D

DMARC afrf

Learn what DMARC AFRF forensic reports are, how they provide detailed failure insights, and how DMARCeye uses them for deeper authentication analysis.

Jack Zagorski
Oct 6, 2025

What is DMARC afrf?

The DMARC “afrf” (Authentication Failure Reporting Format) defines the structure and method for sending forensic reports when individual email messages fail authentication. These reports, also called forensic or failure reports, provide detailed information about the specific message that failed SPF, DKIM, or DMARC checks, helping domain owners investigate issues more precisely.

Unlike aggregate reports (which summarize daily activity), AFRF reports are sent in real time and focus on single message failures. They follow the format outlined in RFC 6591 and RFC 5965, using MIME to encapsulate message samples and diagnostic data.

How DMARC AFRF Reports Work

To receive AFRF reports, a domain must specify a “ruf=” tag in its DMARC record:

v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; ruf=mailto:forensics@example.com; fo=1
 

Key tags:

  • ruf= - Defines where to send forensic reports
  • fo= - Specifies when to send a report (e.g., on SPF or DKIM failure)
  • afrf - The format used for the failure report

An AFRF message typically includes:

  • Authentication result details (SPF, DKIM, DMARC)
  • Header samples and message identifiers
  • Sending IP and envelope information
  • Failure type and policy action taken

Advantages of AFRF Reporting

AFRF reports give administrators granular visibility into real-time authentication problems, allowing for faster incident response. However, they can also expose message content, so many providers disable them for privacy reasons.

DMARC AFRF and DMARCeye

DMARCeye uses the latest AI-based technology and smart programming to analyze both aggregate and forensic DMARC reports, including those in AFRF format. The platform securely processes forensic data to help identify unauthorized use of your domain and investigate failures without exposing sensitive message content.

By combining AFRF data with aggregate reporting, DMARCeye delivers a comprehensive view of your domain’s authentication posture, enabling rapid detection and remediation of spoofing attempts. Get alerts in real time, together with recommended next steps, so you can keep your domain secure in a world where phishing and spoofing are on the rise.

Sign up for a free trial of DMARCeye today and secure your email domain.

To learn more about DMARC and DMARC-related terms, explore the DMARCeye Glossary.
D

Similar posts

Get notified on new marketing insights

Be the first to know about new insights to build or refine your DMARC policy strategy.