All Collections
Learn about DMARC
What is a DMARC Forensic Report?
What is a DMARC Forensic Report?

A Forensic Report is a second type of report that the DMARC protocol enables you to receive.

Ivan Kovachev avatar
Written by Ivan Kovachev
Updated over a week ago

A Forensic DMARC Report, unlike Aggregate DMARC Report is essentially a copy of the email that failed DMARC validation on the receivers side. It is typically sent immediately after the failure has occurred.

Any personally identifiable information (PII) is removed from the report, but information that will help in troubleshooting the DMARC failure is contained eg. SPF and DKIM header failure information, the entire From address and Subject of the email too.

The address to receive the Forensic DMARC reports is specified by the “ruf” tag in your DMARC record. 

For example: ruf=mailto:[email protected] 

You can also specify the type of failures you would like to reports for by using the “fo” tag in your DMARC record. By default, failure reports are sent when both SPF and DKIM fail.

NOTE: Not all receiving systems support sending Forensic Reports back to the sending domain. OnDMARC is one of the only products that receive Forensic Reports from Yahoo due to our private partnership with them. It is therefore normal to have a lot more Forensic Reports in OnDMARC compared to other products.

For more information on the various DMARC tags and their meaning please click on the button below. 

For more information on how OnDMARC redacts information found in forensic reports please click on the button below.

Feel free to signup to a 14 days trial of OnDMARC by clicking on the button below.

Did this answer your question?