
How to Read DMARC Forensic Reports

Learn how to enable and understand DMARC forensic (RUF) reports to identify spoofing, authentication failures, and misconfigurations.


DMARC forensic reports (also called failure reports or RUF reports) are detailed notifications that mailbox providers send when an individual message fails DMARC authentication.

Unlike aggregate reports, which summarize thousands of messages per day, forensic reports focus on a single message and include:

  • The sender’s IP address and envelope-from domain
  • The DKIM and SPF results for that message
  • The DMARC alignment outcome
  • Portions of the original message header (sometimes even the subject line)

To learn how to read aggregate reports rather than forensic reports, see our full guide to reading DMARC aggregate reports.


Forensic reports are sent in real time to the email address specified in your DMARC record’s ruf tag, for example:

ruf=mailto:dmarc-forensic@yourdomain.com

Because they can include sensitive message data, not every provider sends them, but those that do offer valuable clues when something goes wrong.

How Forensic Reports Differ from Aggregate Reports

Here’s how forensic reports compare to aggregate (RUA) reports:

Aspect      Aggregate (RUA)             Forensic (RUF)
Scope       Summarized, domain-level    Single message, detailed
Format      XML file                    Plain text or AFRF format
Frequency   Daily                       Real time (per failure)
Purpose     Trend monitoring            Incident investigation

You need both types of reports to get a complete picture of your domain’s email authentication health.

Why Forensic Reports Are Useful

Forensic reports are your early warning system. They help you:

  • Spot spoofing attempts quickly when unauthorized servers try to use your domain.
  • Diagnose configuration issues, such as DKIM keys not aligning or SPF entries missing.
  • Validate DMARC enforcement by confirming which messages were rejected or quarantined.
  • Document evidence of abuse if you ever need to report phishing or impersonation.

For organizations rolling out DMARC, these reports often reveal overlooked senders or systems that fail authentication before legitimate messages start getting blocked.


For a full overview and roadmap of DMARC set up and implementation, see our DMARC monitoring and compliance guide.


How to Enable DMARC Forensic Reports

If you want to start receiving forensic reports, you need to add the ruf tag to your DMARC record.

Example:

v=DMARC1; p=quarantine; rua=mailto:dmarc-aggregate@yourdomain.com; ruf=mailto:dmarc-forensic@yourdomain.com; fo=1;

Let’s break this down:

  • ruf= - The address where forensic reports should be sent.
  • fo= - The failure reporting options. Common values include:
    • fo=0 - Report if both SPF and DKIM fail (default).
    • fo=1 - Report if either SPF or DKIM fails.
    • fo=d - Report DKIM failures only.
    • fo=s - Report SPF failures only.

If you’re testing your setup, fo=1 is a good starting point; it ensures you get detailed visibility while you fine-tune authentication.
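To make the fo= options concrete, here is an added example (not code from the original guide or from DMARCeye) that parses a DMARC TXT record such as the one above, pulls out the ruf= targets, and decides, for a given message's SPF and DKIM outcomes, whether each fo= option would cause a failure report to be generated. The decision rules follow the fo tag definition in RFC 7489 section 6.3; the function and class names (`parse_dmarc_record`, `ruf_addresses`, `AuthOutcome`, `triggers_report`, `would_report`) and the sample outcomes are my own constructions for illustration.

```python
"""Added example: parse a DMARC record and evaluate its fo= reporting options.

fo= semantics (RFC 7489, section 6.3):
  0 - report only if every mechanism failed to give an aligned "pass" (default)
  1 - report if any mechanism failed to give an aligned "pass"
  d - report if a DKIM signature was present but failed verification, regardless of alignment
  s - report if SPF evaluation failed, regardless of alignment
Options may be combined with ":" (e.g. fo=1:d:s); any matching option triggers a report.
"""
from dataclasses import dataclass

# The record from the guide above (yourdomain.com is a placeholder, not a real domain).
EXAMPLE_RECORD = ("v=DMARC1; p=quarantine; rua=mailto:dmarc-aggregate@yourdomain.com; "
                  "ruf=mailto:dmarc-forensic@yourdomain.com; fo=1;")


def parse_dmarc_record(txt: str) -> dict:
    """Split 'tag=value; tag=value; ...' into a dict with lower-cased tag names."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue                      # tolerate the trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must contain v=DMARC1")
    return tags


def ruf_addresses(tags: dict) -> list[str]:
    """Return the mailto: targets listed in ruf=, or [] if no forensic reports are requested."""
    addrs = []
    for uri in tags.get("ruf", "").split(","):
        uri = uri.strip()
        if uri.startswith("mailto:"):
            # An optional "!size" suffix limits report size; strip it to get the bare address.
            addrs.append(uri[len("mailto:"):].split("!")[0])
    return addrs


@dataclass
class AuthOutcome:
    """Constructed summary of what the receiver saw for one message."""
    spf: str            # "pass", "fail" or "none" for the envelope-from domain
    spf_aligned: bool   # envelope-from domain aligns with the header From domain
    dkim: str           # "pass" (a signature verified), "fail" (present but broken) or "none"
    dkim_aligned: bool  # the verified signature's d= domain aligns with the header From


def triggers_report(fo: str, o: AuthOutcome) -> bool:
    """True if any option in the fo= value would generate a failure report for this outcome."""
    spf_ok = o.spf == "pass" and o.spf_aligned     # an aligned SPF pass
    dkim_ok = o.dkim == "pass" and o.dkim_aligned  # an aligned DKIM pass
    for opt in fo.split(":"):
        opt = opt.strip()
        if opt == "0" and not spf_ok and not dkim_ok:
            return True
        if opt == "1" and not (spf_ok and dkim_ok):
            return True
        if opt == "d" and o.dkim == "fail":
            return True
        if opt == "s" and o.spf == "fail":
            return True
    return False


def would_report(record_txt: str, o: AuthOutcome) -> bool:
    """Apply a published record to an outcome; fo= defaults to "0" when absent."""
    tags = parse_dmarc_record(record_txt)
    if not ruf_addresses(tags):
        return False                      # nowhere to send a report
    return triggers_report(tags.get("fo", "0"), o)


if __name__ == "__main__":
    # A third-party mailer: SPF passes for the vendor's own domain (not aligned), no DKIM.
    third_party = AuthOutcome(spf="pass", spf_aligned=False, dkim="none", dkim_aligned=False)
    for fo in ("0", "1", "d", "s"):
        print(f"fo={fo}: report={triggers_report(fo, third_party)}")
    print("record would report:", would_report(EXAMPLE_RECORD, third_party))
```

The `third_party` outcome is the classic rollout surprise: a vendor sends with its own envelope domain, so SPF passes but is not aligned, and without an aligned DKIM signature the message fails DMARC even though nothing is "broken" on the vendor's side. With fo=0 or fo=1 you get a report for it; with fo=d or fo=s you do not, because neither mechanism itself failed.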

Tip: Always use a dedicated mailbox for forensic reports. They can arrive in large numbers, and some may contain sensitive data.

How to Read a DMARC Forensic Report

Most forensic reports are sent as plain-text attachments in the Authentication Failure Reporting Format (AFRF). Here’s what to look for.

1. Authentication Results

The top section usually shows SPF, DKIM, and DMARC results. Example:

Authentication-Results: spf=fail smtp.mailfrom=spammer.com;
    dkim=none;
    dmarc=fail (p=reject)

This tells you:

  • The message came from spammer.com, not your legitimate sender.
  • DKIM wasn’t signed.
  • DMARC failed, and the policy instructed rejection.

2. Source IP and From Domain

Next, identify where the message came from and which domain it claimed to represent:

Source-IP: 192.0.2.45
Reported-Domain: yourdomain.com

If the IP doesn’t belong to a legitimate service or vendor, it’s likely a spoof attempt.

3. Message Identifiers

Look for message IDs, envelope-from, and header-from fields. They help trace the source or misconfiguration:

Original-Mail-From: user@yourdomain.com
Header-From: yourdomain.com
DKIM-Domain: none

This shows that the message claimed your domain in both the envelope-from and the header From, yet neither SPF nor DKIM produced an aligned pass (no DKIM signature was present at all). This is a common issue when third-party tools send email on your behalf.

4. Sample Message Data

Some forensic reports include a fragment of the original message or header for analysis. While useful for investigation, be cautious, because these can contain personally identifiable information.

Handling and Analyzing Forensic Reports

Once you start receiving reports, you can handle them in two ways:

Manual Review

  • Open reports in your email client or a text editor.
  • Search for repeated IPs or domains that fail authentication.
  • Cross-check against your known mail systems.

Automated Analysis

  • Use a DMARC monitoring tool like DMARCeye to automatically collect and visualize forensic data.
  • Correlate forensic failures with your aggregate reports to see patterns over time.

Manual review is fine for small volumes, but once you reach multiple domains or heavy traffic, automation becomes essential.
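The following added example (not code from the original guide or from DMARCeye) ties the reading steps in sections 1 to 3 to the manual-review steps just listed: it parses AFRF forensic reports, which arrive as RFC 6591 multipart/report messages carrying a message/feedback-report part, extracts Source-IP, Reported-Domain, the envelope-from and the SPF/DKIM/DMARC verdicts, counts repeated source IPs, and sorts them into addresses you already know versus unknown ones. The report text, the `yourdomain.com` / `vendor.example` names, the documentation IP addresses and the function names (`parse_afrf`, `triage`) are all constructed for illustration.

```python
"""Added example: parse AFRF (RFC 6591) forensic reports and triage repeated sources."""
import email
import ipaddress
import re
from collections import Counter
from email import policy

# Constructed template of a forensic report, shaped like what a reporting provider emails.
# Only the fields this example reads are filled in; real reports carry more.
_TEMPLATE = """\
From: dmarc-reports@mx.example
To: dmarc-forensic@yourdomain.com
Subject: DMARC failure report for yourdomain.com
MIME-Version: 1.0
Content-Type: multipart/report; report-type=feedback-report; boundary="rpt"

--rpt
Content-Type: text/plain; charset=utf-8

This is an authentication failure report for a message received from IP {ip}.

--rpt
Content-Type: message/feedback-report

Feedback-Type: auth-failure
User-Agent: ConstructedReporter/1.0
Version: 1
Original-Mail-From: {mail_from}
Source-IP: {ip}
Reported-Domain: yourdomain.com
Authentication-Results: mx.example; spf={spf} smtp.mailfrom={mail_from}; dkim={dkim}; dmarc=fail (p=reject) header.from=yourdomain.com
Delivery-Result: reject

--rpt
Content-Type: message/rfc822

From: "Finance" <billing@yourdomain.com>
To: someone@example.org
Subject: Invoice overdue
Message-ID: <constructed-{n}@yourdomain.com>

(body omitted)

--rpt--
"""

# Three constructed reports: two from the same unknown IP, one from a documented vendor
# whose SPF passes for its own domain but is not aligned with yourdomain.com.
SAMPLE_REPORTS = [
    _TEMPLATE.format(ip="192.0.2.45", mail_from="user@yourdomain.com", spf="fail", dkim="none", n=1),
    _TEMPLATE.format(ip="192.0.2.45", mail_from="user@yourdomain.com", spf="fail", dkim="none", n=2),
    _TEMPLATE.format(ip="198.51.100.7", mail_from="bounce@vendor.example", spf="pass", dkim="none", n=3),
]
KNOWN_SOURCES = {"198.51.100.7"}  # constructed: IPs of mail systems you have documented as yours

_VERDICT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def _feedback_fields(part) -> dict:
    """Return the 'Field: value' pairs of a message/feedback-report part."""
    payload = part.get_payload()
    if isinstance(payload, list):          # the parser exposes message/* bodies as a nested message
        return {name: str(value) for name, value in payload[0].items()}
    fields = {}                            # fallback: a raw text body of header-style lines
    for line in payload.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            fields[name.strip()] = value.strip()
    return fields


def parse_afrf(raw: str) -> dict:
    """Extract the fields sections 1 to 3 of the guide tell you to look at."""
    msg = email.message_from_string(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/report":
        raise ValueError("not a multipart/report message")
    fields = None
    for part in msg.walk():
        if part.get_content_type() == "message/feedback-report":
            fields = _feedback_fields(part)
            break
    if fields is None:
        raise ValueError("no message/feedback-report part found")
    source_ip = ipaddress.ip_address(fields["Source-IP"].strip())  # rejects a garbled value
    verdicts = dict(_VERDICT_RE.findall(fields.get("Authentication-Results", "")))
    return {
        "source_ip": str(source_ip),
        "reported_domain": fields.get("Reported-Domain", "").strip(),
        "mail_from": fields.get("Original-Mail-From", "").strip(),
        "spf": verdicts.get("spf", "none"),
        "dkim": verdicts.get("dkim", "none"),
        "dmarc": verdicts.get("dmarc", "none"),
    }


def triage(raw_reports: list[str], known_sources: set[str]) -> dict:
    """Count failures per source IP and split them into known senders and unknown ones."""
    by_ip = Counter(parse_afrf(r)["source_ip"] for r in raw_reports)
    result = {"known": {}, "unknown": {}}
    for ip, count in by_ip.items():
        result["known" if ip in known_sources else "unknown"][ip] = count
    return result


if __name__ == "__main__":
    for raw in SAMPLE_REPORTS:
        print(parse_afrf(raw))
    print(triage(SAMPLE_REPORTS, KNOWN_SOURCES))
```

An IP in the "known" bucket points at a legitimate sender whose SPF include or DKIM signing needs fixing; a repeated IP in the "unknown" bucket is the pattern the guide describes as a likely spoof attempt and is worth cross-checking against any vendor you have not yet documented.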

Privacy and Limitations

Some mailbox providers don’t send forensic reports at all due to privacy concerns. Gmail, for instance, no longer provides them.

Even when available, the reports are not guaranteed for every failed message; they’re best treated as supplemental, not comprehensive.

That said, when you do receive them, they’re among the most actionable signals for identifying active spoofing or misconfigurations.

How DMARCeye Simplifies Forensic Report Monitoring

Forensic reports can arrive from dozens of providers in different formats — and managing them manually can get messy fast.

DMARCeye simplifies this by automatically collecting and organizing both aggregate and forensic reports across all your domains.

With DMARCeye, you can:

  • View all failed message sources in one unified dashboard.
  • Identify recurring unauthorized IPs or spoofing attempts.
  • See which legitimate senders are failing authentication and need configuration fixes.
  • Track your overall authentication health in real time.

Instead of sorting through raw XML or text files, you get a clear, actionable view of what’s happening with your domain, so you can respond quickly and confidently.

Get a free trial of DMARCeye today and start protecting your email domain.
