Configuring rua and ruf Tags in DMARC

Learn what rua and ruf mean in DMARC, how to configure aggregate and forensic reporting addresses, and when to use each tag safely.

By CheckDomainHealth Editorial Team Reviewed by Dionis Ceban Updated Jun 28, 2026 7 min read Beginner

Introduction

DMARC can send reports that help you understand who is sending email for your domain and whether those messages pass SPF, DKIM and DMARC alignment. The two main reporting tags are rua and ruf.

The rua tag is used for aggregate reports, which summarize authentication results over time. The ruf tag is used for forensic or failure reports, which may contain message-level details. Most domains should start with rua because aggregate reports are more commonly supported and safer to use.

Quick answer

Quick answer

rua tells receivers where to send DMARC aggregate reports. ruf tells receivers where to send forensic or failure reports. Most domains should configure rua first. Use ruf carefully because forensic reports are less commonly supported and may include sensitive message-level information.

rua and ruf

rua and ruf are DMARC reporting tags.

rua

Defines where aggregate reports should be sent.

ruf

Defines where forensic or failure reports should be sent.

Example
v=DMARC1; p=none; rua=mailto:dmarc@example.com; ruf=mailto:dmarc-failures@example.com

The rua tag is the most important reporting tag for most domains. ruf is optional and should be used carefully.

rua explained

The rua tag defines the destination for DMARC aggregate reports. Aggregate reports summarize authentication results from receiving mail providers.

Example
rua=mailto:dmarc@example.com
  • Source IPs sending mail for your domain
  • Message counts
  • SPF results
  • DKIM results
  • DMARC results
  • Policy applied
  • Alignment results

Aggregate reports are often sent as compressed XML attachments. Many domains use a DMARC report parser or service to read them more easily.

ruf explained

The ruf tag defines the destination for forensic or failure reports. These reports may include more detailed information about individual messages that failed DMARC.

Example
ruf=mailto:dmarc-failures@example.com

Forensic reports are less commonly supported than aggregate reports. Some receivers do not send them at all, and some may limit the data included.

Because forensic reports may contain message-level information, use ruf only when you understand the privacy and data-handling implications.

rua vs ruf

rua

  • Report type: Aggregate reports
  • Data level: Summary-level
  • Format: Usually XML, often compressed
  • Support: Common
  • Best use: Monitoring senders and preparing enforcement
  • Privacy risk: Lower

rua=mailto:dmarc@example.com

ruf

  • Report type: Forensic/failure reports
  • Data level: Message-level failure samples
  • Format: Receiver-dependent
  • Support: Less common
  • Best use: Investigating specific failures
  • Privacy risk: Higher

ruf=mailto:dmarc-failures@example.com

For most beginner and business setups, rua is enough to start.

Report syntax

DMARC report destinations usually use mailto: addresses.

Aggregate reports only
v=DMARC1; p=none; rua=mailto:dmarc@example.com
Aggregate and forensic reports
v=DMARC1; p=none; rua=mailto:dmarc@example.com; ruf=mailto:dmarc-failures@example.com
Multiple rua destinations
v=DMARC1; p=none; rua=mailto:dmarc@example.com,mailto:reports@example.net

Use addresses you control or a reporting service you trust. Make sure the mailbox can receive attachments.

External reporting

If you send DMARC reports to an address outside the domain, some receivers require external reporting authorization.

Example
Domain: example.com
DMARC record: v=DMARC1; p=none; rua=mailto:reports@dmarcservice.example.net

The external reporting domain may need to publish an authorization record that allows reports for example.com.

If reports are not arriving when using a third-party reporting service, check whether external report authorization is required and configured correctly.

Why this matters

Why this matters

rua and ruf matter because DMARC reports provide visibility. Without reporting, you may not know which systems are sending mail for your domain, which providers fail alignment, or whether unknown sources are attempting to spoof your domain.

Reporting is especially important before moving from p=none to quarantine or reject.

How to check tags

Use DMARC Checker to inspect your DMARC record and confirm whether reporting tags are configured correctly.

When checking rua and ruf, review

These six checks help confirm reporting tags are set up correctly.

DMARC record location

The record should be published at _dmarc.yourdomain.com.

rua address

Confirm aggregate reporting is configured.

ruf address

Confirm forensic reporting is intentional, not accidentally copied.

mailto syntax

Reporting addresses should use the correct mailto: format.

