When you're setting up DMARC, one of the most powerful features is its reporting capability. DMARC provides two types of reports: aggregate (RUA) reports, which give a high-level overview of your email traffic, and failure (RUF) reports, which provide detailed, individual copies of messages that fail DMARC authentication. These failure reports are sometimes called forensic reports.
While incredibly detailed, failure reports can contain personally identifiable information (PII), so many mailbox providers have deprecated them due to privacy concerns. However, for those that still support them, they can be an invaluable tool for diagnosing authentication issues. The DMARC tag that specifies the format for these reports is rf.
The 'rf' tag explained
The rf (Report Format) tag is used in a DMARC record to declare the desired format for individual failure reports. Mailbox providers that support RUF reporting will look at this tag to determine how to structure the report data they send back to you.
Currently, the only widely recognized value for this tag is afrf, which stands for Authentication Failure Reporting Format. This is the standard format for these types of DMARC reports.
How the 'rf' tag works with other DMARC tags
The rf tag doesn't work in isolation. To receive failure reports, you need to configure it alongside two other critical tags: ruf and fo.
- The 'ruf' tag: This tag specifies the email address(es) where you want to receive the forensic (RUF) reports. Without a valid ruf address, mailbox providers won't know where to send the detailed failure data. According to an article by True Green Hosting, the 'ruf' tag stands for “Reporting URI for Forensic reports.”
- The 'fo' tag: This tag defines the specific failure scenarios that should trigger a report. It gives you control over the conditions under which you receive failure reports. For example, you can choose to receive a report only when both SPF and DKIM fail, or when either one fails.
Example DMARC record with failure reporting
Putting it all together, a DMARC record configured to send forensic reports would look something like this:
v=DMARC1; p=none; rua=mailto:agg_reports@example.com; ruf=mailto:forensic_reports@example.com; fo=1; rf=afrf;
In this example:
- ruf=mailto:forensic_reports@example.com tells receivers to send failure reports to this email address.
- fo=1 requests a report if a message fails either SPF or DKIM alignment.
- rf=afrf specifies the reporting format as Authentication Failure Reporting Format.
In summary, while the rf tag's role is simple—specifying the format—it is a key part of the trio of tags needed to enable and configure DMARC failure reports. Understanding how it works with ruf and fo is essential for anyone looking to leverage this advanced diagnostic feature of DMARC.
What DMARC tag specifies forensic reports?
Does the DMARC 'pct' tag affect aggregate reports?
What is the DMARC version specified by the 'v' tag?
What DMARC 'fo' tag value requests failure reports for all failures?
What is the purpose of the 'rf' DMARC tag?
What is the 'fo' tag value for DMARC aggregate report formatting?
