Forensic Reports Guide
Individual failure incidents, threat levels, and resolution
Forensic (RUF) Reports
Forensic reports provide detailed information about individual email messages that failed DMARC authentication. Unlike aggregate reports (which are statistical summaries), forensic reports describe specific failure incidents: each one carries the failing message's headers (and sometimes part of its body), wrapped in the Abuse Reporting Format (ARF, RFC 5965 / RFC 6591) together with the receiving server's own SPF, DKIM and DMARC results. Because they expose message content, receivers that do send them often redact addresses and subjects, so treat the fields you see as partial evidence rather than a complete capture.
Summary Cards
The top of the page shows incident-level metrics:
| Card | What It Shows |
|---|---|
| Total Incidents | Total number of forensic failure incidents reported |
| Unresolved | Incidents that have not yet been investigated or resolved |
| Critical / High | Incidents classified as critical or high threat level |
| Medium / Low | Lower-severity incidents that may still warrant review |
Threat Level Breakdown
A visual breakdown showing how many incidents fall into each threat level. Work the list from the top: critical incidents (e.g., a message from a source IP you do not recognise that passed neither SPF nor DKIM, the signature of outright spoofing) should be investigated first. A failure whose source is one of your own known senders usually points to a misconfiguration (a missing SPF include, an unsigned mail stream) rather than an attack, and is normally classified lower.
Incidents Table
Lists individual failure incidents with columns for:
- Domain — the domain whose DMARC policy was applied (the RFC5322.From domain of the failing message)
- Source IP — the IP address of the server that handed the failing message to the receiver; check it against your own sending infrastructure before treating it as hostile
- Failure Type — what failed (SPF, DKIM, or both). A report listing only one failed mechanism can still arrive when your DMARC record requests it with fo=1, even though DMARC as a whole passed via the other mechanism
- Threat Level — severity classification (critical, high, medium, low)
- Date — when the incident was reported
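The table columns and summary cards above are derived from the fields of an ARF forensic report. The following is an added example, not the dashboard's own code: it parses two constructed ARF reports with Python's standard `email` package, derives Domain, Source IP, Failure Type and Date from the `message/feedback-report` part, assigns a threat level using assumed rules (the page only fixes "critical" as zero authentication from an unknown source; the other three tiers and the `KNOWN_SENDERS` allow-list are assumptions), and totals the summary cards.

```python
"""Parse DMARC forensic (RUF) reports in ARF form and turn them into the rows
and summary counts the page describes.

Added example, not the dashboard's own code. The two reports, the known-sender
list and the threat-level rules are constructed assumptions for illustration.
"""
import email
import re
from email import policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed ARF layout (RFC 5965 container, RFC 6591 auth-failure fields).
ARF_TEMPLATE = """\
From: noreply-dmarc@mailer.example.net
To: dmarc-ruf@example.com
Subject: DMARC failure report
MIME-Version: 1.0
Content-Type: multipart/report; report-type=feedback-report; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

Authentication failure report for a message received from {ip}.

--b1
Content-Type: message/feedback-report

Feedback-Type: auth-failure
Version: 1
Auth-Failure: dmarc
Original-Mail-From: {mail_from}
Arrival-Date: {date}
Source-IP: {ip}
Reported-Domain: example.com
Authentication-Results: mailer.example.net; {auth}
Delivery-Result: {result}

--b1
Content-Type: text/rfc822-headers

From: "Accounts" <{mail_from}>
To: victim@mailer.example.net
Subject: Invoice overdue
Message-ID: <{msgid}@example.com>

--b1--
"""

# Two constructed reports: an unknown host with no authentication at all, and a
# known host whose DKIM signature broke while SPF still passed.
SAMPLE_REPORTS = [
    ARF_TEMPLATE.format(ip="203.0.113.57", mail_from="billing@example.com",
                        date="Tue, 05 Mar 2024 09:12:44 +0000",
                        auth="dkim=none; spf=fail smtp.mailfrom=example.com",
                        result="reject", msgid="a1"),
    ARF_TEMPLATE.format(ip="198.51.100.10", mail_from="notify@example.com",
                        date="Tue, 05 Mar 2024 10:30:00 +0000",
                        auth="dkim=fail header.d=example.com; spf=pass smtp.mailfrom=example.com",
                        result="delivered", msgid="a2"),
]

# Assumed allow-list of IPs that legitimately send for the domain.
KNOWN_SENDERS = {"198.51.100.10"}


def parse_arf(raw):
    """Return (feedback fields, original message headers) from one ARF report."""
    msg = email.message_from_string(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/report":
        raise ValueError("not a multipart/report message")
    fields, headers = {}, {}
    for part in msg.iter_parts():
        ctype = part.get_content_type()
        if ctype == "message/feedback-report":
            # The parser treats a message/* body as a nested message, so the
            # Feedback-Type / Source-IP / ... lines surface as its headers.
            inner = part.get_payload(0)
            fields = {k.lower(): str(v).strip() for k, v in inner.items()}
        elif ctype == "text/rfc822-headers":
            hdrs = email.message_from_string(part.get_content(), policy=policy.default)
            headers = {k.lower(): str(v).strip() for k, v in hdrs.items()}
    if fields.get("feedback-type") != "auth-failure":
        raise ValueError("not an authentication failure report")
    return fields, headers


def failure_type(auth_results):
    """Failure Type column: every mechanism whose result is not 'pass'."""
    failed = []
    for mech in ("spf", "dkim"):
        m = re.search(rf"\b{mech}=(\w+)", auth_results)
        if m is None or m.group(1).lower() != "pass":
            failed.append(mech.upper())
    return "+".join(failed) or "none"


def threat_level(source_ip, ftype, known_senders):
    """Assumed severity rules: zero authentication from an unknown source is
    treated as spoofing (critical); the same from a known host is a broken
    sender (high); a single failed mechanism is medium or low by source."""
    unknown = source_ip not in known_senders
    if ftype == "SPF+DKIM":
        return "critical" if unknown else "high"
    return "medium" if unknown else "low"


def incident_from_report(raw, known_senders=KNOWN_SENDERS):
    """Build one incidents-table row (plus workflow status) from a report."""
    fields, headers = parse_arf(raw)
    ftype = failure_type(fields.get("authentication-results", ""))
    ip = fields.get("source-ip", "")
    # Reported-Domain is the domain whose policy applied; fall back to the
    # RFC5322.From domain of the attached headers if the receiver omitted it.
    domain = (fields.get("reported-domain")
              or parseaddr(headers.get("from", ""))[1].rpartition("@")[2])
    date = parsedate_to_datetime(fields["arrival-date"]).date().isoformat()
    return {"domain": domain, "source_ip": ip, "failure_type": ftype,
            "threat_level": threat_level(ip, ftype, known_senders),
            "date": date, "status": "unresolved"}


def summary_cards(incidents):
    """Compute the four summary cards from a list of incident rows."""
    return {
        "total": len(incidents),
        "unresolved": sum(i["status"] == "unresolved" for i in incidents),
        "critical_high": sum(i["threat_level"] in ("critical", "high") for i in incidents),
        "medium_low": sum(i["threat_level"] in ("medium", "low") for i in incidents),
    }


if __name__ == "__main__":
    order = ["critical", "high", "medium", "low"]
    rows = [incident_from_report(r) for r in SAMPLE_REPORTS]
    for row in sorted(rows, key=lambda i: order.index(i["threat_level"])):
        print(row)
    print(summary_cards(rows))
```

The first report yields a critical SPF+DKIM row for 203.0.113.57; the second yields a low DKIM-only row for the known host, which is the case a fo=1 record produces even though the message passed DMARC on SPF.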
Resolution Workflow
For each incident, you can take one of the following actions:
- Investigate — mark the incident as under investigation
- Resolve — mark the incident as resolved after taking corrective action
- Dismiss — mark as a known or acceptable failure (e.g., test email)
Forensic vs Aggregate Reports
| Aspect | Aggregate (RUA) | Forensic (RUF) |
|---|---|---|
| Content | Statistical summaries of all email | Details of individual failure incidents |
| Frequency | Daily (typically) | Per-incident (when failures occur) |
| Use Case | Monitor overall compliance trends | Investigate specific failures and spoofing |
| Availability | All major providers send these | Limited — many providers do not send forensic reports |
Tip
Not all email receivers send forensic reports. Google does not send them, and only a minority of other receivers do; whether one ever arrives depends on your DMARC record as well as on the receiver's own policy. You must publish a ruf= address, and the fo= tag controls when a report is requested: the default fo=0 asks for one only when the message fails DMARC outright, while fo=1 asks for one whenever either SPF or DKIM fails to produce an aligned pass. Even then a receiver is free to ignore the request. Aggregate reports are the primary data source for monitoring; forensic reports supplement them with incident-level detail when available.
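To check whether a report should have been requested for a given failure, the following added example (not the dashboard's own code) parses a DMARC TXT record and applies the fo= semantics from RFC 7489 section 6.3. The three records and the authentication outcomes passed in are constructed; a True result means the record asked for a report, not that the receiver will send one.

```python
"""Decide whether a DMARC record requests a forensic (RUF) report for a given
authentication outcome (RFC 7489 section 6.3, ruf= and fo= tags).

Added example, not the dashboard's own code; the records and outcomes below
are constructed for illustration.
"""

# Constructed records (not real DNS answers).
RECORD_NO_RUF = "v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.com"
RECORD_DEFAULT_FO = ("v=DMARC1; p=quarantine; rua=mailto:dmarc-rua@example.com; "
                     "ruf=mailto:dmarc-ruf@example.com")
RECORD_FO_ANY = ("v=DMARC1; p=quarantine; rua=mailto:dmarc-rua@example.com; "
                 "ruf=mailto:dmarc-ruf@example.com; fo=1:d")


def parse_dmarc(txt):
    """Split a DMARC TXT record into tag/value pairs (tag names lower-cased)."""
    tags = {}
    for chunk in txt.split(";"):
        if "=" in chunk:
            key, value = chunk.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def ruf_expected(record, spf, dkim, spf_aligned, dkim_aligned):
    """Return (requested, reason).

    spf / dkim are the raw evaluation results ('pass', 'fail', 'none', ...);
    spf_aligned / dkim_aligned say whether each produced an aligned pass.
    fo values (colon-separated, default '0'):
      0 - report only if neither mechanism produced an aligned pass
      1 - report if either mechanism produced anything but an aligned pass
      d - report a DKIM signature that failed verification, alignment aside
      s - report an SPF evaluation failure, alignment aside
    """
    tags = parse_dmarc(record)
    if "ruf" not in tags:
        return False, "record has no ruf= tag, so there is nowhere to send it"
    opts = set(tags.get("fo", "0").split(":"))
    if "1" in opts and not (spf_aligned and dkim_aligned):
        return True, "fo=1: a mechanism did not produce an aligned pass"
    if "d" in opts and dkim == "fail":
        return True, "fo=d: DKIM signature failed verification"
    if "s" in opts and spf == "fail":
        return True, "fo=s: SPF evaluation failed"
    if "0" in opts and not (spf_aligned or dkim_aligned):
        return True, "fo=0: message failed DMARC outright"
    return False, "requested conditions not met (fo=%s)" % tags.get("fo", "0")


if __name__ == "__main__":
    # Same outcome (SPF passed and aligned, DKIM signature broken) under each record.
    for name, rec in (("no ruf", RECORD_NO_RUF), ("fo default", RECORD_DEFAULT_FO),
                      ("fo=1:d", RECORD_FO_ANY)):
        print(name, ruf_expected(rec, "pass", "fail", True, False))
```

With the default fo=0 the broken-DKIM case produces no report because SPF carried the DMARC pass, which is why a domain that wants to see partial failures (for example a signing outage on one mail stream) needs fo=1 or fo=d in its record.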