Forensic Reports
Forensic reports (RUF - Report URI Forensic) provide detailed information about individual emails that fail DMARC authentication. Use them to investigate spoofing attempts and diagnose configuration issues.
Professional Plan Feature
Forensic reports are available on Professional, Enterprise, and MSP plans. Upgrade your plan to access this feature.
What Are Forensic Reports?
Unlike aggregate reports (RUA) that summarize authentication results, forensic reports provide details about individual failed messages. They include:
Message Headers
Full email headers including From, To, Subject, and routing information
Source Information
IP address, geolocation, and ASN of the sending server
Authentication Results
Detailed SPF, DKIM, and DMARC evaluation results
Failure Reason
Specific reason why authentication failed (alignment, signature, etc.)
Aggregate vs Forensic Reports
| Aspect | Aggregate (RUA) | Forensic (RUF) |
|---|---|---|
| Frequency | Daily summary | Per-message (real-time) |
| Content | Statistics and counts | Individual message details |
| Use Case | Trend analysis, monitoring | Incident investigation |
| Privacy | Anonymized data | Contains PII (headers) |
| Provider Support | Universal | Limited (Gmail, Yahoo, etc.) |
Using Forensic Reports
Browse Reports
Navigate to Forensic Reports in your dashboard to see all received RUF reports. Reports are listed chronologically with key details visible.
Filter by Type
Filter reports by failure type (SPF, DKIM, DMARC), domain, date range, or source IP to narrow down your investigation.
View Details
Click on any report to see full details including message headers, authentication results, and geographic information about the sender.
Report Details
Each forensic report contains the following information:
Message Information
- Arrival date and time
- Original From address
- Subject line (if available)
- Message-ID
Source Information
- Source IP address
- Country and city
- ASN and organization
- Reverse DNS hostname
Authentication Results
- SPF result and domain
- DKIM result and selector
- DMARC policy applied
- Alignment status
Failure Details
- Failure type (SPF/DKIM/DMARC)
- Specific failure reason
- Reported domain
- Delivery result
Common Use Cases
Investigating Spoofing Attempts
When you see failures from unknown IPs, forensic reports help identify if someone is attempting to spoof your domain. Check the source IP, location, and headers.
Debugging Legitimate Failures
If legitimate email services are failing authentication, forensic reports show exactly what went wrong—missing SPF entries, DKIM signature issues, or alignment problems.
Monitoring New Senders
Before adding a new service to your SPF record, let it send some test emails. Forensic reports will show the exact IP addresses that need to be authorized.
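As an added illustration (not part of the product or the original page): RUF reports arrive as AFRF messages (RFC 6591), so the fields listed under Report Details can be extracted with Python's standard email parser and triaged along the lines of the spoofing and legitimate-failure use cases above. The sample report, the KNOWN_SENDERS inventory and the function names parse_ruf and triage are constructed for this example.

```python
import email
import ipaddress

# Constructed sample: a trimmed AFRF failure report (original-message part omitted).
SAMPLE_REPORT = """\
From: reports@receiver.example
Subject: Failure report (constructed)
MIME-Version: 1.0
Content-Type: multipart/report; report-type=feedback-report; boundary="b1"

--b1
Content-Type: text/plain

This is an authentication failure report.
--b1
Content-Type: message/feedback-report

Feedback-Type: auth-failure
Auth-Failure: dmarc
Source-IP: 203.0.113.77
Reported-Domain: example.com
Delivery-Result: reject
Arrival-Date: Tue, 02 Jan 2024 10:15:00 +0000
Authentication-Results: mx.receiver.example; spf=fail smtp.mailfrom=example.com; dmarc=fail

--b1--
"""

# Hypothetical inventory of networks you have authorised to send for the domain.
KNOWN_SENDERS = [ipaddress.ip_network("192.0.2.0/24")]
FIELDS = ("Auth-Failure", "Source-IP", "Reported-Domain", "Delivery-Result",
          "Arrival-Date", "Authentication-Results")

def parse_ruf(raw):
    """Return the feedback-report fields of an AFRF message, or None if absent."""
    for part in email.message_from_string(raw).walk():
        if part.get_content_type() != "message/feedback-report":
            continue
        body = part.get_payload()
        # The stdlib parses message/* parts as a nested message; fall back to a string body.
        fields = body[0] if isinstance(body, list) else email.message_from_string(body)
        return {name: fields[name] for name in FIELDS if fields[name] is not None}
    return None

def triage(report):
    """Known sender: fix SPF/DKIM/alignment. Unknown sender: investigate as spoofing."""
    ip = ipaddress.ip_address(report["Source-IP"])
    known = any(ip in net for net in KNOWN_SENDERS)
    return "misconfigured-known-sender" if known else "unknown-source-investigate"
```

Because the parsed fields include header-derived data, store the output with the same access controls you apply to the reports themselves.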
Enabling Forensic Reports
To receive forensic reports, add the ruf tag to your DMARC record:
v=DMARC1; p=quarantine; ruf=mailto:dmarc@ruf.ddmarc.com; fo=1
- ruf= specifies where to send forensic reports
- fo=1 generates reports on any failure (recommended)
Privacy Considerations
Forensic reports may contain personally identifiable information (PII) from email headers. Not all email providers send forensic reports due to privacy concerns. Gmail, Yahoo, and some others support RUF, while Microsoft does not.