What is a DMARC Failure Report?

The DMARC protocol enables you to receive two types of reports: Aggregate reports and Failure reports. DMARC Failure Reports were formerly known as Forensic Reports, and they are much more detailed than DMARC Aggregate reports because they provide a sample of an email message that failed DMARC, DKIM, and SPF tests.

When SPF or DKIM does not align with DMARC, the ISP sends a failure report immediately, provided the ISP supports failure reporting. Currently, major ISPs like Google, Verizon, and Comcast do not support them.



This results in failing messages not generating reports even after configuring your DMARC record to accept failure reports. This is why a noticeable difference can be seen between DMARC Aggregate reports and Failure reports.

How to read a DMARC Failure Report?

In a typical DMARC failure report, one would find the following fields: 

  • Email address of the recipient: the address to which the original message was sent
  • SPF and DKIM authentication results 
  • Time of reception 
  • DKIM signature 
  • Host 
  • Subject of email 
  • Message ID of the email 
  • Other headers, such as custom headers, etc.

Here is an example of a DMARC failure report:

[Image: DMARC failure report example]

DMARC Failure Reporting Options (fo)

The four DMARC failure reporting options are set with the “fo” tag:

fo=0: Generates a failure report if both SPF and DKIM fail to align.

fo=1: Generates a failure report if either SPF or DKIM produced something other than an aligned result.

fo=d: Generates a DKIM failure report if the signature fails, regardless of alignment.

fo=s: Generates an SPF failure report if SPF fails, even if alignment is not the issue.
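The four options are easiest to compare on concrete messages. The Python sketch below is an added example, not code from the original article; the function names and sample records are constructed. It assumes, per RFC 7489, that fo values can be combined with colons, default to 0, and have no effect without a ruf tag, and it treats any SPF or DKIM result other than "pass" or "none" as a failure.

```python
# Added example: which failure reports the "fo" tag requests for one message.
# All names and sample records here are constructed for illustration.

def parse_dmarc_record(record):
    """Split a DMARC TXT record into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags


def failure_reports(record, spf_result, spf_aligned, dkim_result, dkim_aligned):
    """Return the set of report types ("dmarc", "dkim", "spf") requested.

    spf_result / dkim_result are the raw check outcomes ("pass", "fail", ...);
    "none" means no SPF record or no DKIM signature was present.
    """
    tags = parse_dmarc_record(record)
    if "ruf" not in tags:  # no report destination: fo has no effect
        return set()
    options = {o.strip().lower() for o in tags.get("fo", "0").split(":")}

    spf_ok = spf_result == "pass" and spf_aligned
    dkim_ok = dkim_result == "pass" and dkim_aligned

    reports = set()
    if "0" in options and not spf_ok and not dkim_ok:
        reports.add("dmarc")  # both mechanisms failed to align
    if "1" in options and not (spf_ok and dkim_ok):
        reports.add("dmarc")  # at least one mechanism is not aligned
    # Assumption: anything other than "pass" or "none" counts as a failed check.
    if "d" in options and dkim_result not in ("pass", "none"):
        reports.add("dkim")   # signature failed, alignment ignored
    if "s" in options and spf_result not in ("pass", "none"):
        reports.add("spf")    # SPF failed, alignment ignored
    return reports


if __name__ == "__main__":
    base = "v=DMARC1; p=reject; ruf=mailto:forensics@example.com; fo="
    # Constructed case: a forwarded message. SPF fails, aligned DKIM still passes.
    for fo in ("0", "1", "1:s", "d"):
        print(fo, sorted(failure_reports(base + fo, "fail", False, "pass", True)))
```

For the forwarded message in the demo, fo=0 requests nothing because DMARC still passes through DKIM, while fo=1 and fo=1:s do request reports, which is one source of the false positives listed under the cons.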

The Pros:

  1. They contain more data than aggregate reports, such as the subject of the email, IP information, date of receiving the message, message ID, URLs and delivery result.
  2. They are received immediately. 

The Cons:

  1. They have a high false-positive rate.
  2. Most ISPs have dropped support for failure reports.
  3. They potentially expose sensitive data.


DMARC Aggregate Reports VS DMARC Failure Reports

As mentioned above, DMARC supports two types of reports: Aggregate and Failure reports. 

These two have many differences and serve distinct purposes.

When comparing the two, here are some of the visible differences: 

| Aggregate reports | Failure reports |
|---|---|
| To receive reports, the rua tag must be set up | To receive reports, the ruf tag must be set up |
| Provide aggregate data on a group of emails | Provide details of a single email |
| Not real-time; by default they are sent every day | Sent immediately after failures |
| XML format | Plain text |
| Don’t contain PII (personally identifiable information) | Contain PII |
| Supported by all DMARC-compliant mailbox providers | Supported by only some mailbox providers |



Unlike DMARC Aggregate reports, DMARC Failure reports were an unsuccessful part of the DMARC standard. Aggregate reports cover DMARC failures in a more comprehensive manner and include all the information necessary to enforce DMARC without the risks that DMARC Failure reports have.
