Every DMARC record can include two reporting addresses: rua= for aggregate reports and ruf= for forensic (failure) reports. Most guides tell you to add both without explaining what they contain or why they are different. Here is what each one actually sends you.
What is rua?
rua (Reporting URI for Aggregate reports) is the DMARC tag that tells receiving mail servers where to send daily XML summary reports. These reports aggregate all authentication activity for your domain into a single file per reporting period, per sending provider.

Aggregate reports are the workhorse of DMARC monitoring. They give you a statistical view of your email authentication posture:
- Which IP addresses sent mail claiming to be from your domain
- How many messages each IP sent
- What DKIM and SPF results each IP produced
- What your DMARC policy was at the time
- What the receiving server did with each group of messages (none, quarantine, reject)
Aggregate reports do not contain individual message content, recipient addresses, subject lines, or message bodies. They are purely statistical.
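As an added example (not code from the original page), the Python below reads one aggregate report and totals passing and failing messages per source IP. The sample XML is constructed, the size cap is an assumed value, and the reader assumes a report without an XML namespace.

```python
import gzip
import io
import xml.etree.ElementTree as ET

MAX_BYTES = 10 * 1024 * 1024  # assumed cap on decompressed size (guards against gzip bombs)

# Constructed sample report, not real data; IPs are from documentation ranges.
SAMPLE_XML = b"""<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf>
    </policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>35</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
    </policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>5</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
    </policy_evaluated></row></record>
</feedback>"""

def load_report(data: bytes) -> ET.Element:
    """Parse a report delivered as raw XML or as a .gz attachment."""
    if data[:2] == b"\x1f\x8b":  # gzip magic bytes
        with gzip.GzipFile(fileobj=io.BytesIO(data)) as fh:
            data = fh.read(MAX_BYTES + 1)
    if len(data) > MAX_BYTES:
        raise ValueError("report exceeds size cap")
    return ET.fromstring(data)

def summarize(root: ET.Element) -> dict:
    """Total passing and failing message counts per source IP."""
    sources = {}
    for row in root.iter("row"):
        ev = row.find("policy_evaluated")
        # DMARC passes when either aligned DKIM or aligned SPF passes.
        passed = "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        entry = sources.setdefault(row.findtext("source_ip"), {"pass": 0, "fail": 0})
        entry["pass" if passed else "fail"] += int(row.findtext("count"))
    return {"domain": root.findtext("policy_published/domain"),
            "policy": root.findtext("policy_published/p"), "sources": sources}

def failing_sources(summary: dict) -> list:
    """(ip, failed_count) pairs, largest first: the senders to investigate."""
    bad = [(ip, s["fail"]) for ip, s in summary["sources"].items() if s["fail"]]
    return sorted(bad, key=lambda pair: -pair[1])
```

Reports arrive from external senders, so a hardened XML parser such as defusedxml is the safer choice for production intake.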
What is ruf?
ruf (Reporting URI for Failure/Forensic reports) is the DMARC tag that tells receiving mail servers where to send per-message failure reports. A forensic report is generated for each individual message that fails DMARC, and it includes detailed information about that specific message.

Forensic reports are modeled after the Abuse Reporting Format (ARF) and typically contain:
- The full message headers of the failing email
- The original From:, To:, Subject:, and Date: headers
- Authentication results (DKIM, SPF, DMARC)
- In some cases, the full message body
Side-by-side comparison
| Property | rua (Aggregate) | ruf (Forensic) |
|---|---|---|
| Report format | XML (compressed .gz or .zip) | MIME email with ARF attachment |
| Frequency | Once per day per reporting provider | Once per failing message (can be very high volume) |
| What it contains | Aggregated statistics by source IP | Headers and possibly body of each failing message |
| Contains PII? | No — only IPs, counts, pass/fail rates | Yes — recipient addresses, subjects, sometimes message body |
| Who sends it? | Google, Microsoft, Yahoo, Apple, most providers | Yahoo and some smaller providers. Google and Microsoft do not. |
| Volume | Predictable — one file per day per provider | Unpredictable — can flood your inbox during a spoofing attack |
| GDPR risk | Low | High — message headers contain personal data |
| Usefulness | High — primary tool for DMARC monitoring | Low in practice — most providers do not send them |
How to configure rua and ruf
Both tags are comma-separated lists of mailto: URIs in your DMARC TXT record:
v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-failures@example.com; fo=1
You can send reports to multiple addresses by separating them with commas:
rua=mailto:dmarc@example.com,mailto:dmarc@thirdparty-analyzer.com
If the reporting address is on a different domain than the one being reported on, that other domain must publish a special DNS record granting permission. The record name begins with the domain being reported on (here example.com):
example.com._report._dmarc.thirdparty.com TXT "v=DMARC1"
The fo tag — controlling when forensic reports are sent
The fo= tag controls the conditions under which forensic reports are generated. It only applies to ruf:
| fo value | Report generated when… |
|---|---|
| fo=0 (default) | Both SPF and DKIM fail (the message fails both checks) |
| fo=1 | Either SPF or DKIM fails (generates more reports) |
| fo=d | DKIM fails (only DKIM-specific failures) |
| fo=s | SPF fails (only SPF-specific failures) |
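The configuration rules above (comma-separated mailto: URIs, external destinations, and the fo tag) can be checked mechanically. The Python below is an added example, not code from the original page. It lists the authorization record names that external report destinations must publish, using the naming from RFC 7489 section 7.1, and flags fo problems. The function names are hypothetical, and the same-domain test is a labelled simplification.

```python
VALID_FO = {"0", "1", "d", "s"}

# The record from this page, with the third-party rua address added (constructed).
SAMPLE = ("v=DMARC1; p=none; rua=mailto:dmarc@example.com,"
          "mailto:dmarc@thirdparty-analyzer.com; "
          "ruf=mailto:dmarc-failures@example.com; fo=1")

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into lower-cased tag names and their values."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags

def report_domains(value: str) -> list:
    """Domains of the mailto: URIs in an rua/ruf value; a '!10m' size limit is dropped."""
    domains = []
    for uri in value.split(","):
        uri = uri.strip()
        if uri.lower().startswith("mailto:"):
            address = uri[len("mailto:"):].split("!", 1)[0]
            domains.append(address.rsplit("@", 1)[-1].lower())
    return domains

def audit(policy_domain: str, record: str) -> dict:
    """List the authorization records external destinations must publish, and fo issues."""
    tags = parse_dmarc(record)
    policy_domain = policy_domain.lower().rstrip(".")
    needed, notes = [], []
    for tag in ("rua", "ruf"):
        for dom in report_domains(tags.get(tag, "")):
            # Simplification: "same domain or a subdomain" stands in for the
            # Organizational Domain comparison, which needs the Public Suffix List.
            internal = dom == policy_domain or dom.endswith("." + policy_domain)
            name = f"{policy_domain}._report._dmarc.{dom}"
            if not internal and name not in needed:
                needed.append(name)
    fo = [opt.strip().lower() for opt in tags.get("fo", "0").split(":")]
    unknown = [opt for opt in fo if opt not in VALID_FO]
    if unknown:
        notes.append(f"unknown fo option(s): {', '.join(unknown)}")
    if "fo" in tags and "ruf" not in tags:
        notes.append("fo is set but ruf is absent, so fo has no effect")
    return {"needs_authorization": needed, "fo": fo, "notes": notes}
```

Each name in `needs_authorization` should resolve to a TXT record containing `v=DMARC1`; if it does not, receivers may decline to send reports to that address.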
Should you configure ruf?
For most domains, the answer is: configure rua, skip ruf for now. Here is why:
- Google and Microsoft do not send ruf reports. Since these two providers account for the majority of email received globally, configuring ruf will result in very few reports from the sources that matter most.
- Forensic reports contain personal data. Message headers include real email addresses of real people. Storing these reports creates GDPR obligations and data retention complexity that aggregate reports do not.
- ruf can flood your inbox during an attack. If someone is spoofing your domain aggressively and a provider sends ruf reports, you could receive thousands of report emails per hour.
- Aggregate reports (rua) contain all the information you need. The source IP, count, and authentication result from the aggregate report are sufficient to diagnose and fix any DMARC configuration problem.
If you do configure ruf, use a dedicated mailbox (not a shared inbox), set fo=1 to capture all failures, and ensure the mailbox has adequate retention controls to comply with your data protection obligations.
Which providers send rua and ruf?
| Provider | Sends rua? | Sends ruf? | Report sender address |
|---|---|---|---|
| Google / Gmail | Yes | No | noreply-dmarc-support@google.com |
| Microsoft / Outlook | Yes | No | dmarcreport@microsoft.com |
| Yahoo / AOL | Yes | Yes (limited) | postmaster@dmarc.yahoo.com |
| Apple | Yes | No | postmaster@apple.com |
| Fastmail | Yes | Yes | Various |
The privacy risk of ruf reports
DMARC forensic reports can contain personally identifiable information. A forensic report for a spoofed phishing message sent to a Gmail user might include:
- The recipient Gmail address in the To: header
- The Subject line of the phishing email
- The full message body (in some implementations)
- Timestamps revealing when the recipient was targeted
Under GDPR and similar regulations, receiving and storing this data requires a legal basis and appropriate safeguards. This is the primary reason why Google and Microsoft declined to implement ruf reporting.
For this reason, how you handle DMARC report data matters. Processing reports locally — without uploading them to a third-party SaaS tool — keeps any sensitive data on your own device.
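One way to limit what is retained from a failure report, shown as an added example that is not part of the original page: the Python below keeps only the diagnostic fields and the spoofed From: domain, and discards the recipient address, subject and body. The report is constructed, the `minimize` name is hypothetical, and only the headers-only (text/rfc822-headers) form of the embedded message is handled.

```python
import email
from email.utils import parseaddr

KEEP = ("Feedback-Type", "Auth-Failure", "Source-IP", "Reported-Domain", "Arrival-Date")

# Constructed failure report, not a real message; all addresses are placeholders.
SAMPLE_REPORT = """\
From: reporter@receiver.example
Subject: FW: Urgent invoice
Content-Type: multipart/report; report-type=feedback-report; boundary="b1"

--b1
Content-Type: text/plain

This is an authentication failure report.
--b1
Content-Type: message/feedback-report

Feedback-Type: auth-failure
Source-IP: 198.51.100.7
Auth-Failure: dmarc
Reported-Domain: example.com

--b1
Content-Type: text/rfc822-headers

From: billing@example.com
To: recipient@mailbox.example
Subject: Urgent invoice

--b1--
"""

def minimize(raw: str) -> dict:
    """Reduce a failure report to diagnostic fields; recipient, subject and body are dropped."""
    kept = {}
    for part in email.message_from_string(raw).walk():
        ctype = part.get_content_type()
        if ctype == "message/feedback-report":
            fields = part.get_payload(0)  # the machine-readable block parses as headers
            kept.update({k: fields[k] for k in KEEP if fields[k]})
        elif ctype == "text/rfc822-headers":
            original = email.message_from_string(part.get_payload())
            # Keep only the spoofed From: domain, never the To: or Subject: values.
            sender = parseaddr(original.get("From", ""))[1]
            kept["header_from_domain"] = sender.rsplit("@", 1)[-1].lower()
    return kept
```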
Frequently asked questions
What is rua in DMARC?
rua is the Reporting URI for Aggregate reports — the email address where receiving providers send daily XML summary files showing authentication statistics for mail claiming to be from your domain.
What is ruf in DMARC?
ruf is the Reporting URI for Failure/Forensic reports — the email address where providers send per-message reports for individual emails that fail DMARC. These contain message headers and potentially message content.
Which providers send DMARC forensic reports?
Google and Microsoft do not send forensic reports due to privacy concerns. Yahoo and some smaller providers do. In practice, you will receive very few ruf reports even if you configure the tag.
What is the fo tag in DMARC?
The fo= tag controls when forensic reports are generated: fo=0 (both mechanisms fail), fo=1 (either mechanism fails), fo=d (DKIM fails), fo=s (SPF fails). Only relevant if you have ruf= configured.
.xml, .gz, or .zip file to DMARC Labs. Your file is processed entirely in your browser — it is never sent to a server, which addresses exactly the privacy concerns that make ruf problematic.

In summary: configure rua= for every domain — it is the primary tool for DMARC monitoring. Add ruf= only if you have a specific need for per-message failure forensics and a process for handling the personal data it contains. The aggregate reports from Google and Microsoft alone are sufficient to monitor, diagnose, and enforce your DMARC policy.