What information is contained in DMARC RUA and RUF reports?

Summary

DMARC RUA (Aggregate) reports provide a high-level overview of email authentication results, including SPF, DKIM, and DMARC pass/fail rates, enabling domain owners to understand their email authentication landscape and monitor compliance. These reports contain aggregated data about email traffic, including source IPs and authentication status, and can identify unauthorized use of domains. Microsoft RUA reports include the 'envelope_to' and 'envelope_from' domains. DMARC RUF (Forensic) reports, while less common, offer detailed information about individual emails failing authentication, such as headers and potentially message bodies, aiding in identifying and resolving authentication issues and potential spoofing attacks. However, RUF reports raise privacy concerns, are not widely supported, and should not be solely relied upon. The RFC7489 documentation specifies the structure and contents of RUA and RUF reports including RUA containing `<feedback>`, `<report_metadata>`, `<policy_published>`, and one or more `<record>` blocks and RUF containing the failed message as an attachment in `message/rfc822` format

Key findings

  • RUA Report Purpose: RUA reports provide an aggregated view of email authentication results, aiding in understanding email authentication landscape and monitoring compliance.
  • RUA Report Content: RUA reports contain data on email traffic, source IPs, and authentication status, enabling identification of unauthorized domain use and that Microsoft RUA reports include 'envelope_to' and 'envelope_from' domains.
  • RUF Report Purpose: RUF reports offer detailed information about individual emails failing authentication, assisting in diagnosing and resolving authentication issues and potential spoofing attacks.
  • RUF Report Limitations: RUF reports raise privacy concerns and are not widely supported, limiting their reliability.
  • Email contents: Email contents are NOT included in DMARC reports.
  • RFC7489 Specifies: The RFC7489 documentation specifies the structure and contents of RUA and RUF reports.

Key considerations

  • RUA Report Utilization: Utilize RUA reports to monitor email authentication status, identify trends, and detect unauthorized use of domains.
  • RUF Report Caution: Exercise caution when using RUF reports due to privacy concerns and limited support, and use them in conjunction with other data sources.
  • DMARC Reporting Service: Consider using a DMARC reporting service for analyzing RUA reports effectively.
  • RFC7489: Consult RFC7489 for report formats.

What email marketers say
10Marketer opinions

DMARC Aggregate (RUA) reports offer insights into email authentication status, including SPF, DKIM, and DMARC pass/fail rates, helping identify unauthorized domain usage. They contain data on email traffic sources, sending IPs, and authentication results. Microsoft RUA reports specifically include 'envelope_to' and 'envelope_from' domains. Forensic (RUF) reports, though less common, can provide detailed information on individual email failures, such as headers and message bodies, aiding in diagnosing authentication issues and identifying spoofing attempts. However, RUF reports raise privacy concerns and are not widely supported.

Key opinions

  • RUA Report Content: RUA reports provide aggregated data on email authentication, revealing SPF, DKIM, and DMARC pass/fail rates.
  • RUA Report Insights: RUA reports help identify email traffic sources, sending IPs, and the authentication status of emails from third-party services.
  • Microsoft RUA specifics: Microsoft RUA reports include 'envelope_to' and 'envelope_from' domains, offering more granular details.
  • RUF Report Content: RUF reports, when available, offer forensic information about individual emails that failed authentication, potentially including headers and message bodies.
  • RUF Report Limitations: RUF reports are not widely supported due to privacy concerns and the potential for abuse, limiting their reliability.

Key considerations

  • RUA for Monitoring: RUA reports are essential for monitoring email authentication status and identifying unauthorized use of your domain.
  • RUF for Troubleshooting: RUF reports can assist in diagnosing authentication issues and identifying spoofing attempts, but their limited availability should be considered.
  • Data Analysis: Consider using a DMARC reporting service to analyze RUA report data effectively, as these reports can be complex.
  • Privacy Implications: Be aware of the privacy implications and potential risks associated with RUF reports, particularly regarding the exposure of personally identifiable information.
  • Third-Party Services: Use RUA data to ensure third-party services sending emails on your behalf are properly authenticating those emails and complying with your DMARC policy.
Marketer view

Email marketer from EasyDMARC.com shares that DMARC RUA reports are essential for monitoring your email authentication status and ensuring that your legitimate emails are being properly authenticated. They help you identify any unauthorized use of your domain and take corrective action.

