When setting up a DMARC record, two specific tags control forensic reporting: ruf and fo. The primary tag that specifies the destination for these reports is ruf.
The ruf tag tells receiving mail servers where to send individual failure reports. These are different from the more common aggregate (rua) reports, which provide a high-level summary. Forensic reports, also known as failure reports, offer a detailed, real-time look at a single email that has failed DMARC authentication.
The ruf tag stands for "Reporting URI for Forensic reports". Its purpose is to specify one or more email addresses where you want to receive these detailed reports. When a mailbox provider that supports forensic reporting receives an email claiming to be from your domain that fails the DMARC check, it will send a copy of the failed message to the address you've specified.
The syntax is straightforward. You add the tag to your DMARC record followed by mailto: and the desired email address. For example: ruf=mailto:dmarc-forensic@yourdomain.com.
Simply adding a ruf tag is not enough to start receiving reports. You also need to include the fo (failure reporting options) tag. This tag tells receivers the conditions under which forensic reports should be generated. Without it, no forensic reports will be sent.
The fo tag can have one or more of the following values:
An example DMARC record requesting forensic reports for any type of alignment failure would look like this: v=DMARC1; p=none; rua=mailto:agg@example.com; ruf=mailto:forensic@example.com; fo=1;
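As an added example (not from the original article), the Python code below lints the ruf and fo tags of a DMARC record offline and flags the problems discussed here: ruf without fo, fo without ruf, non-mailto destinations and report addresses outside the policy domain. The function names are hypothetical, and the meanings of the fo options 0, 1, d and s are taken from RFC 7489 rather than from this page.

```python
# Added example: lint the ruf/fo portion of a DMARC TXT record (no DNS lookups).
# fo option meanings per RFC 7489 (assumption: not listed on the page itself).
FO_OPTIONS = {
    "0": "report when all mechanisms (SPF and DKIM) fail to produce an aligned pass",
    "1": "report when any mechanism fails to produce an aligned pass",
    "d": "report when a DKIM signature fails evaluation",
    "s": "report when SPF fails evaluation",
}


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict keyed by lowercase tag name."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags


def lint_forensic(record, policy_domain):
    """Return (ruf_addresses, fo_options, findings) for one DMARC record."""
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("missing v=DMARC1")
    addresses = []
    for uri in filter(None, (u.strip() for u in tags.get("ruf", "").split(","))):
        if not uri.lower().startswith("mailto:"):
            findings.append(f"ruf URI is not mailto: {uri}")
            continue
        addr = uri[len("mailto:"):].split("!", 1)[0]  # drop optional size limit
        addresses.append(addr)
        if addr.rpartition("@")[2].lower() != policy_domain.lower():
            # Failure reports carry message headers, so this is a privacy review item.
            findings.append(f"ruf sends failure reports off-domain: {addr}")
    options = [o.strip().lower() for o in tags.get("fo", "").split(":") if o.strip()]
    for opt in options:
        if opt not in FO_OPTIONS:
            findings.append(f"unknown fo option: {opt}")
    if addresses and not options:
        findings.append("ruf is set but fo is missing")
    if options and not addresses:
        findings.append("fo is set but there is no usable ruf destination")
    return addresses, options, findings
```

Calling lint_forensic with the example record above and policy domain example.com returns the single ruf address, the option list ["1"] and no findings.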
While forensic reports sound useful, they come with significant caveats. On the plus side, they provide immediate, granular detail about a failing email source, which can be invaluable for troubleshooting authentication problems or identifying a spoofing attack in real time. As the SAP Community notes, these reports contain extensive information, including full message headers.
However, there are two major downsides: volume and privacy. You will receive a separate report for every single email that fails, which can quickly overwhelm an inbox. More importantly, because these reports contain message headers and sometimes body content, they can expose personally identifiable information (PII). Due to these privacy concerns, many large mailbox providers, including Google and Microsoft, have stopped sending forensic reports entirely.
In summary, the ruf tag sets the destination for DMARC forensic reports, and the fo tag defines the trigger. While they can be useful for debugging, the lack of support from major providers and significant privacy implications mean that most organizations should rely on aggregate (rua) reports for their DMARC monitoring.