a formal failure type, used when a report is generated specifically because authentication failed to produce an aligned identifier, as opposed to the underlying SPF or DKIM check failing on its own.
Alongside these fields, a report typically includes as much of the original message's headers, and sometimes its body, as the receiver's privacy policy allows, so you can diagnose the failure. Because that content can include personally identifiable information, RFC 9991 also expects report generators to apply redaction, rate limiting, and secure transport, which is one reason many large providers limit or disable failure reporting entirely.
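As an added example (not part of the original page, and not code from any DMARC tool), the Python function below parses a failure report with the standard library, pulls out the ARF fields described above, and flags any conditionally required field that is absent. The sample report, its addresses, and the names `triage_failure_report` and `REQUIRED_WHEN` are constructed for illustration.

```python
import email

# Constructed, trimmed sample (documentation domains/IPs); SPF-DNS is left out on purpose.
SAMPLE_REPORT = """\
From: reports@receiver.example
Content-Type: multipart/report; report-type=feedback-report; boundary="b1"

--b1
Content-Type: text/plain

DMARC failure report for a message received from 192.0.2.1.
--b1
Content-Type: message/feedback-report

Feedback-Type: auth-failure
Auth-Failure: dmarc
Identity-Alignment: dkim, spf
DKIM-Domain: example.com
DKIM-Identity: @example.com
DKIM-Selector: s1
--b1
Content-Type: text/rfc822-headers

From: Billing <billing@example.com>
--b1--
"""

# Fields this page lists as required when the named mechanism is reported as failed.
REQUIRED_WHEN = {"dkim": ("DKIM-Domain", "DKIM-Identity", "DKIM-Selector"),
                 "spf": ("SPF-DNS",)}

def triage_failure_report(raw):
    """Extract the ARF fields and list required fields that are absent."""
    msg = email.message_from_string(raw)
    part = next((p for p in msg.walk()
                 if p.get_content_type() == "message/feedback-report"), None)
    if part is None:
        raise ValueError("no message/feedback-report part found")
    # The stdlib parser exposes a message/* body as a nested message; its headers are the ARF fields.
    payload = part.get_payload()
    fields = payload[0] if isinstance(payload, list) else email.message_from_string(payload)
    alignment = fields.get("Identity-Alignment")
    mechs = [m.strip().lower() for m in (alignment or "").split(",")]
    failed = [m for m in mechs if m and m != "none"]
    missing = [] if alignment is not None else ["Identity-Alignment"]
    for mech in failed:
        missing += [f for f in REQUIRED_WHEN.get(mech, ()) if f not in fields]
    return {"auth_failure": fields.get("Auth-Failure"), "failed": failed,
            "dkim_selector": fields.get("DKIM-Selector"), "missing": missing}
```

A non-empty `missing` list marks a report that lacks detail the page describes as required, which is worth knowing before relying on it to attribute a failure.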
How to start receiving DMARC RUF Reports
To start receiving failure reports, you need to modify your DMARC record to include a ruf tag:
tag: ruf=mailto:[email protected]
Record Example: v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=0:1:d:s;
NOTE: Failure reports can contain header fields and sometimes the entire body of a failed message, which may include personally identifiable information (PII). RFC 9991 places strong emphasis on this, recommending redaction of sensitive data, secure transport, and rate limiting when generating reports. As a domain owner you should weigh these privacy implications before requesting failure reports, and where possible protect the reports you receive, for example by encrypting them.
Why don't some domain owners receive DMARC Failure Reports?
If you have failure reporting enabled but receive few or no reports, the most common reason is simply that most major mailbox providers, including Google, Microsoft, and Yahoo, no longer send failure reports at all, largely due to the privacy concerns above. Receiving no failure reports does NOT mean your domain is safe from spoofing or that all your mail is compliant. To understand your actual authentication and spoofing picture, you should rely on aggregate (RUA) reports, which nearly all receivers do send and which give you a complete view of pass and fail activity across your domain.