December 2022 - EasyDMARC.com
Marketer view

Email marketer from Valimail explains that DMARC Forensic Reports (RUF) contain copies of individual emails that failed authentication. This data helps diagnose and resolve authentication issues, as well as identify potential spoofing and phishing attacks.

January 2022 - Valimail.com
Marketer view

Email marketer from mailhardener, states that RUF reports provide information such as sending IP address, envelope from and envelope to addresses, the subject and even a copy of the email body. Note that RUF reports can expose personally identifiable information, RUF is not widely adopted.

May 2024 - mailhardener.com
Marketer view

Email marketer from Reddit explains that RUA reports can be incredibly helpful in understanding where your email traffic is coming from, which services are sending email on your behalf, and whether those services are properly authenticating your email. The reports contain the source IPs.

November 2022 - Reddit
Marketer view

Email marketer from EasyDMARC.com explains that while DMARC RUF reports provide detailed information about individual email failures, they are not widely supported by email providers due to privacy concerns and the potential for abuse. Therefore, relying solely on RUF reports may not provide a complete picture of your email authentication landscape.

April 2021 - EasyDMARC.com
Marketer view

Marketer from Email Geeks explains that Microsoft RUA reports include the “envelope_to” and “envelope_from” domains (but not the local parts of the addresses) in the “identifiers” section of each record, while other large mailbox providers do not. They also added that Almost nobody sends RUF reports

April 2021 - Email Geeks
Marketer view

Email marketer from Valimail.com shares that DMARC Aggregate Reports (RUA) offer an organized view of your DMARC compliance. These reports are generated and sent by email receivers (ISPs) to the address specified in your DMARC record, providing insight into the authentication status of emails using your domain.

September 2021 - Valimail.com
Marketer view

Marketer from Email Geeks mentions that “envelope_from” should/would be the same as the “domain” in the SPF auth_result section, and the “envelope_to” is captured by the report name, with one report per recipient domain.

October 2021 - Email Geeks
Marketer view

Email marketer from StackExchange recommends using a DMARC reporting service that analyses the data provided in RUA reports. Also it is important to consider that very few email providers actually send RUF reports.

December 2021 - StackExchange
Marketer view

Email marketer from mailhardener, shares that DMARC RUA can show you which third-party services and IPs are sending emails that use your domain, and helps you determine whether those emails are properly authenticated and aligned with your DMARC policy.

April 2024 - mailhardener.com

What the experts say
6Expert opinions

DMARC reports come in two primary forms: RUA (Aggregate) and RUF (Forensic). RUA reports offer a high-level, aggregated view of email authentication results, including SPF, DKIM, and DMARC pass/fail rates. This helps domain owners understand the overall authentication landscape of their email traffic and identify potential issues. RUF reports, on the other hand, are more granular, containing forensic information about individual emails that failed authentication. This may include message headers and potentially the message body. However, RUF reports are rarely implemented due to privacy concerns and are not a reliable source of information.

Key opinions

  • RUA Report Focus: RUA reports provide an aggregated overview of email authentication results (SPF, DKIM, DMARC pass/fail rates).
  • RUA Report Benefit: RUA reports help domain owners understand the authentication landscape of their email traffic.
  • RUF Report Focus: RUF reports, if available, contain forensic details about individual emails that failed authentication (headers, body).
  • RUF Report Drawbacks: RUF reports are rarely implemented due to privacy concerns and are not a reliable information source.
  • Email content: Email contents are NOT included in DMARC reports.

Key considerations

  • RUA for High-Level Monitoring: Use RUA reports to gain a high-level understanding of your email authentication performance.
  • RUF for Troubleshooting (If Available): If RUF reports are available, use them cautiously for troubleshooting individual authentication failures, being mindful of privacy implications.
  • RUF Reliability: Don't rely solely on RUF reports for a complete picture of your email authentication, as they are rarely implemented.
Expert view

Expert from Email Geeks confirms that email contents are not included in DMARC reports, but that the to: address can be determined.

August 2021 - Email Geeks
Expert view

Expert from Spam Resource explains that RUA reports provide aggregated data about email authentication results, including SPF, DKIM, and DMARC pass/fail rates, helping domain owners understand the authentication landscape of their email traffic.

