A DMARC Forensic Report (RUF) is a failure report sent by a receiving email server when an email fails DMARC.
When you publish DMARC record for your domain, you can begin receiving two types reports:
Aggregate Reports (RUA)
Forensics Reports (RUF)
The main difference between these is that Forensics Reports are far more detailed than Aggregate Reports and contain specific information about individual emails that fail DMARC authentication. They’re sent as soon as the authentication fails so you have immediate notice of anything going wrong. Forensics Reports are not as widely implemented by mailbox providers as Aggregate Reports, but can still be useful in determining exactly which emails are failing DMARC and why.
In order to start receiving Forensics Reports to your inbox, you need to modify your DMARC record to include an RUF and fo:
[put full dmarc record with ruf tag highlighted]
tag: ruf=mailto:example@somedomain.com
v=DMARC1; p=none; rua=mailto:example@rua.powerdmarc.com; ruf=mailto:example@ruf.powerdmarc.com; fo=0:1:d:s;
DMARC Forensic Reports occasionally contain information from the body of the email itself, potentially revealing some sensitive and private information. To mitigate this, PowerDMARC gives you the option to encrypt your RUF Reports with a private key.