--- title: "What Are DMARC Forensic Reports? Understanding RUF Failure Reports | DMARC Report" description: "DMARC forensic reports (RUF) provide per-message details about individual emails that failed authentication - sender IP, headers, subject line, and the specific failure reason. Learn how to enable and read forensic reports." image: "https://dmarcreport.com/images/og-default.png" canonical: "https://dmarcreport.com/dmarc-forensic-report/" --- Forensic Reports # Forensic reports show you exactly which emails failed - and why DMARC forensic reports (RUF) provide per-message details about individual emails that failed DMARC authentication - the sender IP, email headers, subject line, and the specific mechanism that failed. They are your first line of investigation when spoofing is detected. [ Analyze Your Reports โ†’ ](https://app.dmarcreport.com/) [Check Your DMARC Record](/tools/dmarc-checker/) Definition ## What is a DMARC forensic report? A DMARC forensic report (also called a failure report) is a per-message notification sent by a receiving mail server when an individual email fails DMARC authentication. Unlike [aggregate reports](/dmarc-aggregate-reports/) that summarize volumes, forensic reports give you the actual details of each failed message. Forensic reports are configured via the `ruf=` tag in your DMARC record. Not all receivers send forensic reports - notably, Gmail does not send RUF reports due to privacy concerns, according to [Google's DMARC documentation](https://support.google.com/a/answer/2466580). Microsoft (Outlook/365) and Yahoo are among the major receivers that do send forensic reports. Combined with aggregate data, they provide a complete picture of your domain's email authentication health. Forensic Report Detail From ceo@yourdomain.com spoofed Return-Path bounce@malicious-server.ru mismatch Source IP 91.203.145.22 unauthorized SPF Result fail - IP not in SPF record fail DKIM Result fail - no valid signature fail DMARC Disposition reject enforced Subject Urgent: Wire Transfer Required suspicious Use Cases ## What you can investigate with forensic reports Forensic reports are your investigative tool when aggregate reports flag suspicious activity. Each failure report gives you the evidence to determine what happened and take action. ### Spoofing attempts Identify attackers impersonating your executives, billing department, or support team. Forensic reports show the exact From address used, the true source IP, and the Return-Path mismatch. ### Misconfigured third-party senders Discover legitimate services (marketing platforms, CRMs, ticketing systems) sending as your domain without proper SPF/DKIM configuration. Fix them before tightening policy. ### Forwarding failures Email forwarding (mailing lists, .edu redirects, auto-forwards) breaks SPF alignment. Forensic reports reveal which forwarding paths cause failures so you can whitelist or implement ARC. ### Shadow IT detection Find unauthorized SaaS tools sending email as your domain without IT approval - forgotten trial accounts, marketing experiments, or employee-configured services. Comparison ## Aggregate vs forensic reports Both report types serve different purposes. Aggregate reports provide the big picture; forensic reports provide the evidence. You need both for effective DMARC enforcement. Feature Aggregate (RUA) Forensic (RUF) Report type Volume summary (XML) Per-message detail Frequency Daily (24-hour batches) Per failure (real-time or batched) Granularity Per source IP Per individual message Data included IP, count, pass/fail, disposition Full headers, subject, alignment detail Privacy impact Low - no message content Higher - contains headers and subject Receiver support Near-universal Limited - Gmail does not send RUF DMARC tag rua= ruf= Primary use Trend analysis, sender discovery Incident investigation, threat analysis Privacy ## Privacy considerations for forensic reports Forensic reports can contain personally identifiable information (PII) - subject lines, recipient email addresses, and full message headers. This is why some receivers choose not to send them, and why they require careful handling. - Gmail does not send forensic reports due to privacy policies - Microsoft sends forensic reports but may redact some fields - Yahoo sends forensic reports with varying levels of detail - Some enterprise receivers send full forensic data - DMARC Report processes forensic data securely with configurable retention Forensic report data types Email headers Contains routing information and authentication results Medium Subject line May reveal confidential communication topics High Recipient address Identifies the target of the failed message High Source IP Server IP address - not personally identifiable Low Authentication results Technical pass/fail data with no PII Low Configuration ## The `fo=` tag - controlling when reports fire The `fo=` tag in your DMARC record tells receivers which failure types should trigger a forensic report. Each option gives you different granularity. `fo=0` Default Generate a forensic report only when BOTH SPF and DKIM fail to produce an aligned pass. This is the most conservative setting and produces the fewest reports. `fo=1` Any failure Generate a forensic report when EITHER SPF or DKIM fails to produce an aligned pass. Recommended - gives you visibility into partial failures that fo=0 would miss. `fo=d` DKIM failure Generate a report when any DKIM signature fails evaluation, regardless of alignment. Useful for debugging DKIM key rotation or selector issues. `fo=s` SPF failure Generate a report when SPF evaluation