Once you’ve published DMARC records, DMARC data will typically begin to arrive within a day or two in the form of reports that give you insight into the way your domains are handling email.
There are two forms of reports: RUA reports, which provide an aggregate view of all of a domain’s traffic, and RUF reports, which are redacted forensic copies of the individual emails that are not 100% compliant with DMARC. While RUA reports show the traffic of the email, RUF reports contain snippets from the actual emails themselves.
RUF data was originally intended to provide domain owners with redacted copies of email that failed DMARC compliance. Domain owners would then be able to identify legitimate email streams that need remediation. Due to privacy concerns involving partial or inadequate redaction, most DMARC report generators do not provide RUF reporting. Furthermore, domain owners in sensitive industries (healthcare, financials, governments) do not ask for RUF reporting to avoid any potential future liability due to partially redacted RUF reports.
In practice, RUF reporting was originally used to power specific threat intelligence activities due to the near real-time ability to extract malicious URLs. These malicious URLs could then be processed and fed to takedown services. Because RUF reporting is largely not provided by DMARC reporters, effective takedown intelligence based on RUF reporting must be augmented with specialized data feeds from the larger threat intelligence community.
In dmarcian’s experience, companies and organizations deploy DMARC to put in place controls to disallow unauthorized use of email domains. Once controls are in place, organizations move on to building and maintaining other controls and projects.
Do I need RUF reporting with dmarcian in order to achieve compliance?
No, dmarcian’s services have been developed to reach compliance goals without relying on RUF reporting. Many receivers will not provide RUF reporting because the reports may contain personally identifiable information (PII). Since the dmarcian platform and deployment process together form an advanced reporting and business process, any level of RUF dependency has been ameliorated.
How can I use the RUF data?
RUF data can be useful for understanding why some legitimate traffic is failing DMARC and for potentially seeing more detail on how messages abusing your domain are constructed. Because of the limited number of DMARC report generators that support RUF reporting, RUF data is best supplemented with other data streams (e.g., from capturing submissions to abuse@ mailboxes and/or investigating mail logs to trace the origination of email streams).
How does dmarcian report on RUF?
dmarcian accepts RUF reports for processing and displays RUF reports to our customers via the Forensic Viewer functionality.
RUA Reporting and DMARC compliance
RUA reporting is the only requirement for building and maintaining DMARC compliance.
dmarcian’s deployment process is a project-based approach that allows companies to build DMARC compliance into day-to-day operations. The inability of data-sensitive organizations to utilize RUF reporting (and the lack of RUF reporting by data-sensitive report generators) means dmarcian’s solution necessarily has to operate successfully on RUA data alone.
dmarcian’s mission is to see DMARC adopted across the Internet, including by companies and countries that maintain strong data privacy requirements. dmarcian meets this mission by building and maintaining accurate and complete Source Identification (mail sent on behalf of a domain by third parties, such as a newsletter service provider) to power reporting and actions that build and maintain DMARC compliance across all domains.
RUF data can provide extra insights, but is not necessary. Potential insight gained by RUF data can be realized through other sources such as abuse@ mailboxes and through mail log analysis.