DMARC forensic reports (RUF) are individual failure reports sent when a message fails DMARC. They contain message headers and sometimes body content from the failed email. In practice, very few mailbox providers send forensic reports due to privacy concerns. Google, Microsoft, and Yahoo don't send them. Rely on aggregate reports (RUA) instead.
DMARC Forensic Reports (RUF): What They Contain and Why They're Mostly Useless
What Forensic Reports Contain
A DMARC forensic report is an individual failure notification. When a message fails DMARC, the receiving server can send a report containing:
- The full email headers of the failed message
- Authentication results (SPF, DKIM, DMARC)
- The From address and envelope sender
- Sometimes a redacted or full copy of the message body
- The DMARC policy that was applied
The report format follows RFC 6591 (Authentication Failure Reporting Using the Abuse Reporting Format) and arrives as an email with an attached report.
The Problem: Almost Nobody Sends Them
Here's the reality of forensic report support:
| Provider | Sends RUF? |
|---|---|
| Gmail / Google | No |
| Microsoft / Outlook | No |
| Yahoo / AOL | No |
| Apple Mail | No |
| No | |
| Most corporate servers | Rarely |
Practitioner note: In the hundreds of DMARC deployments I've done, forensic reports have been useful exactly zero times. The providers that matter don't send them. You'll get maybe a trickle from obscure servers, which tells you almost nothing actionable.
Why Providers Don't Send Them
Privacy. Forensic reports include actual email headers, which contain recipient addresses, subject lines, and routing information. Under GDPR and similar regulations, sending this data to a third party (the domain owner) is problematic.
Volume. For a spoofed domain, there could be thousands or millions of failures. Sending individual reports for each would overwhelm both the sender and recipient.
Cost. Generating per-message reports is expensive compared to aggregating results into daily summaries.
Setting Up RUF (If You Want To)
Add the ruf= tag to your DMARC record:
v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]
You can also add the fo= tag to control when forensic reports are generated:
| fo value | Meaning |
|---|---|
| fo=0 | Report if all authentication fails (default) |
| fo=1 | Report if any authentication fails |
| fo=d | Report if DKIM fails |
| fo=s | Report if SPF fails |
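How the fo= options decide whether a failure report is requested for a single message, as an added example that is not part of the original article. It follows the fo definitions in RFC 7489 (colon-separated values, default 0, ignored when no ruf= tag is present); the function names and the example.com addresses are assumptions.

```python
# Added example. Helper names are hypothetical; the sample records are constructed.
VALID_FO = {"0", "1", "d", "s"}

def parse_dmarc(record):
    """Split a DMARC TXT record into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def active_fo(tags):
    """fo options in effect: default "0", colon-separated, ignored without ruf=."""
    if not tags.get("ruf"):
        return set()
    return {o.strip().lower() for o in tags.get("fo", "0").split(":")} & VALID_FO

def report_triggers(tags, spf_aligned, dkim_aligned, spf_failed, dkim_failed):
    """Return the fo options that request a failure report for one message.

    spf_aligned / dkim_aligned: mechanism produced an aligned pass.
    spf_failed / dkim_failed: mechanism failed evaluation, alignment aside.
    """
    opts, hits = active_fo(tags), set()
    if "0" in opts and not (spf_aligned or dkim_aligned):
        hits.add("0")
    if "1" in opts and not (spf_aligned and dkim_aligned):
        hits.add("1")
    if "d" in opts and dkim_failed:
        hits.add("d")
    if "s" in opts and spf_failed:
        hits.add("s")
    return hits

if __name__ == "__main__":
    # Constructed message: SPF passes aligned, the DKIM signature fails.
    msg = dict(spf_aligned=True, dkim_aligned=False, spf_failed=False, dkim_failed=True)
    base = "v=DMARC1; p=none; ruf=mailto:ruf@example.com"
    for rec in (base, base + "; fo=1:d", "v=DMARC1; p=none; fo=1"):
        print(rec, "->", sorted(report_triggers(parse_dmarc(rec), **msg)))
```

With the default fo=0 the sample message requests no report because SPF still produced an aligned pass, while fo=1:d requests one on both counts.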
What to Use Instead
Aggregate reports (RUA) are the backbone of DMARC monitoring. Every major provider sends them. They tell you:
- Which IPs send email as your domain
- Whether authentication passes or fails
- Volume per sender
Use a DMARC monitoring tool to parse and visualize aggregate reports. This gives you everything you need to manage your DMARC policy.
Practitioner note: If you need message-level failure data, look at your own sending logs rather than waiting for forensic reports that will never arrive. Your ESP and mail server logs contain more detail than any RUF report would.
If you're trying to investigate DMARC failures and aggregate reports aren't giving you enough detail, I can help analyze your authentication data and trace specific failure patterns.
Sources
- RFC 7489: Domain-based Message Authentication (DMARC)
- RFC 6591: Authentication Failure Reporting Using the Abuse Reporting Format
- dmarcian: DMARC Forensic Reports
- Google: About DMARC reports
v1.0 · April 2026
Frequently Asked Questions
What is a DMARC forensic report?
A forensic report (RUF) is a per-message failure report sent to the address in your DMARC ruf= tag. It contains headers and metadata from individual messages that failed DMARC authentication.
Does Gmail send DMARC forensic reports?
No. Google does not send DMARC forensic reports. Neither does Microsoft or Yahoo. Very few major providers send them.
What's the difference between RUA and RUF?
RUA (aggregate) reports are daily summaries showing all authentication results in aggregate. RUF (forensic) reports are individual message-level reports for specific failures. RUA is widely supported; RUF is not.
Should I set up ruf= in my DMARC record?
You can, but don't expect much data. Most major providers ignore the ruf= tag. Your time is better spent analyzing RUA aggregate reports.
Are forensic reports a privacy concern?
Yes. Forensic reports can contain email headers and body content, which may include personal information. This is the main reason most providers stopped sending them.