ARF / Forensic Report Checker
Validate your DMARC forensic reporting — check ruf= destinations, external authorization, failure options, and provider compatibility.
What are DMARC Forensic Reports (ARF)?
DMARC forensic reports (also called failure reports) are detailed, per-message reports sent when an email fails DMARC authentication. Unlike aggregate reports (rua=) that provide daily statistical summaries, forensic reports (ruf=) contain information about individual failures, helping you identify and debug specific authentication problems. They use the Abuse Reporting Format (ARF) defined in RFC 5965.
Forensic vs. Aggregate Reports
| Feature | Aggregate (rua=) | Forensic (ruf=) |
|---|---|---|
| Frequency | Daily summary | Per-message (real-time) |
| Content | Statistical counts | Individual message details |
| Format | XML | ARF (RFC 5965) |
| Privacy impact | Low (aggregated data) | High (may contain headers/body) |
| Provider support | Widely supported | Limited (privacy concerns) |
The ruf= Tag and fo= Options
The ruf= tag in your DMARC record specifies where forensic reports should be sent (e.g., ruf=mailto:[email protected]). The fo= tag controls when reports are generated:
| fo= Value | Meaning |
|---|---|
0 (default) | Generate report when all mechanisms fail |
1 (recommended) | Generate report when any mechanism fails |
d | Generate report on DKIM failure |
s | Generate report on SPF failure |
External Destination Authorization
When your ruf= destination is at a different domain (e.g., ruf=mailto:[email protected]), RFC 7489 Section 7.1 requires an authorization record. The receiving domain must publish a TXT record at yourdomain._report._dmarc.monitoring.com containing v=DMARC1 to confirm it accepts reports for your domain.
Privacy Limitations
Most major mailbox providers — including Gmail, Yahoo, and Outlook — limit or suppress forensic reports due to privacy concerns. These reports can contain email headers and partial message content, which raises GDPR and privacy issues. When configuring forensic reporting, expect limited coverage from consumer providers. Enterprise gateways and smaller providers are more likely to send forensic reports.
Read the complete ARF guide to learn more.
Get the full picture with DMARCguard
Continuous monitoring, aggregate report parsing, and actionable insights for all your email authentication protocols.
Start Free