April 2023 - Spam Resource
Expert view

Expert from Spam Resource clarifies that RUF reports, if implemented, contain forensic information about emails failing authentication, including message headers and potentially the message body, enabling identification of the source and nature of the authentication failures. However, they are rarely used in practice.

March 2025 - Spam Resource
Expert view

Expert from Word to the Wise clarifies that RUF reports(forensic reports) contain details of individual emails that failed authentication. This can include message headers and a portion of the email body. This level of detail is not very common.

July 2024 - Word to the Wise
Expert view

Expert from Word to the Wise explains that RUA reports (Aggregate reports) provides a high-level view of how your email is being handled, this helps domain owners understand the authentication status of their email.

January 2025 - Word to the Wise
Expert view

Expert from Email Geeks states that DMARC RUA reports do not contain the information requested. They clarify that RUF reports might contain more identifying information, but are rarely used.

May 2024 - Email Geeks

What the documentation says
6Technical articles

DMARC reports come in two types: RUA (Aggregate) and RUF (Forensic). RUA reports provide a high-level daily summary of email traffic, including percentages of messages passing or failing SPF, DKIM, and DMARC checks. They allow domain owners to understand how their email is being authenticated and identify authentication issues. RUF reports, also known as failure reports, contain detailed information about individual emails failing DMARC checks, including source IP addresses, headers, and reasons for failure. RUA reports have `<feedback>`, `<report_metadata>`, `<policy_published>`, and one or more `<record>` blocks which have `<row>`, `<policy_evaluated>`, and `<identifiers>`. RUF reports contain the failed message as an attachment in `message/rfc822` format

Key findings

  • RUA Report Overview: RUA reports offer a high-level, aggregated view of email authentication results.
  • RUA Report Contents: RUA reports include percentages of messages passing or failing SPF, DKIM, and DMARC.
  • RUF Report Granularity: RUF reports provide detailed information on individual emails failing DMARC checks.
  • RUF Report Contents: RUF reports include source IP addresses, email headers, and reasons for DMARC failure.
  • RFC format RUA: RUA reports have `<feedback>`, `<report_metadata>`, `<policy_published>`, and one or more `<record>` blocks which have `<row>`, `<policy_evaluated>`, and `<identifiers>`
  • RFC format RUF: RUF reports contain the failed message as an attachment in `message/rfc822` format

Key considerations

  • Using RUA for Monitoring: Utilize RUA reports to monitor email authentication performance and identify trends in authentication failures.
  • Using RUF for Investigation: Employ RUF reports to investigate specific instances of DMARC failure and identify potential sources of abuse.
  • RFC7489 Understanding: Consult RFC7489 for a comprehensive understanding of DMARC report formats and data elements.
Technical article

Documentation from DMARC.org details that RUF (Forensic) reports, also known as failure reports, contain information about individual email messages that failed authentication. These reports include the message headers and a portion of the body, providing more granular detail for troubleshooting authentication failures and identifying potential abuse.

May 2021 - DMARC.org
Technical article

Documentation from AuthSMTP explains that Aggregate reports provide a daily summary of all email traffic claiming to be from your domain. It includes the number of emails that passed and failed DMARC checks, as well as the reasons for failure. This allows you to identify potential issues with your email authentication setup.

July 2023 - AuthSMTP.com
Technical article

Documentation from RFC7489 details that Aggregate Feedback reports contain: `<feedback>`, `<report_metadata>`, `<policy_published>`, and one or more `<record>` blocks. Each record block has `<row>`, `<policy_evaluated>`, and `<identifiers>`

April 2024 - RFC-Editor.org
Technical article

Documentation from DMARC.org explains that RUA (Aggregate) reports provide a high-level overview of email authentication results, showing the percentage of messages passing or failing SPF, DKIM, and DMARC. These reports help domain owners understand how their email is being authenticated across different receiving domains.

January 2023 - DMARC.org
Technical article

Documentation from AuthSMTP details that Forensic reports, also known as failure reports, provide detailed information about individual emails that failed the DMARC check. This includes the source IP address, the headers of the email, and the reason for failure, which can help to identify and mitigate abuse of your domain.

October 2024 - AuthSMTP.com
Technical article

Documentation from RFC7489 details that Failure reports in Authentication Failure Reporting contain the failed message as an attachment in `message/rfc822` format

January 2024 - RFC-Editor.org