What are RUA and RUF in DMARC?

    DMARC, or Domain-based Messaging Authentication, Reporting, and Conformance is an effective email authentication system that protects against phishing attacks and detects fraud. The protocol also offers domain insights and visibility using two reporting features: RUA and RUF. 

    You must understand these two reporting types if you’re just starting with DMARC. In this article, we explore what RUA and RUF tags are and why they’re crucial in DMARC implementation.

    What are DMARC Tags?

    Before we discuss DMARC tags, keep in mind that adding a DMARC record to your DNS is mandatory if you want to receive these reports. A DMARC record is a TXT record published in your DNS settings. 

    This record encompasses a list of DMARC tags separated by semicolons, which, among other things, give the receiving email server instructions on what to do with emails that fail DMARC authentication checks. 

    The tags in a DMARC record include v, p, ruf, rua, fo, and sp. Each tag is given a value that indicates a particular aspect of DMARC. When creating a DMARC record, you don’t need to include all the tags—only three are vital—rua, v, and p.

    • RUA – This tag indicates the URI of the email server that you nominate to receive DMARC aggregate reports. You need this if you want to receive feedback from receiving email servers. 
    • p –  This tag represents your chosen DMARC policy, which could be one of the following: none, quarantine, or reject. If you’re new to DMARC, starting at “p=none” is advisable to monitor the domain channel before moving on to the quarantine and finally, the reject policy. 
    • v –  This is the DMARC version, which is usually DMARC1.

    What is RUA or the DMARC Aggregate Report Tag?

    The RUA or Aggregate Report is the general report type that provides an overview of a domain’s email traffic. They’re the most vital report type and provide information about the status of DKIM, SPF, and DMARC authentication checks and the source that sent them. 

    Interestingly, this report doesn’t contain any sensitive info about the email. An RUA DMARC report includes the following details:

    • Whether the email passes the SPF and DKIM authentication checks.
    • The IP and email address of the sender. 
    • Header From domain.
    • The time range and date of the report.
    • The DMARC policy applied. 

    This feedback is incredibly valuable to any organization that uses email. But even if you don’t use a specific domain for email, setting up DMARC and receiving Aggregate Reports can still provide you with insights into phishing and domain spoofing attackers impersonating your domain—which could negatively affect your business reputation.

    How Does an RUA Tag Work?

    Receiving email servers send RUA reports regularly to all domains with a properly implemented DMARC policy. These reports contain aggregate statistics encrypted in XML format, which are sent to the email address(es) following the “mailto:” specified in the RUA tag of your DMARC record. 

    In other words, the RUA tag is used to specify one or more email addresses where you want to receive DMARC Aggregate Reports. 

    The RUA tag contains a comma-separated list of email addresses with the “mailto:” prefix which you want your DMARC Aggregate Reports sent to. Here’s a DMARC record example showing RUA tag usage:

    v=DMARC1; p=none; rua=mailto:[email protected]

    The XML reports might be difficult to analyze if you don’t have the technical knowledge to understand them. But with our DMARC Aggregate Report Analyzer, you can collect, filter, and sort the reports for easy analysis in a human-readable format. 

    The domain or email indicated in the RUA tag must be permitted to receive DMARC reports. Otherwise, receiving email servers won’t send reports. You can also allow an external domain to receive aggregate reports. This is called external domain verification.

    What is RUF or the DMARC Failure Report Tag?

    The RUF or DMARC Failure (or Forensic) Report tag was designed to inform domain administrators about emails that fail SPF, DKIM, and DMARC authentication checks. In an RUF report, you’ll find sensitive details about an email, including the header, subject, URLs, and attachments. 

    However, most organizations prefer not to request RUF reports due to privacy and compliance issues. The aim is to comply with privacy laws and prevent data breaches. 

    With the RUF report, domain owners can easily identify the source of the emails that need remediation. Aside from providing forensic information, RUF reports also play a vital role in helping organizations strengthen their security. Benefits include:

    • Detailed information regarding individual emails.
    • Instant reports allowing domain administrators to identify malicious activities and proffer immediate mitigation plans quickly. 
    • Detailed information about all connected Internet Protocol addresses to help you recognize unauthorized IPs. 
    • Instant reports about emails that fail DMARC authentication checks. 

    While RUF reports can be an effective email authentication insight, domain owners in sensitive industries like finance, healthcare, education, and government should think twice before enabling them.

    Still, DMARC Forensic Reports can help identify spoofing attacks, allowing you to further protect your domain. These reports are typically only sent when both SPF and DKIM authentication and alignment fail.

    How Does an RUF Tag Work?

    RUF or Forensic reports are sent when an email purporting to come from your domain fails DMARC authentication. When the SPF and DKIM alignment fails, the Internet Service Provider generates a forensic report, indicating an issue with a sending IP. 

    Like RUA reports, RUF reports are delivered to the “mailto:” address specified in the RUF tag of your DMARC record. These reports can give you insight into why some legitimate messages are failing, and you can also see how unauthorized IPs using your domain construct their messages. 

    The type of failure is reflected in the ‘fo’ tag, while the email address where you want to receive RUF reports are indicated in the ‘ruf’ tag, as follows:

    v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]; sp=none; fo=0;

    Summary

    Bad actors can utilize reputable organization domains to send legitimate-looking emails to compromise sensitive information. With DMARC reports, you can instruct receiving email servers to send you aggregate and forensic reports using DMARC tags. The aim is to provide maximum email security protection. 

    While the RUF and RUA tags are optional, we recommend including them in your DMARC record. If you haven’t created your DMARC record, you can use our DMARC Record Generator to generate your record parameters. 

    It’s not enough to deploy the DMARC policy. You need to implement configuration correctly, which can be challenging. EasyDAMRC is ready to assist you and make your DMARC journey easy.