The Difference in DMARC Reports: RUA and RUF
If you’re just getting started with your DMARC project, it’s important to understand the differences between the two associated report types—aggregate (RUA) and forensic (RUF). Once you’ve published DMARC records, DMARC data will typically begin to generate within a day or two in the form of these reports, which you configure to provide insight into the way your domains are handling email.
RUA reports provide a comprehensive view of all of a domain’s traffic; RUF reports are redacted copies of the individual emails that are not 100% compliant with DMARC. At a minimum, organizations should configure their DMARC record to receive RUA reports.
If you’re concerned with the type and sensitivity of data, this guide will detail things and lay out what you need to know regarding Personally Identifiable Information (PII).
What is a DMARC RUA Report?
Aggregate reports are the most important and contain information of the authentication status for SPF, DKIM, and DMARC.
An aggregate report doesn’t contain any sensitive information from the email itself; data is restricted to message counts and email authentication attributes. Nearly every domain owner registers to receive RUA reports; this is not the case with RUF reports.
RUA reports include the following information (marked in the example below):
- Date and time range of the report
- The domain
- The IP address that sent the message
- Whether SPF and DKIM have passed or failed
- The DMARC policy applied
- The domain associated with SPF and DKIM
How Does dmarcian Use RUA data?
dmarcian collects RUA reports, which are produced by reporters in XML format, and integrates them into our user-friendly DMARC Management Platform. Our platform specializes in processing these reports and provides actionable visibility that gives your organization information on DMARC compliance status (based on email source, DKIM and SPF). We alert you if there are any potential threats to or abuse on your domains.
At no time will dmarcian have access to mailboxes, full message bodies, attachments or other email elements that are considered sensitive.
What is a DMARC RUF Report?
RUF data was originally intended to provide domain owners with redacted copies of email that failed DMARC compliance. Domain owners can leverage the added details provided in forensic reports when attempting to identify the true origin of legitimate email streams that need remediation. Because of privacy concerns involving partial or inadequate redaction, most DMARC reporters do not provide RUF reporting. If you are a domain owner in a sensitive industry (healthcare, financials, government, education) you should give great consideration to the decision to enabling forensic reporting due to privacy concerns.
In practice, RUF reporting was initially used to power-specific threat intelligence activities because of the near real-time ability to extract malicious URLs. These malicious URLs could then be processed and fed to takedown services. Because RUF reporting is largely not provided by DMARC reporters, effective takedown intelligence based on RUF reporting must be augmented with specialized data feeds from the larger threat intelligence community.
Do I Need RUF Reporting with dmarcian to Achieve Compliance?
You don’t. dmarcian’s services have been developed to reach compliance goals without a need for reliance upon RUF reporting. Many receivers will not provide RUF reporting due to the potential personally identifiable information (PII) that reports may contain. Since the dmarcian platform and deployment process is an advanced reporting and business process, any level of RUF dependency has been ameliorated.
How Can I Use RUF Data?
RUF data can be useful to gain an understanding into why some legitimate traffic is failing DMARC and to potentially see more detail on how messages abusing your domain are constructed. Because of the limited number of DMARC report generators that support RUF reporting, RUF data is best supplemented with other data streams (e.g., from capturing submissions to abuse@ mailboxes and/or investigating mail logs to trace the origination of email streams).
How Does dmarcian Report on RUF?
dmarcian accepts RUF reports for processing and displays RUF reports to our customers via the Forensic Viewer functionality.
Reporting & Privacy
RUA reporting is the only requirement for building and maintaining DMARC compliance.
We’re Here to Help
With a team of email security experts and a mission of making email and the internet more trustworthy through domain security, dmarcian is here to help assess an organization’s domain catalog and implement and manage DMARC for the long haul.
Want to continue the conversation? Head over to the dmarcian Forum.