16

I've searched all over Google and unable to find why these reports are named "rua" and "ruf".

They don't seem random, but also don't appear to easily translates in an obvious way to their definitions.

From the DMARC RFC:

rua: Addresses to which aggregate feedback is to be sent

ruf: Addresses to which message-specific forensic information is to be reported

Ok so I'm guessing maybe the "a" maps to "aggregate" and "f" maps to forensic. But what does the "ru" part mean?

cavalcade
  • 311
  • 1
  • 3
  • 6

2 Answers2

18

From the Domain-based Message Authentication, Reporting, and Conformance (DMARC) RFC section 11.4 (DMARC Tag Registry):

rua: Reporting URI(s) for aggregate data

ruf: Reporting URI(s) for failure data

Unless you enable reporting or use addresses matching the policy domain, neither rua nor ruf should do anything. See the RFC section 7.1 for details.

You should have at least a working rua address while configuring DMARC. It will allow you to verify that your DMARC configuration is working as expected.

The rua address is the address to which aggregate reports are sent by domains that have received mail claiming to be from your domain. I've only received reports from Gmail, Yahoo and Microsoft. The report is in XML contained in a zip file. I process the reports with a script that loads the data into a database for review.

Reports are sent periodically by the receiving domain only if you have sent them mail within the report period. Most smaller domains do not support DMARC, but the major domains do. Correctly configuring SPF, DKIM an DMARC will improve the credibility of your mail server. Baring other issues, your email should avoid the spam folder.

The ruf address is the address to which you want forensic data sent when messages that do not comply with your policy are received. I've received one report of this type. These records may help you determine whether your domain is being spoofed or if you have a configuration issue. I find the rua reports are sufficient for my needs. None of the above domains have sent me a forensic report.

Community
  • 1
BillThor
  • 27,354
  • 3
  • 35
  • 69
  • 2
    Perhaps the question was worded badly? While I know what they do and how they work I'm looking for *why* they are named as they are. One suggestion that @Michael Hampton says is ruf stands for "Report URI Aggregate". However it also seems this is speculation and no links to any specific source. – cavalcade Sep 16 '16 at 03:56
  • 4
    @MattTagg Updated with reference to the RFC where all the tags are documented. – BillThor Sep 16 '16 at 13:23
  • 1
    Exactly what I was hoping for. For some reason, I wasn't able to find it in the RFC until you pointed it out. Thank you! – cavalcade Sep 19 '16 at 00:47
0

We just finished updating our Ultimate Guide to DMARC Reporting in 2022

We did a deep dive into DMARC Tags which are made up of multiple tag-value pairs that are used to tell an email server how it should treat a particular email based on the sending domain’s DMARC record.

Each tag-value pair has its own unique meaning, which together can provide more information about what actions need to be taken for each specific sender.

RUA Report Email Address (rua): Create separate email addresses for sending aggregated reports, separated by commas. It is possible to use mailto: links to submit reports by mail. You use this email to receive DMARC reports as an .XML file.

RUF Report Email Address (ruf): Create separate email addresses to submit failure reports, separated by commas. Specifying this tag implies that the owner requires recipient servers to send detailed reports on every message that fails DMARC validation. You use this email to receive failure reports which occur when an email fails SPF or DKIM alignment.

Jesse Hernandez
  • 21
  • 1