DMARC RUF Tag (failure reports)

The DMARC RUF tag is used to specify which email addresses should receive DMARC failure (or forensic) reports. These failure reports are much more detailed than DMARC aggregate reports because they represent a "sample" of an email message that failed SPF, DKIM, or DMARC tests. These DMARC failures are in essence samples of the aggregate statistics seen in DMARC aggregate reports. Compared to DMARC aggregate reports, failure reports have not widely been implemented, with only a few email receivers (like NetEase, LinkedIn, and Hotmail) currently sending out these failure reports.

Even though only a few email receivers send these out, they can be useful when combined with DMARC aggregate reports to investigate a sample of a larger email delivery problem, such as an SPF or DKIM error. They can also be very useful in confirming spoofing and phishing attacks.

To receive failure reports with DMARC, the "ruf" tag is used. This tag acts similarly to the "rua" tag (which sends DMARC Aggregate Reports) in that it specifies the email address or email addresses to send failure reports to. This tag is formatted as a comma-separated list of mailto: addresses. For example, if you want to receive failure reports at the mailbox "dmarc-failures@example.com", you would set the "ruf" tag to ruf="mailto:dmarc-failures@example.com";. If you want the reports to go to multiple emails or a DMARC report processor, the tag would be similar to ruf="mailto:dmarc-failures@example.com", "mailto:dmarc-failures@mxtoolbox.com";

In the highlighted example below, a DMARC record is displayed with an email address set to receive DMARC failure reports: