Forensic Reports

Forensic reports show you exactly which emails failed - and why

DMARC forensic reports (RUF) provide per-message details about individual emails that failed DMARC authentication - the sender IP, email headers, subject line, and the specific mechanism that failed. They are your first line of investigation when spoofing is detected.

Definition

What is a DMARC forensic report?

A DMARC forensic report (also called a failure report) is a per-message notification sent by a receiving mail server when an individual email fails DMARC authentication. Unlike aggregate reports that summarize volumes, forensic reports give you the actual details of each failed message.

Forensic reports are configured via the ruf= tag in your DMARC record. Not all receivers send forensic reports - notably, Gmail does not send RUF reports due to privacy concerns, according to Google's DMARC documentation.

Microsoft (Outlook/365) and Yahoo are among the major receivers that do send forensic reports. Combined with aggregate data, they provide a complete picture of your domain's email authentication health.

Forensic Report Detail

Field             | Value                          | Assessment
From              | ceo@yourdomain.com             | spoofed
Return-Path       | bounce@malicious-server.ru     | mismatch
Source IP         | 91.203.145.22                  | unauthorized
SPF Result        | fail - IP not in SPF record    | fail
DKIM Result       | fail - no valid signature      | fail
DMARC Disposition | reject                         | enforced
Subject           | Urgent: Wire Transfer Required | suspicious

Use Cases

What you can investigate with forensic reports

Forensic reports are your investigative tool when aggregate reports flag suspicious activity. Each failure report gives you the evidence to determine what happened and take action.

Spoofing attempts

Identify attackers impersonating your executives, billing department, or support team. Forensic reports show the exact From address used, the true source IP, and the Return-Path mismatch.

Misconfigured third-party senders

Discover legitimate services (marketing platforms, CRMs, ticketing systems) sending as your domain without proper SPF/DKIM configuration. Fix them before tightening policy.

Forwarding failures

Email forwarding (mailing lists, .edu redirects, auto-forwards) breaks SPF alignment. Forensic reports reveal which forwarding paths cause failures so you can whitelist or implement ARC.

Shadow IT detection

Find unauthorized SaaS tools sending email as your domain without IT approval - forgotten trial accounts, marketing experiments, or employee-configured services.

Comparison

Aggregate vs forensic reports

Both report types serve different purposes. Aggregate reports provide the big picture; forensic reports provide the evidence. You need both for effective DMARC enforcement.

Feature          | Aggregate (RUA)                   | Forensic (RUF)
Report type      | Volume summary (XML)              | Per-message detail
Frequency        | Daily (24-hour batches)           | Per failure (real-time or batched)
Granularity      | Per source IP                     | Per individual message
Data included    | IP, count, pass/fail, disposition | Full headers, subject, alignment detail
Privacy impact   | Low - no message content          | Higher - contains headers and subject
Receiver support | Near-universal                    | Limited - Gmail does not send RUF
DMARC tag        | rua=                              | ruf=
Primary use      | Trend analysis, sender discovery  | Incident investigation, threat analysis

Privacy

Privacy considerations for forensic reports

Forensic reports can contain personally identifiable information (PII) - subject lines, recipient email addresses, and full message headers. This is why some receivers choose not to send them, and why they require careful handling.

  • Gmail does not send forensic reports due to privacy policies
  • Microsoft sends forensic reports but may redact some fields
  • Yahoo sends forensic reports with varying levels of detail
  • Some enterprise receivers send full forensic data
  • DMARC Report processes forensic data securely with configurable retention

Forensic report data types

Data type              | What it contains                                | Privacy impact
Email headers          | Routing information and authentication results  | Medium
Subject line           | May reveal confidential communication topics    | High
Recipient address      | Identifies the target of the failed message     | High
Source IP              | Server IP address - not personally identifiable | Low
Authentication results | Technical pass/fail data with no PII            | Low

Configuration

The fo= tag - controlling when reports fire

The fo= tag in your DMARC record tells receivers which failure types should trigger a forensic report. Each option gives you different granularity.

fo=0 (default)

Generate a forensic report only when BOTH SPF and DKIM fail to produce an aligned pass. This is the most conservative setting and produces the fewest reports.

fo=1 (any failure)

Generate a forensic report when EITHER SPF or DKIM fails to produce an aligned pass. Recommended - gives you visibility into partial failures that fo=0 would miss.

fo=d (DKIM failure)

Generate a report when any DKIM signature fails evaluation, regardless of alignment. Useful for debugging DKIM key rotation or selector issues.

fo=s (SPF failure)

Generate a report when SPF evaluation fails for any reason, regardless of alignment. Useful for identifying SPF configuration gaps or IP range changes.

Recommended configuration: Use fo=1 to capture the widest range of failures. During the monitoring phase (p=none), this gives you maximum visibility into authentication issues before you tighten your policy. Generate your record with our DMARC Record Generator.
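The fo= rules above, and the example record from the FAQ, as an added example (not code from DMARC Report or any receiver): it parses a DMARC record, reads ruf= and fo=, and decides from the SPF/DKIM results whether a receiver would generate a forensic report. It goes slightly beyond the page in also accepting several fo= options joined with colons (fo=1:d), which RFC 7489 permits; the example.com addresses are the page's own placeholders.

```python
"""Decide whether a receiver will generate a DMARC forensic (RUF) report.

Added example, not code from DMARC Report. It parses the kind of record
shown on this page and applies the fo= options as RFC 7489 defines them.
"""

# Constructed record, assumed to be published at _dmarc.example.com
DMARC_RECORD = ("v=DMARC1; p=none; rua=mailto:rua@example.com; "
                "ruf=mailto:ruf@example.com; fo=1")


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict of lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags


def should_send_forensic(record: str, spf_pass: bool, spf_aligned: bool,
                         dkim_pass: bool, dkim_aligned: bool) -> bool:
    """Return True if the fo= options request a report for these results.

    An 'aligned pass' means the mechanism passed AND its domain aligned
    with the From header domain. fo= may list several options separated
    by colons (e.g. fo=1:d); an absent fo= means fo=0.
    """
    tags = parse_dmarc(record)
    if "ruf" not in tags:          # no report destination: nothing is ever sent
        return False
    options = set(tags.get("fo", "0").split(":"))
    spf_ok = spf_pass and spf_aligned
    dkim_ok = dkim_pass and dkim_aligned
    if "1" in options and not (spf_ok and dkim_ok):
        return True                # fo=1: EITHER mechanism lacks an aligned pass
    if "0" in options and not spf_ok and not dkim_ok:
        return True                # fo=0: BOTH mechanisms lack an aligned pass
    if "d" in options and not dkim_pass:
        return True                # fo=d: DKIM signature failed, alignment ignored
    if "s" in options and not spf_pass:
        return True                # fo=s: SPF evaluation failed, alignment ignored
    return False


if __name__ == "__main__":
    # The partial failure fo=0 would miss: SPF fails, DKIM gives an aligned pass
    print(should_send_forensic(DMARC_RECORD, False, False, True, True))   # True
```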

FAQ

Frequently asked questions

Does Gmail send DMARC forensic reports?

No. Google has never sent RUF forensic reports due to privacy concerns about including email headers and subject lines in failure notifications. You will receive forensic reports from Microsoft (Outlook/365), Yahoo, and some enterprise receivers, but not from Gmail. Use aggregate reports for Gmail sender data.

Are forensic reports a privacy risk?

Forensic reports can contain PII including subject lines, recipient addresses, and full email headers. Some receivers redact sensitive fields or decline to send forensic reports entirely. DMARC Report processes forensic data securely with configurable data retention policies. Organizations subject to GDPR or CCPA should review their forensic data handling procedures.

What does fo=1 mean in a DMARC record?

The fo=1 option tells receivers to send a forensic report when ANY authentication mechanism fails (SPF or DKIM). The default fo=0 only triggers when BOTH SPF and DKIM fail. We recommend fo=1 for maximum visibility during the monitoring phase.

How do I enable forensic reports?

Add the ruf= tag to your DMARC record along with fo=1 for maximum coverage. Example: v=DMARC1; p=none; rua=mailto:rua@example.com; ruf=mailto:ruf@example.com; fo=1. Use our DMARC Record Generator to build the record.

Get full visibility into authentication failures

DMARC Report processes both aggregate and forensic reports in one dashboard - classifying threats and identifying unauthorized senders automatically.


What Users Say About Our Threat Detection

G2 Leader - DMARC

Rated 4.8/5 on G2 · 469 verified reviews


Verified User in Information Technology and Services

5/5

"Best security tool for your own domains"

The weekly reports help me a lot to quickly analyze the emails sent from my domains, and that gives me peace of mind.

8/31/2022 Verified on G2

Ryan C.

Director

4.5/5

"Control Centre for Email Security"

I like that we can see and check all reports on just 1 platform. We manage multiple domains, and monitoring them all in one place is essential.

8/29/2022 Verified on G2

eddy g.

Director

4.5/5

"A great solution to a common email problem."

I have been using them for the last month after my Google business email started giving DMARC errors. I didn't even know what it meant at that time. After a little googling I found that people can spoof it as well. So far so good — the best thing is it protects every email.

8/29/2022 Verified on G2