DMARC RUA Vs. RUF Reports

**RUA (Reporting URI for Aggregate reports) is the DMARC tag that specifies where receiving mail servers should send aggregate authentication reports. Set rua=mailto:dmarc@yourdomain.com in your DMARC record to start receiving reports. Use DMARC Report to parse and visualize the incoming XML automatically.

DMARC (RFC 7489) ties SPF and DKIM together by requiring alignment between the envelope sender and the visible From header. According to Google’s February 2024 bulk sender requirements, a DMARC policy of at least p=none is now mandatory for any domain sending 5,000+ messages per day to Gmail users.

DMARC is the only email authentication protocol that gives you both enforcement and visibility, says Brad Slavin, General Manager of DuoCircle. SPF and DKIM authenticate silently - DMARC tells you what happened and lets you control the outcome. That combination of reporting and policy is why DMARC adoption is accelerating.

DMARC RUA Report

In the first leg of this guide on RUA vs RUF reports, let’s see what is a DMARC RUA report and why do you need it.

So, the RUA report is short for aggregate report, and it includes information concerning your email-sending domain’s traffic . You get an overview of how emails come in and go out of your company. This general report doesn’t contain any sensitive information and is only meant to help you figure out the instances of false and true positives. If analyzed proficiently, it prevents phishing and domain spoofing attacks.

Inclusions of a DMARC RUA Report

RUA vs RUF reports contain different details, so you must choose to receive both of them for the fruition of the DMARC monitoring exercise. This is what a DMARC RUA report contains-

Failed Authentication Details

This section has the sending server’s IP address, the authenticated domain, and certain authentication mechanisms that fail the SPF and/or DKIM filters.

Message Headers

By reading message headers, you can **trace malicious entities and identify potential risks associated with emailing.

Authentication-Results

Information on if a message has passed or failed the SPF and DKIM authentication checks. It also highlights occurrences of relevant error messages.

Message Count

This gives a **count of messages that didn’t go through the SPF and DKIM filters.

Policy Evaluation

It highlights how the recipients’ servers treated the messages that failed the authentication checks.

Working of the ‘RUA’ Tag

Email servers that receive messages regularly send RUA reports to all domains with a properly configured DMARC policy. These reports comprise **encrypted aggregate statistics in XML format and are directed to the email address(es) specified after **“mailto:” in the RUA tag of your DMARC record.

To clarify, the RUA tag serves the purpose of specifying one or more **email addresses where you wish to receive DMARC Aggregate Reports. It includes a comma-separated list of email addresses prefixed with “mailto:” to designate the recipients for the DMARC Aggregate Reports. Here’s an example of a DMARC record illustrating the use of the RUA tag:

v=DMARC1; p=none; RUA=mailto:message1@domain.com

**Decoding the XML reports may be challenging for the ones who aren’t from a core technical background. So, it’s better to seek help from online DMARC report analyzing tools to gather, filter, and organize the reports for easy examination in a human-readable format ; basically, it’s just plain English.

Please note that the email address you enter in the RUA tag field should actually be authorized to receive these reports. Otherwise, the process would fail to work. Also, you can choose to receive these reports on an email address that belongs to a different domain. In simpler terms, you can choose to receive **RUA vs RUF reports of the example.com domain to anotherdomain.com. This is called external domain verification.

DMARC RUF Report

The concept of RUF reports was introduced to allow domain owners to take the benefit of a redacted copy of emails that failed DMARC compliance. Think of it as a comprehensive and detailed dossier that includes **full-length details of unauthenticated messages so that you can try tracing back the culprit.

It also helps to analyze the wrongdoings that cause false positives for genuine email senders.

Inclusions of a DMARC RUF Report

RUA vs RUF reports have different details. Here’s what the latter one contains-

Authentication-Results

You get details on whether a message has passed or failed SPF and DKIM checks. It takes domain owners through their domain’s email utility patterns.

Message Headers

It entails details on the email sender, recipient, subject line, and timestamps to understand the context of failed messages dispatched from your domain. This way, you get to evaluate the story behind false positives and make adjustments in your DMARC record accordingly.

Message Content

Domain owners can examine the contents of suspicious messages in order to identify and investigate potential wrongdoers, if feasible. Analyzing links and attachments assists in establishing connections and understanding the overall context.

Encryption Details

RUF reports are sent in encrypted form to avoid their exploitation.

Working of the ‘RUA’ Tag

RUF or DMARC forensic reports are dispatched in cases where an email claiming to be from your domain does not pass DMARC authentication. If there is a failure in SPF and DKIM alignment, the Internet Service Provider generates a forensic report, signaling an issue with a sending IP.

Similar to RUA reports, RUF reports are directed to the email address specified in the RUF tag of your DMARC record, following the “mailto:” format. These reports offer insights into the reasons behind the failure of some legitimate messages and provide visibility into how **unauthorized IPs using your domain structure their messages.

The nature of the failure is indicated by the ‘fo’ tag, while the designated email address for **receiving RUF reports is specified in the ‘RUF’ tag. For instance:

v=DMARC1; p=reject; RUA=mailto:email1@yourdomain.com;RUF=mailto:message2@domain2.com; sp=none; fo=0;

Final Words

[DMARC reporting and monitoring](https://dmarcreport.com/blog/top-easydmarcs-dmarc-report-monitoring-alternatives/) completes the whole process of [email security](https://dmarcreport.com/blog/why-is-email-security-important-for-businesses-today-2/) and authentication. We at DMARCReport offer **on-demand compliance for organizations functioning under the European GDPR structure to ensure smooth operations and no regulatory issues.

Visit our knowledge support center before getting started.