DMARC Forensic Reports: How To Read and Act on Them

DMARC Forensic Reports: What They Are and How To Use Them

DMARC forensic reports overview:

  • DMARC forensic reports provide per-message detail on emails that fail DMARC authentication
  • They differ from aggregate reports, which summarize all traffic over a set period
  • Forensic reports may contain sensitive data – assess privacy obligations before enabling ruf=
  • Use forensic reports alongside aggregate data, not as a replacement

DMARC forensic reports give security teams per-message visibility into emails that fail DMARC authentication. Where aggregate reports summarize authentication results across all traffic, DMARC forensic reports – also called RUF reports – provide details on individual failing messages.

That distinction matters when you need to investigate a specific spoofing attempt, diagnose a misconfigured sender, or build an audit trail for compliance purposes.

To receive forensic reports, add the ruf= tag to your DMARC record. This tag specifies the mailbox where receiving servers should send reports when a message fails DMARC.

See how Sendmarc gives your team unified visibility into DMARC authentication failures.

How DMARC Forensic Reports Work

When a receiving server detects a DMARC failure, it generates a per-message report and sends it to the address specified in your ruf= tag. DMARC forensic reports use the Abuse Reporting Format (ARF), an industry-standard format for reporting email abuse.

Each report can include:

  • Message headers
  • The sending address
  • Authentication results (SPF and DKIM)
  • Time of reception
  • DKIM signature
  • Sending host
  • Subject line
  • Message ID

The fo= tag controls when reports are generated:

  Tag value   When a report is sent
  fo=0        Only when both SPF and DKIM fail
  fo=1        When either SPF or DKIM fails
  fo=d        On DKIM failures only
  fo=s        On SPF failures only

One important limitation: not all receiving servers send DMARC forensic reports. Support is inconsistent across providers, and some major providers – including Gmail – don’t send RUF reports. This means forensic report data will never be complete. Use it alongside aggregate report data, not as a replacement for it.

DMARC Forensic Reports vs. Aggregate Reports

Understanding when to use each report type helps security teams get the most from their DMARC configuration.

  Aggregate reports
    Trigger:  Time-based (typically every 24 hours)
    Scope:    All email traffic
    Content:  Volume, pass/fail rates, sending sources
    Best for: Ongoing monitoring and policy enforcement

  Forensic reports
    Trigger:  Per-message failure
    Scope:    Individual failing messages
    Content:  Headers, authentication results, message details
    Best for: Investigating specific failures and spoofing attempts

Aggregate reports are the primary tool for day-to-day visibility and policy enforcement. Forensic reports are most useful when aggregate data surfaces a problem, but doesn’t explain it.

You can configure both in a single DMARC record:

  Host:  _dmarc.yourdomain.com
  Type:  TXT
  Value: v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1;
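As an added example (not Sendmarc's code), a small Python parser that reads a record of this shape and spells out which forensic-report conditions its fo= tag requests. It goes slightly beyond the table above by handling the colon-separated combinations RFC 7489 allows (fo=1:d:s) and the optional size suffix on a mailto: URI; the record, addresses and size limit are constructed.

```python
# Added example (not Sendmarc's code): parse a DMARC TXT record and spell out
# when receivers will send forensic (ruf=) reports for it.

# Meaning of each fo= option (RFC 7489 section 6.3). Options may be combined
# with ':' (e.g. fo=1:d:s), which the table above does not show.
FO_MEANING = {
    "0": "report only when neither SPF nor DKIM produces an aligned pass",
    "1": "report when either SPF or DKIM fails to produce an aligned pass",
    "d": "report every DKIM signature that fails to verify",
    "s": "report every SPF evaluation that fails",
}

def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; rejects malformed tags and a missing v=DMARC1."""
    tags = {}
    for part in filter(None, (p.strip() for p in record.split(";"))):
        key, sep, value = part.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed DMARC tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    return tags

def report_mailboxes(tags: dict, tag: str) -> list:
    """Mailboxes named by a rua= or ruf= tag (comma-separated mailto: URIs, optional !size suffix)."""
    uris = (u.strip() for u in tags.get(tag, "").split(","))
    return [u[len("mailto:"):].split("!")[0] for u in uris if u.lower().startswith("mailto:")]

def failure_report_policy(tags: dict) -> list:
    """Describe when forensic reports are sent; fo= defaults to 0 when absent."""
    if "ruf" not in tags:
        return ["no ruf= tag: forensic reports are not requested"]
    return [FO_MEANING.get(o, f"unknown fo= option {o!r}") for o in tags.get("fo", "0").split(":")]

# Constructed record in the same shape as the one in the table above ('!10m' caps report size).
EXAMPLE = ("v=DMARC1; p=reject; rua=mailto:dmarc-agg@example.com; "
           "ruf=mailto:dmarc-ruf@example.com!10m; fo=1;")

if __name__ == "__main__":
    tags = parse_dmarc(EXAMPLE)
    print("policy:", tags["p"], "| forensic reports to:", report_mailboxes(tags, "ruf"))
    for line in failure_report_policy(tags):
        print(" -", line)
```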

Privacy Considerations for DMARC Forensic Reports

Forensic reports can contain sensitive message content, including headers, subject lines, and, in some cases, body text from emails that failed DMARC. This creates data handling obligations that vary by region and industry.

Organizations subject to GDPR or similar privacy regulations should assess whether enabling ruf= is appropriate before doing so. If forensic reports capture personal data from third-party emails, that data must be handled in line with the applicable law.

Before enabling forensic reporting:

  • Confirm your legal basis for collecting and processing report data
  • Ensure the reporting mailbox is access-controlled and appropriately secured
  • Review your data retention obligations for report content

Note that some receiving servers redact sensitive fields, such as body content. This reduces the privacy risk but also limits the detail available for investigation.

Acting on Forensic Report Data

DMARC forensic reports are most useful when treated as part of an investigation. They help you:

  • Investigate unfamiliar sending IPs. If a forensic report includes a sending IP you don’t recognize, check whether it’s an unauthorized sender or a legitimate service that isn’t correctly configured. Unauthorized senders should be removed or blocked; legitimate senders need to be authorized in your SPF and DKIM configurations.
  • Diagnose the authentication failure. The authentication results in each report show whether the failure was caused by SPF or DKIM issues, or both. This determines what needs to be fixed.
  • Build audit trails. Forensic report data supports internal investigations and provides credible evidence to audit and risk committees.
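The following Python parser is an added example (not Sendmarc's code) that serves both the report contents listed under "How DMARC Forensic Reports Work" and the three investigation steps above: it reads an ARF failure report, extracts the source IP, the SPF/DKIM results and the original subject, and flags whether the IP is one you already authorize. The sample report, its reporter and the authorized IP set are constructed.

```python
# Added example (not Sendmarc's code): parse an ARF DMARC failure report
# (RFC 5965/6591) and triage it the way the investigation steps above describe.
import email, email.policy
# Constructed sample report: the reporter, IPs and addresses are made up.
RAW = """\
Content-Type: multipart/report; report-type=feedback-report; boundary="b1"

--b1
Content-Type: message/feedback-report

Feedback-Type: auth-failure
Reported-Domain: example.com
Source-IP: 203.0.113.45
Authentication-Results: mx.receiver.example.net; dkim=fail (bad signature) header.d=example.com; spf=fail smtp.mailfrom=example.com

--b1
Content-Type: message/rfc822

From: "Billing" <billing@example.com>
Subject: Account notice

--b1--
"""
# IPs your SPF/DKIM configuration authorizes (constructed; derive yours from your SPF record).
AUTHORIZED_IPS = {"198.51.100.10", "198.51.100.11"}

def _as_message(part):
    # message/* parts are parsed as nested messages; text/rfc822-headers arrives as a plain string.
    payload = part.get_payload()
    return payload[0] if isinstance(payload, list) else email.message_from_string(payload, policy=email.policy.default)

def triage(raw: str, authorized=AUTHORIZED_IPS) -> dict:
    """Return what an investigator needs: source IP, failed mechanism(s), known sender or not."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    if msg.get_param("report-type") != "feedback-report":
        raise ValueError("not an ARF feedback report")
    parts = {p.get_content_type(): _as_message(p) for p in msg.iter_parts()
             if p.get_content_maintype() == "message" or p.get_content_type() == "text/rfc822-headers"}
    report = parts["message/feedback-report"]          # KeyError on a malformed report
    original = parts.get("message/rfc822", parts.get("text/rfc822-headers"))
    results = {}                                       # mechanism -> pass/fail/...
    for clause in str(report.get("Authentication-Results", "")).split(";")[1:]:
        method, _, rest = clause.strip().partition("=")   # e.g. 'dkim=fail (bad signature) header.d=...'
        if method and rest:
            results[method] = rest.split()[0]
    ip = str(report.get("Source-IP", "")).strip()
    return {"source_ip": ip, "results": results,
            "failed": [m for m in ("spf", "dkim") if results.get(m) != "pass"],
            "known_sender": ip in authorized,   # False: unauthorized sender; True: misconfigured one
            "subject": str(original["Subject"]) if original is not None else None}
```

A report whose source IP is unknown and whose Authentication-Results show both mechanisms failing is the spoofing case; a known IP with only DKIM failing points at a signing misconfiguration.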

Parsing and acting on forensic report data manually isn’t practical. A DMARC management platform parses and surfaces failure report data across all your domains, so your team can investigate faster.

Unified Visibility Into DMARC Reporting

DMARC forensic reports surface details that aggregate data alone can’t provide. They identify specific authentication failures and give security teams the visibility needed to investigate spoofing attempts, eliminate unauthorized senders, and support compliance reporting.

Managing forensic report data across multiple domains requires more than a reporting mailbox. Sendmarc’s DMARC Management solution gives teams unified visibility into authentication failures, sending sources, and DMARC compliance.

Sendmarc provides:

  • Aggregate and forensic reporting in a single dashboard
  • Identification of unauthorized or unknown email senders
  • Continuous monitoring without increasing internal workload
  • Audit trails to support compliance and governance requirements

See how Sendmarc gives your team unified visibility into DMARC reporting.

*** This is a Security Bloggers Network syndicated blog from Sendmarc authored by Kiara Saloojee. Read the original post at: https://sendmarc.com/dmarc/forensic-reports/