DMARC Ruf Tag (failure reports)


The DMARC RUF tag is used to specify which email addresses should receive DMARC failure (or forensic) reports. These failure reports are much more detailed than DMARC Aggregate reports, as they represent a "sample" of an email message that failed SPF, DKIM, or DMARC tests. These DMARC failures are in essence samples of the aggregate statistics seen in DMARC Aggregate Reports. Compared to DMARC Aggregate Reports, Failure Reports have not widely been implemented with only a few email receivers (like NetEase, LinkedIn, & Hotmail) currently sending out these failure reports.

Even though only a few email receivers send these out, they can be useful when combined with DMARC Aggregate Reports to investigate a sample of a larger email delivery problem, such as an SPF or DKIM error. They can also be very useful in confirming Spoofing and Phishing attacks ongoing.

To receive failure reports with DMARC, the "ruf" tag is used. This tag acts similarly to the "rua" tag (which sends DMARC Aggregate Reports) in that it specifies the email address or email addresses to send failure reports to. This tag is formatted as a comma separate list of "mailto:" addresses. For example if you wanted to receive failure reports at the mailbox "" you would set the "ruf" tag to be ruf="";. If you wanted the reports to go to multiple emails or a DMARC Report processor the tag would look like this ruf="", "";

In the highlighted example below, a DMARC record is displayed with an email address set to receive DMARC failure reports:

v=DMARC1; p=quarantine; pct=25 ;;;