Suped

What could cause a DMARC RUF alert when DKIM/SPF are aligned and DMARC is set to p=none?

8 Marketer opinions2 Expert opinions3 Technical articles2 Resources

Summary

Even when a DMARC policy is set to 'p=none', RUF (forensic) reports can still be generated if authentication checks fail. The 'p=none' policy only dictates how receiving mail servers handle messages, not whether they generate reports. These failures can arise from various factors, including: the location of the DMARC record relative to subdomains, false positives from ISPs, misaligned 'MAIL FROM' addresses in SPF records, mismatches between the 'From:' header domain and DKIM/SPF domains, potential spoofing attempts, and configuration issues related to SPF and DKIM. Analyzing RUF reports and checking authentication headers are vital for identifying the root cause. It is important to consider the influence of 'fo' tag and subdomain alignment.

Key findings

  • RUF Reports and 'p=none': RUF reports are generated based on authentication failures, independent of the DMARC policy.
  • Multiple Failure Causes: Failures can stem from DMARC record placement, false positives, SPF/DKIM misalignment, header mismatches, and subdomain issues.
  • Importance of RUF Analysis: Analyzing RUF reports is crucial to pinpoint the specific reasons for authentication failures.

Key considerations

  • Check DMARC Placement: Verify the DMARC record's location, considering subdomains and organizational domain.
  • Inspect Authentication Headers: Thoroughly examine Authentication-Results headers for SPF/DKIM passing and alignment.
  • Investigate SPF/DKIM: Scrutinize SPF and DKIM configurations for misalignments or misconfigurations.
  • Address 'From:' Header Issues: Ensure 'From:' header domain matches DKIM/SPF domains, accounting for alignment mode.
  • Consider 'fo' Tag: Take the 'fo' tag into account, as it determines when forensic reports are triggered.

What email marketers say
8Marketer opinions

Even with a DMARC policy set to 'p=none,' RUF (forensic) reports can still be generated due to authentication failures. These failures can stem from various sources, including false positives from ISPs, misaligned 'MAIL FROM' addresses in SPF records, mismatches between the 'From:' header domain and DKIM/SPF domains, misconfigured SPF or DKIM records, and issues related to subdomain alignment with the organizational domain DMARC record. Analyzing RUF reports and checking authentication headers is essential to pinpoint the root cause.

Key opinions

  • RUF Reports and p=none: RUF reports are generated based on authentication failures, irrespective of the DMARC policy (p=none, quarantine, reject).
  • False Positives: Some ISPs may generate false positive failure reports, potentially ignoring the 'fo' tag.
  • SPF Alignment: A failing SPF record, even with passing DKIM, can trigger a DMARC failure if the 'MAIL FROM' address doesn't align with the SPF record's domain.
  • Header Mismatches: The 'From:' header domain not matching the DKIM or SPF domains, especially with strict alignment, can cause DMARC failures.
  • Subdomain Alignment: Subdomain authentication passing might not align with the organizational domain's DMARC record, particularly with `FO=1`, leading to reports.

Key considerations

  • Check Authentication Headers: Carefully examine Authentication-Results headers to verify SPF and DKIM passing and alignment.
  • Review RUF Reports: Analyze RUF reports to identify the specific reasons for authentication failures, including source IP addresses and authentication results.
  • Inspect 'fo' Tag: Check the 'fo' tag value in the DMARC record to understand when forensic reports are triggered.
  • Verify Domain Alignment: Ensure the 'From:' domain aligns with the DKIM and SPF domains, considering the alignment mode (strict or relaxed) in the DMARC record.
  • Monitor for Spoofing: Investigate source IP addresses in RUF reports to identify potential unauthorized sending sources and spoofing attempts.
Marketer view

Email marketer from MXToolbox mentions that RUF reports indicate a forensic failure, independent of the DMARC policy. The reports are triggered when a message fails SPF and/or DKIM authentication. The 'p=none' setting only affects how the receiving mail server handles the message (acceptance), not whether a failure report is generated.

July 2024 - MXToolbox
Marketer view

Email marketer from EmailSecurityBlog explains that the RUF reports provide insight to the specific reasons for authentication failures. The RUF reports can expose misconfigurations in SPF or DKIM, or highlight potential spoofing attempts. Analyze the source IP addresses, the 'From:' header, and the authentication results to understand the root cause.

May 2022 - EmailSecurityBlog
Marketer view

Marketer from Email Geeks shares that Yahoo does provide Failure reports, but only if the user has one of two particular DMARC reporting platforms with a special feed from them.

December 2021 - Email Geeks
Marketer view

Email marketer from EmailGeek explains it could be that your subdomain passing authentication is not aligned with the org domain DMARC record when using `FO=1` which means any failure will send a report.

September 2022 - EmailGeek
Marketer view

Email marketer from Mailhardener shares that if the SPF record is failing even though DKIM is passing, it could indicate that the 'MAIL FROM' address used during the SMTP transaction doesn't align with the domain specified in the SPF record, triggering a DMARC failure. Also, if you have set fo=1 it means any failure will send a report - so check this value in the DMARC record. It is important to review the RUF report to understand the exact reason for the failure.

