
A configuration tag in a DMARC record that identifies the destination where email receivers should send Failure Reports (historically called Forensic Reports). Unlike aggregate data, RUF provides detailed, individual snapshots of specific messages that failed SPF, DKIM, or DMARC alignment.
Key Components of RUF
- The Tag: Represented in the DNS record as ruf=.
- The Destination: A URI, typically an email address (e.g., mailto:security@example.com).
- Data Provided:
  - The full header of the failed email.
  - The subject line.
  - The body of the message (often redacted for privacy).
  - Specific reasons for the authentication failure.
Why RUF Matters
- Granular Troubleshooting: While RUA tells you that a server is failing, RUF can show you why by providing the specific headers and message details needed to debug complex mail flow issues.
- Phishing Forensics: It allows security teams to see the exact content of a spoofing attack, helping them identify the “lure” being used against their customers or employees.
- Real-time Alerting: Since RUF reports are generated almost immediately after a failure occurs, they serve as a near real-time alert system for domain abuse.
Example of RUF in a DMARC Record
v=DMARC1; p=reject; rua=mailto:agg@example.com; ruf=mailto:forensics@example.com; fo=1;

In this example, the fo=1 tag is often used alongside RUF to tell the receiver to generate a report if any underlying authentication mechanism (SPF or DKIM) fails.
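As an added example (not part of the original page), the Python below parses a DMARC record like the one above and audits its ruf and fo tags, flagging a missing destination or one outside the policy domain. The function names and the same-domain comparison are assumptions made for illustration; the fo meanings and the `_report._dmarc` authorization name follow RFC 7489.

```python
# Added example (not from the original page): audit the ruf/fo settings of a DMARC record.
FO_MEANING = {  # failure-reporting options defined in RFC 7489
    "0": "report if all mechanisms fail to produce an aligned pass",
    "1": "report if any mechanism fails to produce an aligned pass",
    "d": "report on a failed DKIM signature, regardless of alignment",
    "s": "report on an SPF failure, regardless of alignment",
}

def parse_dmarc(record):
    """Split a DMARC TXT record into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags

def audit_ruf(record, policy_domain):
    """Return (ruf mailboxes, fo options, findings) for one record."""
    tags = parse_dmarc(record)
    mailboxes = []
    for uri in tags.get("ruf", "").split(","):
        scheme, _, rest = uri.strip().partition(":")
        if scheme.lower() == "mailto" and "@" in rest:
            mailboxes.append(rest.split("!")[0])  # drop optional "!10m" size limit
    fo = [o.strip().lower() for o in tags.get("fo", "0").split(":")]  # default is 0
    findings = []
    if not mailboxes:
        findings.append("no ruf destination: failure reports are not requested")
        if "fo" in tags:
            findings.append("fo is ignored when ruf is absent")
    findings += [f"unknown fo option {o!r}" for o in fo if o not in FO_MEANING]
    pd = policy_domain.lower().rstrip(".")
    for box in mailboxes:
        host = box.rsplit("@", 1)[1].lower().rstrip(".")
        # Simplification: RFC 7489 compares Organizational Domains (needs the Public Suffix List).
        if host != pd and not host.endswith("." + pd):
            findings.append(f"{box} is external: message-level data leaves {pd}; "
                            f"receiver expects TXT at {pd}._report._dmarc.{host}")
    return mailboxes, fo, findings

if __name__ == "__main__":
    page_record = ("v=DMARC1; p=reject; rua=mailto:agg@example.com; "
                   "ruf=mailto:forensics@example.com; fo=1;")
    print(audit_ruf(page_record, "example.com"))
```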
Summary Table: RUF vs. RUA
| Feature | RUF (Forensic/Failure) | RUA (Aggregate) |
| --- | --- | --- |
| Level of Detail | Individual message level | High-level traffic statistics |
| Delivery Timing | Near real-time | Usually every 24 hours |
| Privacy Risk | Higher (may contain PII) | Very low (metadata only) |
| Primary Goal | Detailed forensic investigation | General monitoring and alignment |
Privacy Considerations
Due to privacy regulations (like GDPR) and the risk of exposing sensitive user data contained in email headers or bodies, many major mailbox providers (such as Gmail and Outlook) have limited or stopped sending RUF reports entirely. Organizations often use third-party DMARC analysis tools to securely ingest and redact these reports.