fails for any reason, regardless of alignment. Useful for identifying SPF configuration gaps or IP range changes. **Recommended configuration:** Use `fo=1` to capture the widest range of failures. During the monitoring phase (p=none), this gives you maximum visibility into authentication issues before you tighten your policy. Generate your record with our [DMARC Record Generator](/tools/dmarc-record-generator/). FAQ ## Frequently asked questions ### Does Gmail send DMARC forensic reports? No. Google has never sent RUF forensic reports due to privacy concerns about including email headers and subject lines in failure notifications. You will receive forensic reports from Microsoft (Outlook/365), Yahoo, and some enterprise receivers, but not from Gmail. Use [aggregate reports](/dmarc-aggregate-reports/) for Gmail sender data. ### Are forensic reports a privacy risk? Forensic reports can contain PII including subject lines, recipient addresses, and full email headers. Some receivers redact sensitive fields or decline to send forensic reports entirely. DMARC Report processes forensic data securely with configurable data retention policies. Organizations subject to GDPR or CCPA should review their forensic data handling procedures. ### What does fo=1 mean in a DMARC record? The `fo=1` option tells receivers to send a forensic report when ANY authentication mechanism fails (SPF or DKIM). The default `fo=0` only triggers when BOTH SPF and DKIM fail. We recommend `fo=1` for maximum visibility during the monitoring phase. ### How do I enable forensic reports? Add the `ruf=` tag to your DMARC record along with `fo=1` for maximum coverage. Example: `v=DMARC1; p=none; rua=mailto:rua@example.com; ruf=mailto:ruf@example.com; fo=1`. Use our [DMARC Record Generator](/tools/dmarc-record-generator/) to build the record. ## Get full visibility into authentication failures DMARC Report processes both aggregate and forensic reports in one dashboard - classifying threats and identifying unauthorized senders automatically. [Start Free Trial](https://app.dmarcreport.com/) ## What Users Say About Our Threat Detection ![G2 Leader - DMARC](https://media.mailhop.org/dmarcreport/images/g2-badges/DMARC_Leader_Leader.png) Rated 4.8/5 on G2 ยท 469 verified reviews ![G2 Momentum Leader - DMARC](https://media.mailhop.org/dmarcreport/images/g2-badges/DMARC_MomentumLeader_Leader.png) VU Verified User in Information Technology and Services 5/5 ### "Best security tool for your own domains" The weekly reports help me a lot to analyze quickly the emails sent from my domains and that gives me peace of mind. 8/31/2022Verified on G2 RC Ryan C. Director 4.5/5 ### "Control Centre for Email Security" I like that we can see and check all reports on just 1 platform. We manage multiple domains, and monitoring them all in one place is essential. 8/29/2022Verified on G2 eg eddy g. Director 4.5/5 ### "A great solution to a common email problem." I have been using them for the last month after my Google business email started giving DMARC errors. I didn't even know what it meant at that time. After a little googling I found that people can spoof it as well. So far so good โ€” the best thing is it protects every email. 8/29/2022Verified on G2 [Read all 469 reviews on G2 โ†’](https://www.g2.com/products/dmarc-report/reviews) ```json {"@context":"https://schema.org","@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]} ``` ```json {"@context":"https://schema.org","@type":"WebSite","name":"DMARC Report","url":"https://dmarcreport.com","description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","publisher":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}} ``` ```json [{"@context":"https://schema.org","@type":"FAQPage","mainEntity":[{"@type":"Question","name":"Does Gmail send DMARC forensic reports?","acceptedAnswer":{"@type":"Answer","text":"No. Google has never sent RUF forensic reports due to privacy concerns about including email headers and subject lines. You will receive forensic reports from Microsoft (Outlook/365), Yahoo, and some enterprise receivers, but not Gmail."}},{"@type":"Question","name":"Are forensic reports a privacy risk?","acceptedAnswer":{"@type":"Answer","text":"Forensic reports can contain personally identifiable information including subject lines, recipient addresses, and full email headers. Some receivers redact sensitive fields or do not send forensic reports at all. DMARC Report processes forensic data securely and provides controls for data retention."}},{"@type":"Question","name":"What does fo=1 mean in a DMARC record?","acceptedAnswer":{"@type":"Answer","text":"The fo=1 option tells receivers to send a forensic report whenever ANY authentication mechanism fails (SPF or DKIM). The default fo=0 only triggers a report when BOTH SPF and DKIM fail. Using fo=1 gives you broader visibility into failures."}},{"@type":"Question","name":"How are forensic reports different from aggregate reports?","acceptedAnswer":{"@type":"Answer","text":"Aggregate reports (RUA) are daily XML summaries showing volume and pass/fail rates per source IP. Forensic reports (RUF) provide per-message details about individual failures - the actual email headers, sender IP, subject line, and the specific authentication mechanism that failed. Learn more at /dmarc-aggregate-reports/."}}]}] ``` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://dmarcreport.com/"},{"@type":"ListItem","position":2,"name":"Learn","item":"https://dmarcreport.com/what-is-dmarc/"},{"@type":"ListItem","position":3,"name":"Forensic Reports","item":"https://dmarcreport.com/dmarc-forensic-report/"}]} ```