DMARC is not just about creating a record and defining DMARC policies. You also need insight into how it is working so that you can decide whether the policy in your record should be tightened or relaxed. You get that insight by adding RUA and RUF tags to the record, each followed by the email addresses where you want to receive the reports.
This guide dives deep into RUA vs RUF reports.
DMARC RUA Report
In the first part of this guide on RUA vs RUF reports, let’s see what a DMARC RUA report is and why you need it.
The RUA report is the aggregate report, and it includes information about your email-sending domain’s traffic. You get an overview of how emails come in and go out of your company. This general report doesn’t contain any sensitive information and is only meant to help you identify false and true positives. If analyzed proficiently, it prevents phishing and domain spoofing attacks.
Inclusions of a DMARC RUA Report
RUA and RUF reports contain different details, so you must choose to receive both of them for the DMARC monitoring exercise to bear fruit. This is what a DMARC RUA report contains:
Failed Authentication Details
This section has the sending server’s IP address, the authenticated domain, and certain authentication mechanisms that fail the SPF and/or DKIM filters.
By reading message headers, you can trace malicious entities and identify potential risks associated with emailing.
Information on whether a message has passed or failed the SPF and DKIM authentication checks. It also highlights occurrences of relevant error messages.
This gives a count of messages that didn’t go through the SPF and DKIM filters.
It highlights how the recipients’ servers treated the messages that failed the authentication checks.
Working of the ‘RUA’ Tag
Email servers that receive messages regularly send RUA reports to all domains with a properly configured DMARC policy. These reports comprise encrypted aggregate statistics in XML format and are directed to the email address(es) specified after “mailto:” in the RUA tag of your DMARC record.
To clarify, the RUA tag serves the purpose of specifying one or more email addresses where you wish to receive DMARC Aggregate Reports. It includes a comma-separated list of email addresses prefixed with “mailto:” to designate the recipients for the DMARC Aggregate Reports. Here’s an example of a DMARC record illustrating the use of the RUA tag:
v=DMARC1; p=none; rua=mailto:email@example.com
Decoding the XML reports can be challenging for anyone without a technical background. It’s better to use an online DMARC report analysis tool to gather, filter, and organize the reports so that you can examine them in a human-readable format, which is basically plain English.
Please note that the email address you enter in the RUA tag field must actually be authorized to receive these reports. Otherwise, the process will not work. You can also choose to receive these reports at an email address that belongs to a different domain. In simpler terms, you can receive the RUA and RUF reports for the example.com domain at an address on anotherdomain.com. This is called external domain verification.
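The following added example (not from the original guide) works out which authorization records external domain verification needs. Under RFC 7489, the receiving domain authorizes reports by publishing a TXT record containing v=DMARC1 at <policy domain>._report._dmarc.<destination domain>. The addresses in the sample record are constructed, and the caller is assumed to pass the organizational domain, since the code does not consult the Public Suffix List.

```python
def parse_dmarc_record(record):
    """Split a DMARC TXT record into a {tag: value} dict (tag names lowercased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags


def report_hosts(tags, tag):
    """Return the destination hosts of the mailto: URIs listed in rua or ruf."""
    hosts = []
    for uri in tags.get(tag, "").split(","):
        uri = uri.strip()
        if not uri.lower().startswith("mailto:"):
            continue
        address = uri[len("mailto:"):].split("!", 1)[0]  # drop optional "!10m" size limit
        hosts.append(address.rsplit("@", 1)[-1].lower())
    return hosts


def external_authorizations(policy_domain, record):
    """List the DNS names where a destination domain must publish 'v=DMARC1'."""
    policy_domain = policy_domain.lower().rstrip(".")
    tags = parse_dmarc_record(record)
    needed = []
    for tag in ("rua", "ruf"):
        for host in report_hosts(tags, tag):
            # Simplification: same organization = same domain or a subdomain of it.
            same_org = host == policy_domain or host.endswith("." + policy_domain)
            name = f"{policy_domain}._report._dmarc.{host}"
            if not same_org and name not in needed:
                needed.append(name)
    return needed


# Constructed sample record for example.com (addresses are placeholders).
RECORD = ("v=DMARC1; p=none; "
          "rua=mailto:dmarc@example.com,mailto:reports@anotherdomain.com!10m; "
          "ruf=mailto:forensics@anotherdomain.com")

if __name__ == "__main__":
    for name in external_authorizations("example.com", RECORD):
        print(f'{name}  TXT  "v=DMARC1"')
```

If the listed name has no such TXT record, receivers that follow the verification procedure will not send reports to that address.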
DMARC RUF Report
The concept of RUF reports was introduced to allow domain owners to benefit from a redacted copy of emails that failed DMARC compliance. Think of it as a comprehensive and detailed dossier that includes full-length details of unauthenticated messages so that you can try tracing back the culprit.
It also helps to analyze the wrongdoings that cause false positives for genuine email senders.
Inclusions of a DMARC RUF Report
RUA and RUF reports have different details. Here’s what the latter contains:
You get details on whether a message has passed or failed SPF and DKIM checks. It takes domain owners through their domain’s email utility patterns.
It entails details on the email sender, recipient, subject line, and timestamps to understand the context of failed messages dispatched from your domain. This way, you get to evaluate the story behind false positives and make adjustments in your DMARC record accordingly.
Domain owners can examine the contents of suspicious messages in order to identify and investigate potential wrongdoers, if feasible. Analyzing links and attachments assists in establishing connections and understanding the overall context.
RUF reports are sent in encrypted form to avoid their exploitation.
Working of the ‘RUF’ Tag
RUF or DMARC forensic reports are dispatched in cases where an email claiming to be from your domain does not pass DMARC authentication. If there is a failure in SPF and DKIM alignment, the Internet Service Provider generates a forensic report, signaling an issue with a sending IP.
Similar to RUA reports, RUF reports are directed to the email address specified in the RUF tag of your DMARC record, following the “mailto:” format. These reports offer insights into the reasons behind the failure of some legitimate messages and provide visibility into how unauthorized IPs using your domain structure their messages.
The nature of the failure is indicated by the ‘fo’ tag, while the designated email address for receiving RUF reports is specified in the ‘RUF’ tag. For instance:
v=DMARC1; p=reject; rua=mailto:firstname.lastname@example.org; ruf=mailto:email@example.com; sp=none; fo=0;
DMARC reporting and monitoring completes the whole process of email security and authentication. We at DMARCReport offer on-demand compliance for organizations functioning under the European GDPR structure to ensure smooth operations and no regulatory issues.
Visit our knowledge support center before getting started.