Suped

What does the 'ruf' DMARC tag stand for?

DMARC, which stands for Domain-based Message Authentication, Reporting, and Conformance, is a powerful email authentication protocol. It allows domain owners to protect their brand from email spoofing and phishing attacks. A DMARC record is a simple text entry in your DNS, but it contains several important components called 'tags' that give instructions to receiving mail servers.

One of these tags is ruf. Simply put, the ruf tag is short for 'Reporting URI for Forensic reports'. It's an optional tag used to specify an email address where you want to receive detailed, individual reports about emails that fail DMARC authentication.

True Green Hosting says:
The “ruf” tag in a DMARC policy stands for “Reporting URI for Forensic reports.” This tag specifies the email address or addresses where you want to receive detailed forensic reports.

Understanding RUF vs. RUA reports

DMARC provides visibility through two types of reports: Aggregate (RUA) and Forensic (RUF). It's crucial to understand the difference.

  • RUA (Aggregate) Reports: These are XML reports sent daily. They provide a high-level overview of your email traffic, showing which IPs are sending mail on your behalf and whether those emails are passing or failing SPF and DKIM checks. They don't contain any sensitive information about the individual emails. These are the primary reports used for DMARC monitoring.
  • RUF (Forensic) Reports: These are real-time, individual reports generated each time a single email fails DMARC authentication. As VerifyDMARC notes, they provide information about specific email failures. Because they are copies of the failed messages, they contain much more detail.

EmailAuth says:
DMARC Failure Reports are forensic reports (RUF) that provide detailed information about email messages that have failed DMARC authentication.

A RUF report is essentially a redacted copy of the failing email message and can include information like the subject line, message headers, body snippets, and the sending IP address. This level of detail can be very useful for diagnosing specific authentication issues or investigating a phishing attack.

The privacy problem and lack of support

While the detail in RUF reports sounds great for troubleshooting, it comes with a significant downside: privacy. Because these reports can contain personally identifiable information (PII) from email headers and bodies, many mailbox providers are reluctant to send them.

Mailgun says:
An optional reporting tag ruf= tells ISPs where to return fail or forensic reports. While this tag is not supported by all mailbox providers for privacy and performance reasons, it can offer more detail than aggregate reports when it is supported.

Sending the content of a private email to a third party (the address specified in the ruf tag) creates a potential data leak. For this reason, major providers like Google and Yahoo no longer send RUF reports. Most DMARC analysis today relies exclusively on the aggregate RUA reports, which provide all the necessary information for monitoring and enforcement without the privacy risks.

How to configure the 'ruf' and 'fo' tags

If you still want to receive forensic reports from the providers that support them, you need to configure two tags in your DMARC record.

1. The 'ruf' tag: This specifies the destination for the reports. The format requires a mailto: prefix. For example: ruf=mailto:dmarc-forensic@example.com.

DuoCircle says:
The 'fo' tag in DMARC stands for 'failure options'. This optional tag defines how RUF reports should be generated.

2. The 'fo' tag: This tag, which stands for 'failure options', tells receivers what kind of failures should trigger a RUF report. You can choose from the following options:

  • fo=0: Generate a report if both SPF and DKIM fail to produce an aligned 'pass' result (this is the default).
  • fo=1: Generate a report if either SPF or DKIM produces a result other than 'pass'.
  • fo=d: Generate a report if the DKIM signature failed to verify.
  • fo=s: Generate a report if the SPF evaluation failed.
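
An added example, not code from the original article or from any of the quoted vendors: a small Python linter for the ruf and fo tags described above. It checks the mailto: form, flags destinations outside the policy domain (where copies of failed messages would leave your control), and evaluates the four fo options against one message's results. The sample record, the example.com addresses and all function names are constructed for illustration.

```python
import re

FO_VALUES = {"0", "1", "d", "s"}
# Constructed sample record (example.com is a placeholder domain).
SAMPLE = ("v=DMARC1; p=reject; rua=mailto:dmarc@example.com; "
          "ruf=mailto:dmarc-forensic@example.com; fo=1")

def parse_dmarc(record):
    """Split a DMARC TXT record into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags

def lint_failure_reporting(record, policy_domain):
    """Return a list of problems with the ruf and fo tags of one record."""
    tags, problems = parse_dmarc(record), []
    ruf, fo = tags.get("ruf"), tags.get("fo")
    if fo is not None and ruf is None:
        problems.append("fo is set but there is no ruf destination")
    own = policy_domain.lower()
    for uri in (ruf.split(",") if ruf else []):
        uri = uri.strip()
        # mailto: address, optionally followed by a "!10m"-style size limit
        m = re.fullmatch(r"mailto:[^@\s]+@([^@\s!]+)(![0-9]+[kmgt]?)?", uri, re.I)
        if not m:
            problems.append(f"ruf URI is not a mailto: address: {uri}")
        elif m.group(1).lower() != own and not m.group(1).lower().endswith("." + own):
            # Simplified same-domain test; failed-message data leaves the domain.
            problems.append(f"ruf sends message data to external domain {m.group(1)}")
    for opt in (fo.split(":") if fo else []):
        if opt.strip().lower() not in FO_VALUES:
            problems.append(f"unknown fo option: {opt.strip()}")
    return problems

def report_requested(fo, spf_aligned, dkim_aligned, spf_failed=False, dkim_sig_failed=False):
    """Decide whether the fo options ask for a report on one message."""
    # *_aligned: aligned 'pass' result; *_failed: the raw check itself failed.
    opts = {o.strip().lower() for o in fo.split(":")}
    return (("0" in opts and not spf_aligned and not dkim_aligned)
            or ("1" in opts and not (spf_aligned and dkim_aligned))
            or ("d" in opts and dkim_sig_failed)
            or ("s" in opts and spf_failed))

if __name__ == "__main__":
    print(lint_failure_reporting(SAMPLE, "example.com"))
    print(report_requested("1", spf_aligned=True, dkim_aligned=False))
```

With fo=0 a message that passes SPF but fails DKIM produces no report, while fo=1 requests one for the same message, which is why fo=1 is the more verbose setting.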

In summary, while the ruf tag can provide deep forensic insight into email authentication failures, its use is limited by privacy concerns and a lack of support from major mailbox providers. For most organizations, relying on aggregate rua reports is the standard and most effective way to monitor DMARC compliance.
