
RUA

RUA is the acronym for Reporting URI for Aggregate Reports.

RUA is a configuration tag used in a domain’s DMARC record. It tells email receivers where to send daily summary reports about email traffic claiming to be from that domain. Unlike RUF (Forensic) reports, which provide redacted copies of individual failed emails, RUA reports provide high-level, statistical data in XML format.


Key Components of RUA

  • The Tag: In a DMARC record, it is defined as rua=.
  • The Destination: The value following the tag is a URI, usually an email address (prefixed with mailto:).
  • Data Provided:
    • IP addresses of the sending servers.
    • Number of messages sent from those IPs.
    • Authentication results for SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail).
    • The action taken by the receiver (None, Quarantine, or Reject).

Why RUA Matters

  • Visibility: It is the “radar” for your domain. Without RUA, you have no way of knowing if legitimate emails (like those from a third-party payroll tool) are failing authentication.
  • Security: It helps identify “spoofing” attempts where malicious actors are trying to use your domain for phishing.
  • Path to Enforcement: You generally shouldn’t move your DMARC policy to p=reject until you have analyzed RUA reports to ensure your own legitimate mail is properly configured.
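
The fields listed under Data Provided, and the review that should precede a move to p=reject, can be worked through in a short script. This is an added example, not part of the original page: the sample report is constructed, the function names are hypothetical, and the element names follow the aggregate report schema in RFC 7489.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report (documentation IP ranges); not real traffic data.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <policy_published><domain>example.com</domain><p>quarantine</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>14</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.55</source_ip><count>37</count>
    <policy_evaluated><disposition>quarantine</disposition>
      <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""


def summarize(report_xml):
    """Aggregate message counts per sending IP from one RUA report."""
    # Reports come from external receivers, so treat them as untrusted input:
    # refuse DTD/entity declarations, which an aggregate report never needs.
    if "<!DOCTYPE" in report_xml or "<!ENTITY" in report_xml:
        raise ValueError("DTD or entity declaration in report")
    root = ET.fromstring(report_xml)  # assumes un-namespaced element names
    stats = defaultdict(lambda: {"total": 0, "dmarc_fail": 0, "dispositions": set()})
    for row in root.iterfind("record/row"):
        entry = stats[row.findtext("source_ip", "").strip()]
        count = int(row.findtext("count", "0"))
        dkim = row.findtext("policy_evaluated/dkim", "fail").strip().lower()
        spf = row.findtext("policy_evaluated/spf", "fail").strip().lower()
        entry["total"] += count
        # DMARC passes when either aligned check passes; it fails only if both do.
        if dkim != "pass" and spf != "pass":
            entry["dmarc_fail"] += count
        entry["dispositions"].add(row.findtext("policy_evaluated/disposition", "none"))
    return dict(stats)


def failing_sources(stats):
    """Return (ip, failed_count) pairs, highest volume first, for review."""
    failed = [(ip, s["dmarc_fail"]) for ip, s in stats.items() if s["dmarc_fail"]]
    return sorted(failed, key=lambda pair: -pair[1])


if __name__ == "__main__":
    for ip, failed in failing_sources(summarize(SAMPLE_REPORT)):
        print(f"{ip}: {failed} messages failed both SPF and DKIM")
```

Each source this reports is either a legitimate sender that still needs SPF or DKIM set up, or mail that is spoofing the domain; both need to be resolved before tightening the policy.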

Example of RUA in a DMARC Record

v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com;

In this example, the domain owner is requesting that aggregate reports be sent to dmarc-reports@example.com.

Summary Table: RUA vs. RUF

| Feature | RUA (Aggregate) | RUF (Forensic/Failure) |
|---|---|---|
| Frequency | Typically daily | Near real-time |
| Format | XML | AFRF (Email format) |
| Privacy | High (Contains no PII) | Low (Contains actual email content) |
| Primary Use | Monitoring and health checks | Troubleshooting specific failures |
