Forensic (RUF) reporting was once widely used for email troubleshooting, but privacy concerns have now marginalized its use. With over seven years of email ecosystem experience, dmarcian Deployment Consultant Mohammed Zaman talks about what he sees as the rise and fall of forensic reporting and what the future may hold for it.

When did you first come across email reporting?

I first came across email reporting back in 2014 when I began working in the email ecosystem. I learned that there are basically two types of DMARC reporting—the aggregate (RUA) where you see high-level information such as SPF passing or failing, DKIM passing or failing, and the domains. The forensic reporting (RUF), on the other hand, contains header information and sometimes content including personal information and full email addresses. 

Originally, the forensic reporting was very useful when it came to troubleshooting sources and third-party senders. It was handy to have the forensic report so you could pinpoint where SPF was failing, for example. Forensic reporting was pretty vigorous in the information that it provided; today, when most clients ask what you can do with it, the basic answer is, “not much.”

Why the decline in forensic reporting?

I started to notice the decline in RUF around late 2015 and early 2016. It was motivated by privacy concerns that were becoming more and more at the forefront of people’s minds. Conversations around how personal data was shared and where data was stored became more common. Everyone in the industry became more privacy-conscious; those concerns continue at a feverish pace as organizations tighten privacy standards after data breaches or bad press.

Google, the biggest email platform out there, doesn’t send them and Hotmail has discontinued RUF. I jokingly tell clients that the only usefulness of RUF reports is that you can find out who is using their business email address for LinkedIn activity. LinkedIn probably sends the majority of the forensic RUF reporting these days.

Do you currently see or use forensic reports?

I do still see RUF reporting being used. I recently was troubleshooting with a client and was able to obtain an RUF report from a European ISP, but even then it was heavily redacted. It contained some minimal header information with all personal data redacted.

How has your job changed with forensic reporting falling away?

The biggest challenge with RUF falling off is troubleshooting when something goes wrong. In the past, you could just look at the RUF report and tell where the issue was. Now, relying just on the aggregate (RUA) report, I have to go to the client for more specific answers, such as sending specific headers.  

Sometimes you come up with creative approaches while working towards a solution. Working with clients, I’ll have them send me a test email from the platform that we are attempting to fix authentication for. That way, I have a direct email from them and I can look at the header information that I would have had access to via the forensic reporting.

What do you think the future is for forensic reporting?

I think forensic reporting should make a comeback in a form that complies with regulations and better addresses privacy concerns. At the moment, the information DMARC reporters provide in the RUF seems to be inconsistent. Some, for example, just include headers. Others send the headers, the HTML and everything in between.

It would be good to get the community together to further define RUF guidelines that respect growing privacy concerns and still take advantage of the useful forensic information that is available. Perhaps that looks like having a heavily redacted RUF report?

I don’t know if it is going to take a push from the email community to encourage DMARC reporters or if improving the DMARC standard in some way is the answer. I honestly don’t know if there are any advocates in the community to evolve forensic reporting, so RUF may eventually fall away.
