Question 1

What are DMARC forensic reports?

Accepted Answer

DMARC forensic reports (also called failure reports or RUF) are individual email samples sent when a message fails DMARC authentication. Unlike aggregate reports which summarize daily statistics, forensic reports contain actual message headers and details about specific authentication failures. They help you identify spoofing attempts, misconfigurations, or unauthorized senders in real-time.

Question 2

What is the difference between RUA and RUF reports?

Accepted Answer

RUA (aggregate reports) provide daily XML summaries of all authentication results across your email traffic - they're essential for monitoring trends. RUF (forensic reports) send individual failure samples with actual message details - they're optional and contain sensitive data. Most organizations use only RUA because RUF can include email content and raise privacy concerns.

Question 3

How do I view DMARC forensic reports?

Accepted Answer

Use our free Forensic Report Viewer tool above. Upload the RFC 6591 compliant report file you received via email at your ruf= address. The tool parses the report to show authentication failure details, source IP, headers, SPF/DKIM results, and recommendations. We support standard DMARC forensic report formats including AFRF (Authentication Failure Reporting Format).

Question 4

Should I enable DMARC forensic reporting?

Accepted Answer

DMARC forensic reporting (ruf=) is optional and has privacy implications since reports may contain email content. Enable it only if you need detailed failure analysis and have proper data handling procedures. Many receivers don't send RUF due to privacy concerns. Aggregate reports (rua=) are sufficient for most organizations and don't have the same privacy issues.

Question 5

What does an authentication failure in a forensic report mean?

Accepted Answer

An authentication failure means an email claiming to be from your domain failed SPF, DKIM, or DMARC checks. Common causes include: legitimate services not authorized in SPF, missing DKIM signatures, email forwarding breaking authentication, or actual spoofing attempts. Our viewer identifies the specific failure type (SPF fail, DKIM fail, alignment fail) and provides remediation steps.

Forensic Report Viewer

DMARC Summary Dashboard

Frequently Asked Questions

Related Tools

DMARC Analyzer

SPF Surveyor

DKIM Validator

Help & Resources

What is a Forensic DMARC Report?

How to Use This Tool

Learn More