Forensic Reports (RUF)

Forensic reports provide message-level detail about individual emails that failed DMARC authentication. Unlike aggregate reports (which give daily summaries), forensic reports show you exactly what happened with specific messages.

Pro+ Feature

Forensic report analysis is available on Pro, Business, and Enterprise plans.

What Forensic Reports Contain

  • Email headers — From, To, Subject, Date (with privacy redaction)
  • Authentication results — SPF, DKIM, and DMARC pass/fail details
  • Sender IP — The IP address that sent the message
  • Failure reason — Why authentication failed (misaligned domain, invalid DKIM signature, etc.)
  • Disposition — What action the receiving server took
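The fields listed above arrive as a multipart/report email in the Authentication Failure Reporting Format (RFC 6591, extended for DMARC by RFC 7489). The following is an added example, not code from this product, showing how those fields can be pulled out of a raw report with Python's standard library; the sample report, its addresses and the names `parse_ruf`, `FIELDS` and `SAMPLE_REPORT` are constructed for illustration.

```python
import email
import re
# Constructed, simplified sample of a failure report (not a real message).
SAMPLE_REPORT = """\
From: noreply@receiver.example
To: ruf@example.com
Content-Type: multipart/report; report-type=feedback-report; boundary="b1"

--b1
Content-Type: text/plain

This is an authentication failure report.

--b1
Content-Type: message/feedback-report

Feedback-Type: auth-failure
Version: 1
Auth-Failure: dmarc
Identity-Alignment: none
Source-IP: 192.0.2.10
Reported-Domain: example.com
Delivery-Result: reject
Authentication-Results: receiver.example; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com

--b1
Content-Type: text/rfc822-headers

From: Billing <billing@example.com>
To: [redacted]
Subject: Invoice overdue
Date: Mon, 01 Jan 2024 10:00:00 +0000

--b1--
"""

FIELDS = ("Auth-Failure", "Identity-Alignment", "Source-IP", "Reported-Domain", "Delivery-Result")

def parse_ruf(raw):
    """Return feedback fields, per-mechanism results and the original headers."""
    out = {"results": {}, "headers": {}}
    for part in email.message_from_string(raw).walk():
        if part.get_content_type() == "message/feedback-report":
            fb = part.get_payload(0)  # the field block parses as a nested message
            out.update({f: fb.get(f) for f in FIELDS})
            out["results"] = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", fb.get("Authentication-Results", "")))
        elif part.get_content_type() == "text/rfc822-headers":
            out["headers"] = dict(email.message_from_string(part.get_payload()).items())
    return out
```

`Source-IP` is the sender IP, `Auth-Failure` and `Identity-Alignment` give the failure reason, and `Delivery-Result` is the disposition. Some receivers attach the full original message as `message/rfc822` instead of `text/rfc822-headers`; this example handles only the headers-only form.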

Viewing Forensic Reports

Navigate to Threat Intelligence → Forensic Reports (RUF). Filter by:

  • Date range
  • Failure reason (SPF, DKIM, alignment)
  • Source IP address
  • Domain

Investigating Failures

Click any report to see the full details. Use forensic data to:

  • Identify the source of spoofing attempts
  • Debug authentication problems with legitimate senders
  • Build evidence for security incident reports

Receiving Forensic Reports

Your DMARC record must include the ruf tag to receive forensic reports:

v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1

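The fo=1 tag requests a forensic report whenever any underlying mechanism (SPF or DKIM) fails to produce an aligned pass, even if the message still passes DMARC through the other mechanism. Without it, the default (fo=0) requests reports only when every mechanism fails.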

Note

Not all mail servers send forensic reports. Google, for example, does not send RUF reports. Microsoft and Yahoo do send them for some failures.