March 2022 - Mailhardener
Marketer view

Email marketer from Reddit explains that even with 'p=none', a RUF report can be triggered if the Authentication-Results header shows a DMARC failure. Check the headers to ensure both SPF and DKIM are passing and aligned. Also, investigate the source IP address in the RUF report to identify any potential unauthorized sending sources.

September 2023 - Reddit
Marketer view

Email marketer from StackOverflow suggests that the issue might stem from the 'From:' header domain not matching the DKIM or SPF domains. Check the alignment modes for DKIM and SPF in your DMARC record. Even if DKIM passes, if the 'From:' domain is different and the alignment is set to strict, it can cause a DMARC failure and trigger a report.

April 2021 - StackOverflow
Marketer view

Marketer from Email Geeks explains that there can be many false positives in failure reporting and that some ISPs who provide failure reports don't respect the indicated "fo" tag, leading to confusion.

September 2022 - Email Geeks

What the experts say
2Expert opinions

Even with a DMARC policy set to 'p=none', RUF reports can be generated if authentication checks fail. One potential cause is related to the location of the DMARC record relative to subdomains and organizational domains. Additionally, RUF reports should be examined for insights into authentication failures, which could include misconfigured SPF or DKIM records or potential spoofing attempts. The 'p=none' policy is primarily for monitoring and does not prevent report generation on authentication failure.

Key opinions

  • RUF reports despite p=none: RUF reports are generated even when the DMARC policy is set to 'p=none' if authentication checks fail.
  • DMARC Record Location: The location of the DMARC record in relation to subdomains and organizational domains can be a factor.
  • Authentication Failure Causes: Authentication failures triggering RUF reports could stem from misconfigured SPF or DKIM records or potential spoofing attempts.

Key considerations

  • Examine RUF Reports: Carefully examine the RUF reports to understand the specific reasons for authentication failures.
  • Check DMARC Record Location: Verify the DMARC record is correctly placed with respect to subdomains and the organizational domain.
  • Review SPF/DKIM Configuration: Review the configuration of SPF and DKIM records to ensure they are properly set up and aligned.
Expert view

Expert from Spam Resource explains that even with a DMARC policy of 'p=none', RUF reports are still generated if authentication checks fail. The purpose of 'p=none' is to monitor and gather data without actively rejecting or quarantining messages. It suggests examining the RUF reports to identify the specific reasons for the authentication failures, such as misconfigured SPF or DKIM records or potential spoofing attempts.

August 2021 - Spam Resource
Expert view

Expert from Email Geeks suggests the location of the DMARC record in relation to subdomain vs. the organizational domain is the first place to check when receiving RUF alerts from Yahoo.

December 2023 - Email Geeks

What the documentation says
3Technical articles

Despite a DMARC policy of 'p=none', RUF (forensic) reports can still be generated. This is because RUF report generation is independent of the DMARC policy. These reports are intended for detailed analysis of individual message authentication failures and provide message-level information to domain owners, helping them to identify and address underlying issues.

Key findings

  • RUF Reports and p=none: RUF reports are triggered by authentication failures, irrespective of the DMARC policy (p=none, quarantine, reject).
  • Policy Independence: RUF report generation is independent of the DMARC policy enacted.
  • Detailed Analysis: RUF reports are designed for detailed analysis of individual message authentication failures, offering message-level information.

Key considerations

  • Analyze RUF Reports: Domain owners should analyze RUF reports to understand the specific reasons for authentication failures.
  • Address Underlying Issues: Use the information in the RUF reports to identify and address the underlying issues causing authentication failures.
  • Review 'ruf' Tag: Ensure the 'ruf' tag in the DMARC record is correctly configured to receive RUF reports.
Technical article

Documentation from RFC 7489 explains that RUF reports (forensic reports) are intended for detailed analysis of individual message authentication failures. These are different from aggregate reports and provide message-level information, and generation is not directly tied to the DMARC policy enacted (p=none, quarantine, reject).

May 2023 - RFC Editor
Technical article

Documentation from Google Workspace Admin Help shares that RUF reports are triggered independently of the DMARC policy. Receiving servers may send RUF reports to the address specified in the DMARC record's 'ruf' tag to provide detailed information about authentication failures, helping domain owners identify and address issues.

April 2022 - Google Workspace Admin Help
Technical article

Documentation from DMARC.org explains that even with a 'p=none' policy, RUF (forensic) reports can still be generated when a message fails DMARC authentication. This is because the 'p=none' policy only dictates how the receiving mail server should treat the message, not whether it should generate reports. RUF reports are triggered by authentication failures, regardless of the policy.

April 2022 - DMARC.org

Related resources
2Resources

SPF Alignment question : r/DMARC
SPF Alignment question : r/DMARC

Posted by u/Columbo1 - 5 votes and 12 comments

Reddit
Email alerts after adding DMARC entry - Networking - Spiceworks ...
Email alerts after adding DMARC entry - Networking - Spiceworks ...

Hi everyone. I recently added a dmarc record for someone after one of their intended recipients reported not receiving their emails and their admin pointed out a dmarc record was required to get passed their spam filter. Seemed simple enough so I made the change + duplicated it on one of my domains as I try to do in order to see potential issue asap. All on my domain has been fine, however the user forwarded several emails they received about it shortly after the change. They came from the likes...

Spiceworks Community

Related questions