DMARC Failure Reports (Forensic Reports) Explained.

DMARC Failure Reports Forensic Reports

What is a DMARC Failure Report?

DMARC failure reports are generated and sent almost immediately by the mailbox provider after an email fails DMARC authentication. It provides detailed information about the email message so that the domain administrator can use it to investigate into what caused the email to fail authentication and track down the sender.

DMARC failure reports were previously known as DMARC forensic reports.

How to Read a DMARC Failure Report?

The fields are present in a typical DMARC failure report:

  • recipient email address: the email address the original message was intended for;
  • authentication results: both SPF and DKIM;
  • received time;
  • DKIM signature;
  • host that sent the email;
  • email subject;
  • email message ID;
  • other email headers, including custom headers.

Here is an example DMARC failure report:

How to Receive DMARC Failure Reports?

In order to receive DMARC failure reports, you need to set up the ruf tag in your DMARC record.

Check out this post on the details: How to Receive DMARC Reports.

DMARC Aggregate Reports VS DMARC Failure Reports

DMARC aggregate reports and DMARC failure reports are the two types of reports supported in DMARC. They serve different purposes and differ in multiple aspects.

Here is a side-by-side comparison of DMARC aggregate reports and DMARC failure reports:

  • an aggregate report provides aggregate data on a group of emails, while a failure report provides details of an individual email;
  • to receive aggregate reports, set up the rua tag; to receive failure reports, set up the ruf tag;
  • aggregate reports are not real-time: they are sent everyday by default; failure reports are sent almost immediately after the failures;
  • aggregate reports are in XML format, while failure reports are in plain text;
  • aggregate reports don't contain personally identifiable information (PII) like recipient email address; failure reports do contain PII;
  • aggregate reports are supported in all DMARC-compliant mailbox providers, while failure reports are supported in only a handful of mailbox providers.

Previous Post Next Post

 Protect Business Email & Improve Email Deliverability

Get a 14 day trial. No credit card required.

Create Account