When you publish a DMARC record for your domain, you can begin receiving two types of reports: Aggregate Reports (RUA) and Forensic Reports (RUF).
 
The main difference between these is that Forensic Reports are far more detailed than Aggregate Reports and contain specific information about individual emails that fail DMARC authentication. They're sent as soon as authentication fails, so you have immediate notice of anything going wrong. Forensic Reports are not as widely implemented by mailbox providers as Aggregate Reports but can still be useful in determining exactly which emails are failing DMARC and why.
 
What are DMARC Failure/Forensic Reports (RUF)?
DMARC failure (forensic) reports are generated when outgoing emails sent from your domain do not align with SPF or DKIM and therefore fail DMARC authentication on your receiver's end. These reports are important for analyzing and detecting domain spoofing activities and attempts at brand impersonation by fraudsters.
 
When are DMARC Forensic Reports generated?
If you have DMARC monitoring and reporting enabled for your domain, a DMARC forensic report will be sent whenever one of your emails fails DMARC authentication on your receiver's end. It usually highlights a forensic incident such as an unauthorized IP trying to spoof your domain.
 
Why haven't I received any DMARC Forensic Reports?
If you haven't received any DMARC forensic reports, it can be because not all receivers support DMARC forensic reports. However, if you have it enabled for your domain and still have not received any reports, it just means that all your outbound emails have been DMARC authenticated and approved and have been 100% DMARC compliant (successfully aligned against SPF/DKIM). Your domain has been safe from spoofing activities so far, so no forensic incident has been triggered.
 
Overview of Forensic Reports View
In the DMARC forensic reports, you can filter results for a specific domain, by date range and subject of the forensic incident, and even search results for a particular hostname or IP of your choice.

 
The DMARC forensic reports on the DMARCDirector platform are sorted into tables with two columns: Subject and Count. Subject stands for the subject line of the email for which the forensic incident was triggered for a particular sending source or IP address, and Count is the number of emails sent from this source on behalf of your domain that failed DMARC authentication on your receivers' end.

 
Each of these rows can be cascaded to reveal the IP address of the email sender and to view the header details.
 
What are Feedback Headers?
Feedback headers are the headers of the email containing the forensic feedback reported by the mail receiver.
 
What are Mail Headers?
Email headers contain important information about the origin and path an email took before arriving at its final destination, including the sender's IP address, email client, and even location. The information could be used to block future emails from the sender (in the case of spam) or to determine the legitimacy of a suspicious email.
 
Note: In DMARC forensic reports, your feedback headers and mail headers can be encrypted using the PGP encryption feature.
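
To show how feedback headers and mail headers sit side by side in a raw failure report, here is an added example (not DMARCDirector's code) that parses an unencrypted report and builds a Subject/Count tally per sending IP. It assumes the report uses the AFRF layout of RFC 6591; the function names and the sample report are constructed for illustration.

```python
import email
from collections import Counter

# Constructed sample report in AFRF layout (RFC 6591); every value is made up.
SAMPLE = """\
From: reports@receiver.example
Content-Type: multipart/report; report-type=feedback-report; boundary="b1"

--b1
Content-Type: text/plain

Authentication failure report.
--b1
Content-Type: message/feedback-report

Feedback-Type: auth-failure
Auth-Failure: dmarc
Source-IP: 203.0.113.7
Reported-Domain: example.com
--b1
Content-Type: text/rfc822-headers

From: Billing <billing@example.com>
Subject: Invoice overdue
--b1--
"""

def parse_ruf(raw):
    """Return (feedback_headers, mail_headers) dicts from one failure report."""
    feedback, mail = {}, {}
    for part in email.message_from_string(raw).walk():
        ctype = part.get_content_type()
        if ctype == "message/feedback-report":
            # The parser exposes the report fields as headers of a nested message.
            feedback = dict(part.get_payload(0).items())
        elif ctype == "message/rfc822":  # receiver attached the full message
            mail = dict(part.get_payload(0).items())
        elif ctype == "text/rfc822-headers":  # receiver attached headers only
            mail = dict(email.message_from_string(part.get_payload()).items())
    return feedback, mail

def subject_counts(reports):
    """Group authentication failures by (subject, source IP)."""
    counts = Counter()
    for raw in reports:
        feedback, mail = parse_ruf(raw)
        if feedback.get("Feedback-Type", "").lower() == "auth-failure":
            counts[(mail.get("Subject", ""), feedback.get("Source-IP", ""))] += 1
    return counts
```
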
 
How do I export these reports as CSV?
On the DMARCDirector platform, you can directly download your DMARC forensic reports as a CSV file.

 
After downloading the CSV file you can view your forensic incident information in detail, as shown below: