DMARCbis-ready · The 2026 standard

What is a DMARC forensic report? (RUF)

DMARC defines two report types. Aggregate reports are the daily summaries everyone relies on. Forensic reports are the per-message samples that sounded useful and then mostly stopped existing.

Definition

A forensic report (the standard calls it a failure report; RUF stands for Reporting URI for Failure data) is a notice generated for an individual message that failed DMARC, sent to the address in your record's ruf= tag. Unlike the counts-only aggregate report, a failure report can carry the failing message's headers, and sometimes a redacted copy of the message itself.

Why almost nobody sends them

A report that includes headers or content from a real message is, potentially, a copy of someone's private email delivered to a third party. After GDPR and similar privacy regimes, most large providers concluded the legal exposure was not worth it: Google and Microsoft, among others, do not send forensic reports at all. The handful of receivers that still do typically redact heavily. Publishing a ruf= address is harmless, but expect a trickle at most, skewed toward smaller receivers.

Do you need ruf= at all?

For most domains, no. Enforcement decisions are made on aggregate data: which senders fail, at what volume, from where. The rare argument for ruf= is incident forensics, where a single sample of a live phishing campaign has investigative value. If you do publish one, point it at a mailbox you control operationally (samples can contain hostile content) and treat whatever arrives as a bonus, never as coverage. Your real visibility is the RUA stream.

Keep reading

Last verified 2026-07-10.

Stop guessing. Start monitoring.

Free for one domain. Set up in five minutes. We parse the reports; you read plain-English summaries.