Configuring rua and ruf Tags in DMARC
Learn what rua and ruf mean in DMARC, how to configure aggregate and forensic reporting addresses, and when to use each tag safely.
Introduction
DMARC can send reports that help you understand who is sending email for your domain and whether those messages pass SPF, DKIM and DMARC alignment. The two main reporting tags are rua and ruf.
The rua tag is used for aggregate reports, which summarize authentication results over time. The ruf tag is used for forensic or failure reports, which may contain message-level details. Most domains should start with rua because aggregate reports are more commonly supported and safer to use.
Quick answer
rua tells receivers where to send DMARC aggregate reports. ruf tells receivers where to send forensic or failure reports. Most domains should configure rua first. Use ruf carefully because forensic reports are less commonly supported and may include sensitive message-level information.
rua and ruf
rua and ruf are DMARC reporting tags.
rua
Defines where aggregate reports should be sent.
ruf
Defines where forensic or failure reports should be sent.
v=DMARC1; p=none; rua=mailto:dmarc@example.com; ruf=mailto:dmarc-failures@example.com
The rua tag is the most important reporting tag for most domains. ruf is optional and should be used carefully.
rua explained
The rua tag defines the destination for DMARC aggregate reports. Aggregate reports summarize authentication results from receiving mail providers.
rua=mailto:dmarc@example.com
- Source IPs sending mail for your domain
- Message counts
- SPF results
- DKIM results
- DMARC results
- Policy applied
- Alignment results
Aggregate reports are often sent as compressed XML attachments. Many domains use a DMARC report parser or service to read them more easily.
ruf explained
The ruf tag defines the destination for forensic or failure reports. These reports may include more detailed information about individual messages that failed DMARC.
ruf=mailto:dmarc-failures@example.com
Forensic reports are less commonly supported than aggregate reports. Some receivers do not send them at all, and some may limit the data included.
Because forensic reports may contain message-level information, use ruf only when you understand the privacy and data-handling implications.
rua vs ruf
rua
- Report type: Aggregate reports
- Data level: Summary-level
- Format: Usually XML, often compressed
- Support: Common
- Best use: Monitoring senders and preparing enforcement
- Privacy risk: Lower
rua=mailto:dmarc@example.com
ruf
- Report type: Forensic/failure reports
- Data level: Message-level failure samples
- Format: Receiver-dependent
- Support: Less common
- Best use: Investigating specific failures
- Privacy risk: Higher
ruf=mailto:dmarc-failures@example.com
For most beginner and business setups, rua is enough to start.
Report syntax
DMARC report destinations usually use mailto: addresses.
v=DMARC1; p=none; rua=mailto:dmarc@example.com
v=DMARC1; p=none; rua=mailto:dmarc@example.com; ruf=mailto:dmarc-failures@example.com
v=DMARC1; p=none; rua=mailto:dmarc@example.com,mailto:reports@example.net
Use addresses you control or a reporting service you trust. Make sure the mailbox can receive attachments.
External reporting
If you send DMARC reports to an address outside the domain, some receivers require external reporting authorization.
Domain: example.com
DMARC record: v=DMARC1; p=none; rua=mailto:reports@dmarcservice.example.net
The external reporting domain may need to publish an authorization record that allows reports for example.com.
If reports are not arriving when using a third-party reporting service, check whether external report authorization is required and configured correctly.
Why this matters
rua and ruf matter because DMARC reports provide visibility. Without reporting, you may not know which systems are sending mail for your domain, which providers fail alignment, or whether unknown sources are attempting to spoof your domain.
Reporting is especially important before moving from p=none to quarantine or reject.
Common problems
No rua tag configured
MediumDMARC may work, but aggregate reports will not be requested.
Next step: Add a rua address or DMARC reporting service.
rua mailbox is not monitored
LowReports may arrive but no one reviews them.
Next step: Use a monitored mailbox or reporting platform.
Incorrect mailto syntax
MediumThe report destination may be invalid if mailto: is missing or malformed.
Next step: Use the correct format, such as rua=mailto:dmarc@example.com.
ruf used without understanding privacy risk
MediumForensic reports may contain message-level data depending on receiver behavior.
Next step: Remove ruf unless you intentionally need forensic reports.
External reporting not authorized
MediumReports to a third-party address may be blocked without external authorization.
Next step: Follow the reporting provider’s authorization instructions.
Reports not arriving
MediumNot all receivers send reports, or the mailbox/service may reject attachments.
Next step: Check rua syntax, mailbox limits, spam filtering and provider support.
Multiple DMARC records
HighMore than one DMARC record can prevent correct DMARC evaluation.
Next step: Merge settings into one _dmarc TXT record.
How to configure safely
-
Step 1: Start with rua
Configure aggregate reports first. This is the most useful and commonly supported reporting type.
-
Step 2: Choose a reporting destination
Use a mailbox or DMARC reporting service that can process XML reports.
-
Step 3: Use correct mailto syntax
Add the reporting address with mailto:, such as rua=mailto:dmarc@example.com.
-
Step 4: Be careful with ruf
Add ruf only if you intentionally need forensic reports and understand privacy implications.
-
Step 5: Check external authorization
If reports go to a third-party domain, follow that provider’s authorization requirements.
-
Step 6: Verify the record
Run DMARC Checker and confirm the record is valid.
-
Step 7: Monitor reports
Review reports regularly before changing DMARC enforcement.
Examples
v=DMARC1; p=none; rua=mailto:dmarc@example.com
v=DMARC1; p=none; rua=mailto:dmarc@example.com; ruf=mailto:dmarc-failures@example.com
v=DMARC1; p=none; rua=mailto:dmarc@example.com,mailto:reports@example.net
v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com
dig _dmarc.example.com TXT
dig +short _dmarc.example.com TXT
These examples are illustrative. Use reporting addresses you control, or addresses provided by a trusted DMARC reporting service.
Should you use ruf?
Many domains do not need ruf at the beginning. Aggregate reports through rua are usually enough to identify sending sources, alignment failures and unknown traffic.
Use ruf only when:
- You understand the privacy implications
- You have a secure mailbox or service for failure reports
- You need message-level failure samples
- Your legal or security team approves the data handling
If unsure, start with rua only.
Frequently asked questions
What does rua mean in DMARC?
rua defines where aggregate DMARC reports should be sent.
What does ruf mean in DMARC?
ruf defines where forensic or failure reports should be sent.
Do I need both rua and ruf?
No. Most domains should start with rua. ruf is optional and should be used carefully.
Why are DMARC reports not arriving?
Possible reasons include invalid syntax, unmonitored mailbox, receiver not sending reports, external reporting authorization issues or mailbox filtering.
Can I send DMARC reports to a third-party service?
Yes, but some receivers require the third-party domain to authorize external reporting.
Are forensic reports risky?
They can be. Forensic reports may contain message-level data, so privacy and data handling should be considered.
Can I use multiple rua addresses?
Yes, but keep the record clean and make sure each destination is valid and intentionally configured.
Related tools
Use these free tools to verify your configuration after applying changes.
Related guides
Browse all Email Authentication guides →Need help applying this fix?
Send us your domain, report link or issue details. CheckDomainHealth will review the request and route it to the right technical team if hands-on support is needed.
Was this guide helpful?
Your feedback helps us improve our guides for everyone.
Thanks for your feedback!