Where are the Forensic/Failure reports?
People often configure their DMARC records and use the “RUF” tag to ask for Forensic/Failure reports. However, they’re often slow to arrive. If you just added the RUF tag to your DMARC record, be aware that it might take up to 24 hours for your change to be picked up by the larger Internet. If you’re still not seeing Forensic reports, there are a few other things to note.
There are three primary reasons why report generators do not send them:
- Privacy concerns: Even though the reports can be redacted, some report generators do not send them simply to avoid any issue related to privacy. That is, the individual Forensic/Failure reports can contain Personally Identifiable Information (PII), and some major email receivers are incredibly sensitive to any potential privacy-related issues.
- Volume: Generating Forensic/Failure reports can result in the generation of a huge amount of email… one inbound email can cause one Forensic/Failure report to be generated. If a system is the target of a botnet-based attack, it might end up generating hundreds of thousands or even millions of Forensic/Failure reports. This ends up utilizing real resources.
- Not Required: Organizations have demonstrated an ability to deploy DMARC without having access to Forensic/Failure reports. In fact, some organizations do not even ask for Forensic/Failure reports due to privacy concerns. If they’re not enabled, there is no chance of accidentally introducing privacy-based liability.
Today, Forensic/Failure reports mainly come from NetEase, LinkedIn, and a few smaller sites. Therefore, if someone spoofs your domain in emails that are delivered to any of these receivers, you’ll get Forensic/Failure reports. If the spoofing is flowing into environments such as Google, Yahoo, or Microsoft, you won’t get any insight from Forensic/Failure reports as those entities and many others do not generate them.
There is talk of creating a form of Forensic/Failure report that is less prone to privacy concerns. However, security companies want less redaction so that they’ll have more data to power their solutions, whereas DMARC deployers can get their work done without Forensic/Failure reports. Therefore the work creating privacy-sensitive Forensic/Failure reports hasn’t moved beyond just talk.