A forensic report unlike aggregate report is essentially a copy of the email that failed DMARC validation and is typically sent immediately after the failure. Any personally identifiable information is removed from the email but information that may help in troubleshooting the DMARC failure should be included ie. any SPF and DKIM failures. 

The receiver for the failure reports is specified by the “ruf” tag in your DMARC record. 

For example: ruf=mailto:[email protected] 

You can also specify the type of failures you would like to receive forensics for by using the “fo” tag in your DMARC record. By default, failure reports are sent when both SPF and DKIM fail.

NOTE: Not all receivers support sending forensic reports back to the sender. It is therefore normal not to see or see very little forensic reports. 

For more information on the various DMARC tags and their meaning please click on the button below. 

For more information on how OnDMARC redacts information found in forensic reports please click on the button below.

Click the button below for more information on how to search a forensic report.

To learn more about the Aggregate Reports please click on the button below.


If you would like to learn more about how onDMARC reports work you can book a demo using the button below.

Did this answer your question?