
RUA and RUF in DMARC

DMARC involves more than setting up DMARC policies and publishing records. You must learn how it operates and determine whether your record requires any promotions or downgrades. This examination is carried out by adding RUA and RUF tags to the record, followed by the email addresses at which you choose to receive the reports. RUA and RUF are two kinds of reporting mechanisms in DMARC (Domain-based Message Authentication, Reporting, and Conformance) that help domain owners keep an eye on how their email is being used or abused.

5/21/2025

What is RUA in DMARC?

In this first section of the article on RUA vs. RUF reports, let's examine what a DMARC RUA report is and why you need one. The RUA report, which stands for aggregate report, contains data about the traffic to your email-sending domain. You receive a summary of the emails that enter and exit your business. This broad DMARC report is simply intended to assist you in distinguishing between false and real positives; it does not include any sensitive information. When properly examined, it stops domain spoofing and phishing attacks.


A DMARC RUA Report's Content

For the DMARC monitoring exercise to be successful, you must opt to receive both the RUF and RUA reports because they contain distinct information. A DMARC RUA report includes the following information:


1. Details of the unsuccessful authentication

The IP address of the sending server, the authenticated domain, and specific authentication methods that are rejected by the SPF and/or DKIM filters are all included in this section.


2. Headers for Messages

You can track down hostile entities and spot possible emailing hazards by looking at message headers.


3. Results of Authentication

Details about whether a message succeeded or failed the DKIM and SPF authenticity checks. Additionally, it highlights instances of pertinent error messages.


4. Number of Messages

The number of messages that escaped the SPF and DKIM filters is shown here.


How the "RUA" Tag Operates

Email servers that receive messages send RUA reports on a regular basis to all domains with a correctly implemented DMARC policy. These reports, which are sent to the email address or addresses listed after "mailto:" in the RUA tag of your DMARC record, contain encrypted aggregate statistics in XML format.


To be clear, you can specify one or more email addresses where you would like to receive DMARC Aggregate Reports by using the RUA tag. To identify the recipients for the DMARC Aggregate Reports, it contains a list of email addresses preceded by "mailto:" that are separated by commas.
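The comma-separated "mailto:" list in the RUA tag (and in the RUF tag, which uses the same format) can be checked mechanically. The script below is an added example, not code from the original post: the record, the domains and the function names are constructed for illustration. It goes slightly beyond the text by reading the optional size limit suffix and naming the authorization record that RFC 7489 requires a recipient outside your domain to publish.

```python
import re

# Constructed sample record for the placeholder domain example.com.
SAMPLE_RECORD = (
    "v=DMARC1; p=none; "
    "rua=mailto:dmarc-agg@example.com,mailto:reports@vendor.example!10m; "
    "ruf=mailto:dmarc-forensic@example.com"
)

# mailto URI with the optional "!<size>" report size limit from RFC 7489.
REPORT_URI = re.compile(r"mailto:([^@\s!,]+@([^@\s!,]+))(?:!(\d+[kmgt]?))?", re.I)

def parse_tags(record):
    """Split a DMARC TXT record into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def report_destinations(record, policy_domain, tag="rua"):
    """List the recipients in the rua or ruf tag of a DMARC record."""
    destinations = []
    for uri in parse_tags(record).get(tag, "").split(","):
        if not uri.strip():
            continue
        match = REPORT_URI.fullmatch(uri.strip())
        if match is None:
            raise ValueError(f"unsupported report URI: {uri!r}")
        address, domain, limit = match.group(1), match.group(2).lower(), match.group(3)
        # Simplification: only the policy domain and its subdomains count as
        # internal; RFC 7489 compares organizational domains.
        internal = domain == policy_domain or domain.endswith("." + policy_domain)
        destinations.append({
            "address": address,
            "max_size": limit,
            # External recipients must publish this TXT record (RFC 7489, 7.1)
            # or receivers will not send them reports.
            "authorization_record": None if internal
            else f"{policy_domain}._report._dmarc.{domain}",
        })
    return destinations
```

A recipient with a non-empty `authorization_record` is a third party receiving data about your mail flow, so it is worth confirming that each such entry is a provider you actually use.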


What is RUF in DMARC?

The initial purpose of RUF data was to give domain owners redacted copies of emails that didn't comply with DMARC. When trying to determine the actual source of valid email streams that require repair, domain owners might use the extra information included in forensic reports. The majority of DMARC reporters do not report on RUF because of privacy concerns over partial or insufficient redaction. Because of privacy considerations, domain owners in sensitive industries (such as healthcare, finance, government, or education) should carefully evaluate whether to allow forensic reporting.


Because RUF reporting can extract harmful URLs in almost real-time, it was first utilized to support specialized threat intelligence tasks. After processing, these harmful URLs might be supplied to takedown services. Effective takedown intelligence based on RUF reporting needs to be supplemented with specific data feeds from the greater threat intelligence community because DMARC reporters do not typically give RUF reporting.


How Do RUF Tags Operate?

When an email claiming to be from your domain fails DMARC authentication, RUF or Forensic reports are generated. The Internet service provider creates a forensic report showing a problem with a sending IP when the SPF and DKIM alignment is unsuccessful. Similar to RUA reports, RUF reports are sent to the "mailto:" address listed in your DMARC record's RUF tag. In addition to showing you how illegal IPs using your domain craft their messages, these reports might help you understand why certain valid messages are failing.


A DMARC RUF Report's Contents

Details in RUF and RUA reports differ. A RUF report includes the following:


1. Results of Authentication

Information on whether a message succeeded or failed SPF and DKIM checks is sent to you. It walks domain owners through the email usage patterns for their domain.


2. Headers for Messages

To comprehend the context of unsuccessful emails sent from your domain, it includes information about the sender, recipient, subject line, and timestamps. In this manner, you may assess the narrative


3. Message Content

If possible, domain owners can look through the contents of questionable communications to find and look into possible wrongdoers. Making connections and comprehending the larger context are aided by the analysis of attachments and links.


4. Details of Encryption 

To prevent exploitation, RUF reports are transmitted in an encrypted format.


5. Action of the "RUF" Tag

When an email purporting to be from your domain fails DMARC authentication, RUF or DMARC forensic reports are sent. The Internet service provider creates a forensic report to indicate a problem with a sending IP if SPF and DKIM alignment fails. Like RUA reports, RUF reports are sent using the "mailto:" format to the email address listed in your DMARC record's RUF tag. These reports reveal the structure of messages sent by illegal IPs using your domain and provide insights into why some acceptable communications fail.


Frequently Asked Questions


1. Should I use both RUF and RUA?

No, it is not required to use both RUA and RUF. The most popular reports for tracking the status of your domain's email authentication are RUA reports. Despite their usefulness, RUF reports are less frequently used owing to privacy concerns, since they may contain sensitive information (such as email headers). RUA is typically adequate to monitor problems and possible misuse of your domain if you're just getting started with DMARC.


2. What sort of information can I expect to find in the RUA (aggregate) reports?

An overview of DMARC data is given via RUA reports, which include:

How many emails are sent from your domain.

How many emails passed and failed DKIM and SPF checks.

The source IP addresses that are sending emails on your behalf.

Outcomes of DMARC alignment checks, which determine if emails sent from your domain complied with the DMARC guidelines.


3. What risks come with not using RUF and RUA?

Absence of Visibility: You won't be able to determine whether your domain is being used in phishing efforts or how well your email authentication is working without RUA (aggregate reporting).

Unresolved Issues: In the absence of RUF reports, you can overlook particular email failures that might indicate security flaws or illegal domain usage.

Generally speaking, it's a good idea to set up at least RUA reporting so you can keep an eye on the health of your domain and identify possible problems early.
