Monday 12 December 2022

What are RUA and RUF in DMARC?

DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email validation and authentication system used to detect fraud, such as phishing and impersonation, and improve email deliverability.

DMARC works by protecting your domain and providing visibility over it through two reports: aggregate reports (RUA) and forensic reports (RUF).

To put it another way, DMARC allows you to have control over the use of your domain, preventing cybercriminals from carrying out scams and attacks using your domain, brand, and reputation.

Imagine that a bad guy is using your domain. This crook has sent emails to your clients and partners to steal data and money from them. The worst thing is that the fake email looks very similar to the ones you usually send. In these cases, it’s difficult to even convince your customers that it was fake.

The result of this kind of scam is that your brand and reputation can be damaged, with possible financial losses for the business.

How DMARC's validation process works

DMARC works by providing instructions for email servers. How? Through a DMARC policy published in the DNS.

Basically, DMARC uses two email authentication protocols, SPF and DKIM, to help email servers identify whether a message is legitimate or not, and take action, such as sending the message to quarantine. It all depends, in fact, on how the policy was configured by the domain owner.

In addition, DMARC allows domain owners to receive reports on emails that have been delivered and/or rejected.

The difference between DMARC's RUA and RUF reports

RUA: what is a DMARC aggregate report?

RUA is a more general type of report. It provides an overview of all traffic or usage for a domain. In practice, aggregate reports (RUA) contain the authentication results of emails and the source that sent them: the domain used, the IP address, and the number of emails sent in a given period.

Aggregate reports may contain the following information:

  • Organization name.
  • Organization sending email address.
  • Extra contact information.
  • Report ID number.
  • Date range.
  • Header domain/from domain.
  • Alignment for DKIM and SPF.
  • Domain and subdomain policies (reject).
  • Percentage of messages to which the DMARC policy is to be applied.
  • IP information.
  • Total of IPs.
  • SPF and DKIM authentication result.
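
To show how the fields listed above appear in practice, here is an added example (not from the original article) that parses an aggregate report and lists the sources that failed DMARC. The element names follow the aggregate report XML format defined in RFC 7489; the sample report, its domains, IPs and report ID are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample report; every value below is made up for illustration.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name>
    <email>noreply-dmarc@receiver.example</email><report_id>constructed-0001</report_id>
    <date_range><begin>1670803200</begin><end>1670889600</end></date_range></report_metadata>
  <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>reject</p><sp>reject</sp><pct>100</pct></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>42</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.77</source_ip><count>5</count>
    <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""

def summarize(xml_text):
    # Reports arrive from third parties: refuse DTDs and entities before parsing.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration in report")
    root = ET.fromstring(xml_text)
    meta, pol = root.find("report_metadata"), root.find("policy_published")
    def ts(tag):  # date_range values are Unix timestamps (UTC)
        return datetime.fromtimestamp(int(meta.findtext("date_range/" + tag)), timezone.utc)
    sources = []
    for rec in root.iter("record"):
        ev = rec.find("row/policy_evaluated")
        sources.append({
            "ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "disposition": ev.findtext("disposition"),
            # DMARC passes if at least one aligned check (DKIM or SPF) passes.
            "dmarc_pass": "pass" in (ev.findtext("dkim"), ev.findtext("spf")),
        })
    return {"reporter": meta.findtext("org_name"), "report_id": meta.findtext("report_id"),
            "begin": ts("begin"), "end": ts("end"), "domain": pol.findtext("domain"),
            "policy": pol.findtext("p"), "pct": int(pol.findtext("pct")), "sources": sources}

def failing_sources(summary):
    # Sources that failed both aligned checks, highest message volume first.
    bad = [s for s in summary["sources"] if not s["dmarc_pass"]]
    return sorted(bad, key=lambda s: -s["count"])

if __name__ == "__main__":
    report = summarize(SAMPLE_REPORT)
    print(report["reporter"], report["begin"].date(), "policy:", report["policy"])
    for src in failing_sources(report):
        print("DMARC fail:", src["ip"], src["count"], "messages,", src["disposition"])
```

A failing source is either an unauthorized sender or a legitimate service that still needs SPF or DKIM set up for the domain, so each one is worth checking before tightening the policy.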

RUF: what is a DMARC forensic report?

We could say that RUF is a more complete report because it includes additional data about emails, such as subject, header, and information about attachments and URLs. A forensic report (RUF) may even be a complete copy of an email.

Due to compliance and privacy issues, many companies and organizations end up choosing not to request RUF reports. The goal is to prevent data breaches and to comply with laws and regulations that deal with sensitive and personal data.

Forensic reports may contain the following information:

  • IP information.
  • Subject line.
  • Time.
  • SPF, DKIM, and DMARC results.
  • ISP information.
  • From domain information.
  • Message ID.
  • URLs.
  • Delivery result.

Why use DMARC

Using DMARC, your company can improve its email delivery capabilities and, at the same time, protect itself against different types of attacks and threats, such as spam, phishing, and spoofing campaigns.

When properly configured, DMARC ensures that you have visibility into the use of your domain. In this way, only authorized senders can send emails.

It’s an extra layer of security that prevents cybercriminals from using your brand and reputation to commit scams and fraud.
