When you're setting up DMARC, you'll come across two important but distinct reporting tags: rua and ruf. Both are designed to give you visibility into how your domain is being used across the internet, but they serve very different purposes and provide different types of information. Understanding the difference is key to effectively using DMARC to protect your domain from phishing and spoofing attacks.
As Gatefy explains, DMARC provides this visibility through two types of reports: aggregate (RUA) and forensic (RUF). Let's break down what each one does.
The rua tag, which stands for "Reporting URI for Aggregate reports", is the most important part of DMARC reporting. This tag tells receiving mail servers where to send daily, high-level summaries of your email traffic. These reports are sent in a machine-readable XML format, which is why most people use a DMARC monitoring service to parse and visualize the data.
An aggregate report doesn't contain the content of individual emails. Instead, it provides a summary of:
These reports are essential for understanding who is sending on your behalf, identifying legitimate services that need to be properly configured, and tracking unauthorized use of your domain. Almost all major mailbox providers send RUA reports.
The ruf tag, which stands for "Reporting URI for Forensic reports", is used to request detailed, individual reports for emails that fail DMARC authentication. These are also known as failure reports.
Unlike the summarized RUA reports, a RUF report is a copy of a specific failing email. As DuoCircle points out, it can include the email's header, attachments, and URLs. In theory, this sounds incredibly useful for debugging why a specific email failed. You could see the exact subject line, sending IP, and authentication headers to diagnose the problem.
However, there's a major catch: privacy. Because these reports contain message content, which could include personally identifiable information (PII), very few mailbox providers actually send them. Sending a RUF report could violate the privacy of the sender and recipient. As a result, while you can (and should) specify a ruf address in your DMARC record, you will receive very few reports, if any. The data is often redacted to the point of being unhelpful, or simply not sent at all. According to Mailgun, this tag is not supported by all mailbox providers.
For 99% of domain owners, the focus should be entirely on RUA reports. They provide all the necessary information to reach a DMARC policy of p=reject safely. The data helps you identify legitimate sending services and ensure they are configured correctly for SPF and DKIM alignment, while also showing you any fraudulent activity.
The ruf tag is largely a remnant of the early days of DMARC. Due to the lack of adoption by major providers and the significant privacy implications, forensic reports are not a reliable or necessary tool for DMARC implementation today. While you can configure an address to receive them, you shouldn't rely on them for monitoring.
To summarize, use the rua tag to receive comprehensive, aggregated data from all major receivers. This is your primary tool for DMARC monitoring. You can add a ruf tag, but don't expect to receive much, if any, useful information from it.