What forensic (RUF) reports are — and their privacy caveats
Forensic reports give per-message detail on DMARC failures. Here's what they contain, why they're rare, and the privacy implications of requesting them.
Forensic reports — referred to in a DMARC record as RUF (Reporting URI for Forensic data, sometimes called failure reports) — are per-message samples sent when an individual message fails DMARC. They are very different from aggregate (RUA) reports, and they come with real privacy considerations. You can view any forensic reports Blankitt has received on the Forensic page.
Aggregate vs. forensic — the key difference
| | Aggregate (RUA) | Forensic (RUF) |
|---|---|---|
| Granularity | Statistical summary, grouped by source | One report per individual failing message |
| Content | Counts and auth results only | Message-level detail, often including headers and parts of the message |
| Frequency | Usually daily | Sent at the moment of failure (when sent at all) |
| Availability | Widely supported | Rarely sent by major providers |
| Day-to-day use | Your primary monitoring data | Occasional deep-dive on a specific failure |
What a forensic report contains
Because a forensic report is about a single message, it can include sensitive detail: the From:, To:, and Subject: headers, the sending IP, the authentication results, and sometimes portions of the message body. That is what makes it useful for diagnosing a single tricky failure — and also what makes it a privacy concern.
Why you'll rarely see them
Most major mailbox providers — including Google and Microsoft — do not send forensic reports, largely for the privacy reasons above. So even if you publish a ruf= address, expect few or no forensic reports to arrive. Aggregate (RUA) reports remain your primary source of truth; treat forensic reports as an occasional bonus, not something to rely on.
Privacy caveats — read before publishing ruf=
Because forensic reports can carry message content and personal data (sender and recipient addresses, subjects), requesting them has data-protection implications:
- You may receive personal data of your own users and their correspondents in these reports.
- Consider your obligations under data-protection law (e.g. UK GDPR) before collecting message-level data, and factor it into your retention and access decisions.
- For most organisations, the privacy cost outweighs the benefit — which is one reason providers stopped sending them.
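If you do collect forensic reports, one way to act on the retention point above is to store only the diagnostic fields. The following is an added example, not Blankitt's code: it parses a failure report in the RFC 6591 layout with Python's standard library, drops the subject and body, and replaces the recipient with a salted hash. The sample report, the salt and the function name `minimise` are constructed for illustration.

```python
import email
import hashlib
from email.utils import parseaddr

# Constructed sample (not real data) in the RFC 6591 failure-report layout.
SAMPLE = """\
From: reports@receiver.example
Subject: FW: Invoice 4471
Content-Type: multipart/report; report-type=feedback-report; boundary="b"

--b
Content-Type: text/plain

Authentication failure report.
--b
Content-Type: message/feedback-report

Feedback-Type: auth-failure
Auth-Failure: dmarc
Source-IP: 192.0.2.10
Reported-Domain: example.com

--b
Content-Type: text/rfc822-headers

From: Billing <billing@example.com>
To: alice@customer.example
Subject: Invoice 4471

--b--
"""

KEEP = ("Feedback-Type", "Auth-Failure", "Source-IP", "Reported-Domain")

def minimise(raw, salt=b"constructed-salt"):
    """Keep diagnostic fields only; Subject and body are never copied."""
    out = {}
    for part in email.message_from_string(raw).walk():
        ctype = part.get_content_type()
        if ctype == "message/feedback-report":
            fields = part.get_payload(0)  # report fields parse as headers
            out.update({k: fields[k] for k in KEEP if fields[k]})
        elif ctype in ("message/rfc822", "text/rfc822-headers"):
            hdrs = (part.get_payload(0) if part.is_multipart()
                    else email.message_from_string(part.get_payload()))
            out["header_from_domain"] = parseaddr(hdrs.get("From", ""))[1].rpartition("@")[2]
            rcpt = parseaddr(hdrs.get("To", ""))[1].lower()
            # Salted hash = pseudonym: repeat recipients correlate, address is not stored.
            out["rcpt_hash"] = hashlib.sha256(salt + rcpt.encode()).hexdigest()[:16]
    return out
```

A salted hash is pseudonymisation rather than anonymisation, so the stored record still counts as personal data while the salt is retained.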
How to request them (if you choose to)
Forensic reports are requested with the ruf= tag in your _dmarc record, alongside rua=. With direct ingest you can point it at the same inbound address:
_dmarc.example.com. TXT "v=DMARC1; p=none; rua=mailto:<token>@rua.blankitt.com; ruf=mailto:<token>@rua.blankitt.com"
Bottom line
Forensic reports can occasionally help you pin down a single, stubborn failure that aggregate data alone doesn't explain. But they are rare in practice and carry privacy weight, so most organisations are best served by leaving ruf off and working from aggregate reports, the Offenders page, and Fix Groups.