Overview
DMARC defines two types of reports that receiving mail servers can send back to domain owners. Aggregate reports (RUA) give you a statistical summary of all email activity for your domain. Forensic reports (RUF) provide details about individual email failures. Both are configured via tags in your DMARC DNS record.
Example DMARC record using both report types:
v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; ruf=mailto:forensic@example.com; fo=1
Aggregate Reports (RUA)
Aggregate reports are XML files sent once daily (typically) by participating mail receivers like Google, Microsoft, Yahoo, and others. Each report covers a specific time window (usually 24 hours) and includes summary statistics for all email claiming to come from your domain.
Key data points in an aggregate report include:
- Source IP addresses sending email as your domain
- Volume of messages per source IP
- SPF and DKIM pass/fail results
- DMARC alignment results
- Disposition applied (none, quarantine, or reject)
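The data points listed above can be extracted per source IP with a short parser. The Python below is an added example, not code from the original page: the sample report is constructed, the element names follow the RFC 7489 aggregate schema, and the function names and 10 MB size cap are assumptions. Reports come from external senders, so the loader treats them as untrusted input.

```python
import gzip
import io
import xml.etree.ElementTree as ET
from collections import defaultdict

MAX_XML_BYTES = 10 * 1024 * 1024  # assumed cap on decompressed report size

# Constructed sample report (documentation IP ranges, not real data).
SAMPLE_XML = b"""<?xml version="1.0"?>
<feedback>
  <policy_published><domain>example.com</domain><p>quarantine</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>5</count>
    <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>192.0.2.10</source_ip><count>3</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
</feedback>"""

def load_report(blob: bytes) -> ET.Element:
    """Decompress (if gzipped) and parse a report with basic untrusted-input guards."""
    if blob[:2] == b"\x1f\x8b":  # gzip magic bytes
        with gzip.GzipFile(fileobj=io.BytesIO(blob)) as fh:
            blob = fh.read(MAX_XML_BYTES + 1)  # bounded read limits decompression bombs
    if len(blob) > MAX_XML_BYTES:
        raise ValueError("report exceeds size cap")
    if b"<!DOCTYPE" in blob or b"<!ENTITY" in blob:
        raise ValueError("DTD/entity declarations are not expected in a report")
    return ET.fromstring(blob)

def summarize(root: ET.Element) -> dict:
    """Per source IP: message counts by DMARC outcome and applied disposition."""
    out = defaultdict(lambda: defaultdict(int))
    for row in root.iter("row"):
        ip = row.findtext("source_ip") or "unknown"
        count = int(row.findtext("count") or 0)
        aligned = (row.findtext("policy_evaluated/dkim"), row.findtext("policy_evaluated/spf"))
        # DMARC passes when at least one aligned mechanism passes.
        out[ip]["dmarc_pass" if "pass" in aligned else "dmarc_fail"] += count
        out[ip]["disp_" + (row.findtext("policy_evaluated/disposition") or "none")] += count
    return out

def failing_sources(summary: dict) -> list:
    """(ip, failing message count) pairs, highest volume first."""
    bad = [(ip, s.get("dmarc_fail", 0)) for ip, s in summary.items() if s.get("dmarc_fail", 0)]
    return sorted(bad, key=lambda pair: -pair[1])

if __name__ == "__main__":
    print(failing_sources(summarize(load_report(gzip.compress(SAMPLE_XML)))))
```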
Forensic Reports (RUF)
Forensic reports (also called failure reports) are sent immediately when an individual email fails DMARC authentication. They are formatted as email messages using the Abuse Reporting Format (ARF) and may include a redacted or full copy of the original failing message, depending on the reporting server's policy.
The fo= tag in your DMARC record controls when forensic reports are generated:
- fo=0 — Report only when both SPF and DKIM fail (default)
- fo=1 — Report when either SPF or DKIM fails
- fo=d — Report when DKIM fails, regardless of alignment
- fo=s — Report when SPF fails, regardless of alignment
Side-by-Side Comparison
| Feature | Aggregate (RUA) | Forensic (RUF) |
|---|---|---|
| DMARC tag | rua= | ruf= |
| Data type | Summary statistics per IP | Individual failure details |
| Frequency | Once daily (per receiver) | Near real-time, per failure |
| Format | Gzip-compressed XML | Email (ARF format) |
| Contains message content | No | Sometimes (headers or full message) |
| Privacy concerns | Low — no personal data | High — may include recipient addresses, subject lines |
| Provider support | Widely supported | Limited — many providers don't send RUF |
| Primary use case | Ongoing monitoring and trend analysis | Investigating specific failure incidents |
When to Use Aggregate Reports
Aggregate reports are the foundation of DMARC monitoring. You should always have an RUA address configured. They tell you which sending sources are passing and failing, help you identify unauthorized senders, and track your authentication posture over time. DMARC analytics tools like DDMARC parse these XML files and present the data in a readable dashboard.
When to Use Forensic Reports
Forensic reports are useful when you need to investigate a specific authentication failure and understand why a particular message failed. They can reveal misconfigured sending services, missing DKIM selectors, or active phishing campaigns. However, treat them as a supplemental tool rather than a primary monitoring method because:
- Many large providers (including Gmail) do not send forensic reports at all.
- Volume can be very high — one per failure — making them noisy.
- They may contain personally identifiable information (PII) requiring GDPR/CCPA handling.
Privacy Considerations for Forensic Reports
Forensic reports can contain the recipient's email address, the message subject line, message headers, and sometimes the full message body. If your domain sends email to EU residents, collecting forensic reports may have GDPR implications — you are receiving personal data about third parties without their explicit consent. Many organizations choose not to configure RUF for this reason. Aggregate reports carry no such risk as they only contain IP-level statistics.
Recommendation
Always configure an RUA address. It is the primary tool for DMARC visibility. Configure RUF only if you have a specific need to investigate individual failures and have addressed the privacy implications for your jurisdiction. If you do enable forensic reports, use fo=1 to capture failures from either SPF or DKIM, and ensure your RUF mailbox is handled securely.
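The recommendation and the fo= options can be checked mechanically against a published record. The Python below is an added example, not code from the original page: the function names and finding messages are assumptions, and it relies on the DMARC rules that fo= is a colon-separated list and is ignored when no ruf= tag is present.

```python
FO_OPTIONS = {
    "0": "report only when both SPF and DKIM fail (default)",
    "1": "report when either SPF or DKIM fails",
    "d": "report when DKIM fails, regardless of alignment",
    "s": "report when SPF fails, regardless of alignment",
}

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into a tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags

def review_reporting(record: str) -> list:
    """Return findings about the rua/ruf/fo tags of a DMARC record."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (v=DMARC1 missing)"]
    findings = []
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports will arrive")
    for tag in ("rua", "ruf"):
        # Each reporting tag holds a comma-separated list of destinations.
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if not uri.lower().startswith("mailto:"):
                findings.append(f"{tag}= destination {uri!r} is not a mailto: URI")
    fo = [o.strip() for o in tags.get("fo", "0").split(":")]
    for opt in fo:
        if opt not in FO_OPTIONS:
            findings.append(f"unknown fo= option {opt!r}")
    if "ruf" in tags:
        findings.append("ruf= set: failure reports may carry PII; fo=" + ":".join(fo))
    elif "fo" in tags:
        findings.append("fo= has no effect without a ruf= address")
    return findings

if __name__ == "__main__":
    # The example record from the Overview section.
    print(review_reporting("v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; "
                           "ruf=mailto:forensic@example.com; fo=1"))
```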
Frequently Asked Questions
Why am I not receiving any forensic reports?
Most major email providers, including Google and Microsoft, do not send forensic reports due to privacy concerns. If you have an RUF address configured but aren't receiving reports, this is likely the reason — not a misconfiguration on your end. You will still receive aggregate reports from those providers.
How long should I store aggregate reports?
At minimum, retain reports for 90 days to allow trend analysis and incident investigation. Longer retention (6–12 months) helps identify seasonal patterns and track improvement over time. Raw XML files are small — a domain receiving moderate email volume generates only a few megabytes of reports per month.
Do I need a separate email address for RUA and RUF?
Not necessarily, but it's a good practice. Aggregate reports are structured XML files suited to automated processing. Forensic reports are individual emails that are harder to parse at scale. Keeping them separate makes it easier to handle each appropriately.