A Primer on DMARC Reporting: RUF and RUA
While researching how to implement DMARC, you’ve probably seen the acronyms of RUF and RUA, but didn’t get too great an explanation of how exactly they work, right? Well, we’ve got a quick read that covers the basics on what they are, what they provide and how they help you stay secure.
RUF and RUA sound like the names of a pair of barky dogs, and they kind of are (perhaps this was intentional from the designers?!). Dogs bark to alert you to problems, right? That’s exactly what RUF and RUA are for, with each one providing different kinds of alerts to help with your email security.
What are RUF and RUA?
RUF (Reporting URI for Forensics): Think of this as your email’s black box in case of emergency. RUF collects forensic reports providing exhaustive details about each email that fails DMARC authentication, capturing headers, IP addresses, and failure reasons. It’s meticulous and frequently overwhelming in the depth of information.
RUA (Reporting URI for Aggregate Data): This is the grand view of your domain’s email traffic from 10,000 feet. RUA gathers aggregate reports that summarize the results of DMARC authentication over time. It highlights trends, IP addresses used to send emails on your behalf, and the overall success or failure rates.
What do they do?
RUF (Forensic Reports): When messages fail DMARC authentication, RUF reports are generated. These are XML documents that include:
Original message headers
Source IP address
Authentication results (SPF and DKIM)
Why the message failed DMARC
Redacted email content to understand the context without compromising privacy
RUA (Aggregate Reports): RUA reports, also in XML format, provide daily summaries of your DMARC performance. They include:
Total number of emails passing/failing SPF and DKIM
Domain alignment (for SPF, does the Return-Path domain match the From header domain? For DKIM, does the ‘d=’ tag match the From header domain?)
Sending sources
Breakdown of behaviors on a per-domain basis
How do I interpret the reports?
Forensic (RUF) Reports: These can be quite verbose. Here’s how to decode the hieroglyphics:
Source IP: Locate where the email originated. Match it with known IP ranges of your services. Maybe there was a missing marketing mail service or occasionally used mail server that sends out email that got rejected for not being on the SPF list?
SPF/DKIM Results: Check if your SPF and DKIM records align with what’s expected.
Failure Reason: This is your clue to adjust your authentication settings or investigate potential spoofing.
Aggregate (RUA) Reports: Easier to digest but still packed with data.
Overall Stats: Gauge the health of your email authentication.
Alignment Rates: High failure rates mean you need to tweak your SPF/DKIM records or investigate unauthorized senders.
IP Sources: Identify legitimate and rogue sources, ensuring only authorized servers are sending on behalf of your domain.
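As an added example (not from the original post and not part of any Tangent tooling), here is a small Python script that pulls the three things listed above, overall stats, alignment rates and IP sources, out of an aggregate report laid out in the RFC 7489 Appendix C format that the RUA list earlier describes. The embedded report is constructed for this example: the reporter name, report id, documentation-range IPs and counts are invented, and the "known senders" inventory passed to the last function is an assumption you would replace with your own list.

```python
import xml.etree.ElementTree as ET

# Constructed sample RUA report in the RFC 7489 Appendix C layout. The reporter,
# report_id, IPs (documentation ranges) and counts are invented for this example.
SAMPLE_RUA_XML = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-report-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourdomain.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>quarantine</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourdomain.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>yourdomain.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.25</source_ip><count>8</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><spf><domain>yourdomain.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.77</source_ip><count>35</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><spf><domain>bulk-sender.example</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>
"""


def summarize_aggregate_report(xml_text):
    """Parse one aggregate report into overall stats and a per-source breakdown.

    <policy_evaluated> carries the *aligned* SPF/DKIM verdicts; a message passes
    DMARC when either of them is 'pass'. The raw <auth_results> tell you why an
    aligned check failed (for example SPF passed, but for a different domain).
    Reports arrive from untrusted senders, so a production parser should use
    defusedxml; the stdlib parser is used here only to keep the example self-contained.
    """
    root = ET.fromstring(xml_text)
    meta, pub = root.find("report_metadata"), root.find("policy_published")
    summary = {
        "reporter": meta.findtext("org_name"),
        "domain": pub.findtext("domain"),
        "policy": pub.findtext("p"),
        "total": 0, "passed": 0, "failed": 0,
        "sources": {},
    }
    for rec in root.findall("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        dmarc_pass = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        # Raw (unaligned) results: which domain actually authenticated, and how.
        raw = []
        auth = rec.find("auth_results")
        if auth is not None:
            for mech in ("dkim", "spf"):
                for node in auth.findall(mech):
                    raw.append((mech, node.findtext("domain"), node.findtext("result")))
        src = summary["sources"].setdefault(
            ip, {"count": 0, "passed": 0, "failed": 0, "dispositions": set(), "raw_auth": []})
        src["count"] += count
        src["passed" if dmarc_pass else "failed"] += count
        src["dispositions"].add(evaluated.findtext("disposition"))
        src["raw_auth"].extend(raw)
        summary["total"] += count
        summary["passed" if dmarc_pass else "failed"] += count
    summary["pass_rate"] = round(summary["passed"] / summary["total"], 3) if summary["total"] else 0.0
    return summary


def sources_to_investigate(summary, known_sources):
    """IPs with DMARC failures that are not in your inventory of legitimate senders."""
    return sorted(ip for ip, s in summary["sources"].items()
                  if s["failed"] and ip not in known_sources)


if __name__ == "__main__":
    report = summarize_aggregate_report(SAMPLE_RUA_XML)
    print(f"{report['domain']} (p={report['policy']}), reported by {report['reporter']}: "
          f"{report['passed']}/{report['total']} passed ({report['pass_rate']:.1%})")
    for ip, s in report["sources"].items():
        print(f"  {ip}: {s['passed']} pass / {s['failed']} fail, raw auth={s['raw_auth']}")
    # Assumed inventory of your own sending IPs; replace with your real list.
    print("investigate:", sources_to_investigate(report, known_sources={"192.0.2.10"}))
```

The third source in the sample is the alignment case from the RUA list above: SPF passed, but for bulk-sender.example rather than the From domain, so the aligned verdict is a fail and the receiver quarantined the mail. That is exactly the kind of source you either add to your records (if it is a forgotten marketing service) or investigate as a spoofer.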
Where do I send the reports?
RUF/RUA reports need to be sent somewhere to be read later, and that ‘somewhere’ is going to be an email address! Both report types should receive their own dedicated mailbox (do not use your own email administrator mailbox unless you want to never see other emails again; which, hey, maybe some of you don’t, we get it). Someone will need to log into those mailboxes at least occasionally to parse through the data and take action on the reports.
Our general recommendation is to review these mailboxes at least weekly while in the DMARC setup process, then about quarterly after DMARC is fully enforced.
RUF: This one needs a special mailbox. Set up an address that can manage the influx of detailed forensic reports. Preferably, use an email client with robust filtering and organization tools as there are going to be a LOT of these.
RUA: For aggregate reports, set up a designated mailbox and perhaps use an automation tool to parse and present the data in dashboards for easier review. Trust us, a nice graph beats sifting through XML. PowerBI or Tableau, anyone?
If using Tangent’s DMARC Director service, we’ll provide specialty mailboxes for you that will automatically read the reports and provide visualizations of the data for you, on top of us interpreting them and letting you know of any steps you should take.
How do I configure the reporting?
Great, you’ve got email addresses and nice meaty mailboxes set up to receive the RUF/RUA reports. Now how do you tell receiving mail servers to send records of failure to them?
You guessed it! It’s our ever-present friend: the Samwise Gamgee of the internet, the humble DNS record.
Create DNS Records: Add the email addresses to the DMARC policy in your DNS, specifying different addresses for the RUA and RUF (sample entry below; do not use):
"v=DMARC1; p=quarantine; rua=mailto:aggregate@yourdomain.com; ruf=mailto:forensics@yourdomain.com; fo=1"
Monitor and Adjust: Regularly check your inboxes (weekly while you are setting DMARC up, then quarterly once it is enforced), parse through the reports, and adjust your SPF, DKIM and DMARC settings accordingly. This is the final step of configuring RUF/RUA and the only real “ongoing” one.
Be aware that the quantity of reports that are generated, particularly by RUF, can be pretty darn intimidating. If you find yourself wanting assistance on parsing these reports and letting you know what you should do, Tangent can help.
Interpreting DMARC RUF and RUA reports is a bit like swimming a marathon in a sea of XML: daunting, but ultimately rewarding when you emerge victorious. RUF and RUA are both here to help you, though they might come with a steep learning curve.
With that all said, feel like you’ve got a good handle on RUA/RUF but want a second opinion? Want to go deeper into the reports with more technical information? Or maybe you want an automated service to interpret these reports for you into straightforward visualizations and quickly actionable steps?
For any or all of the above, let us know. We’ve got all the solutions available.