External report authorization

Check third-party reporting service requirements.

Mailbox readiness

Make sure the reporting mailbox or service can receive reports.

Check DMARC reporting tags

Use DMARC Checker to verify your rua, ruf and reporting configuration.

Run DMARC Check →

Common problems

No rua tag configured

Medium

DMARC may work, but aggregate reports will not be requested.

Next step: Add a rua address or DMARC reporting service.

rua mailbox is not monitored

Low

Reports may arrive but no one reviews them.

Next step: Use a monitored mailbox or reporting platform.

Incorrect mailto syntax

Medium

The report destination may be invalid if mailto: is missing or malformed.

Next step: Use the correct format, such as rua=mailto:dmarc@example.com.

ruf used without understanding privacy risk

Medium

Forensic reports may contain message-level data depending on receiver behavior.

Next step: Remove ruf unless you intentionally need forensic reports.

External reporting not authorized

Medium

Reports to a third-party address may be blocked without external authorization.

Next step: Follow the reporting provider’s authorization instructions.

Reports not arriving

Medium

Not all receivers send reports, or the mailbox/service may reject attachments.

Next step: Check rua syntax, mailbox limits, spam filtering and provider support.

Multiple DMARC records

High

More than one DMARC record can prevent correct DMARC evaluation.

Next step: Merge settings into one _dmarc TXT record.

How to configure safely

  1. Step 1: Start with rua

    Configure aggregate reports first. This is the most useful and commonly supported reporting type.

  2. Step 2: Choose a reporting destination

    Use a mailbox or DMARC reporting service that can process XML reports.

  3. Step 3: Use correct mailto syntax

    Add the reporting address with mailto:, such as rua=mailto:dmarc@example.com.

  4. Step 4: Be careful with ruf

    Add ruf only if you intentionally need forensic reports and understand privacy implications.

  5. Step 5: Check external authorization

    If reports go to a third-party domain, follow that provider’s authorization requirements.

  6. Step 6: Verify the record

    Run DMARC Checker and confirm the record is valid.

  7. Step 7: Monitor reports

    Review reports regularly before changing DMARC enforcement.

Examples

Aggregate reports only
v=DMARC1; p=none; rua=mailto:dmarc@example.com
Aggregate and forensic reports
v=DMARC1; p=none; rua=mailto:dmarc@example.com; ruf=mailto:dmarc-failures@example.com
Multiple aggregate destinations
v=DMARC1; p=none; rua=mailto:dmarc@example.com,mailto:reports@example.net
With quarantine policy
v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com
Check commands
dig _dmarc.example.com TXT
dig +short _dmarc.example.com TXT

These examples are illustrative. Use reporting addresses you control, or addresses provided by a trusted DMARC reporting service.

Should you use ruf?

Many domains do not need ruf at the beginning. Aggregate reports through rua are usually enough to identify sending sources, alignment failures and unknown traffic.

Use ruf only when:

  • You understand the privacy implications
  • You have a secure mailbox or service for failure reports
  • You need message-level failure samples
  • Your legal or security team approves the data handling

If unsure, start with rua only.

Frequently asked questions

What does rua mean in DMARC?

rua defines where aggregate DMARC reports should be sent.

What does ruf mean in DMARC?

ruf defines where forensic or failure reports should be sent.

Do I need both rua and ruf?

No. Most domains should start with rua. ruf is optional and should be used carefully.

Why are DMARC reports not arriving?

Possible reasons include invalid syntax, unmonitored mailbox, receiver not sending reports, external reporting authorization issues or mailbox filtering.

Can I send DMARC reports to a third-party service?

Yes, but some receivers require the third-party domain to authorize external reporting.

Are forensic reports risky?

They can be. Forensic reports may contain message-level data, so privacy and data handling should be considered.

Can I use multiple rua addresses?

Yes, but keep the record clean and make sure each destination is valid and intentionally configured.

Use these free tools to verify your configuration after applying changes.

Browse all Email Authentication guides →

Need help applying this fix?

Send us your domain, report link or issue details. CheckDomainHealth will review the request and route it to the right technical team if hands-on support is needed.

Get Help Run Domain Health Check

Was this guide helpful?

Your feedback helps us improve our guides for everyone.