How do you tell the difference between rua and ruf DMARC reports

dmarc

I have a client that's receiving DMARC reports from various providers; however, the reports indicate that all checks 'PASS', and all DMARC/DKIM/SPF checking tools indicate the DMARC records are fine. The reports are in XML format and zipped up. Is there any easy way to tell the difference between rua and ruf reports? Are ruf reports delivered in a zip file like rua reports? My client believes that since he is receiving reports not at the exact same time every day, they can't be rua reports; however, I'm not so sure.

Any help would be appreciated 🙂

Best Answer

Providers send aggregate reports at varying times. Many come at midnight UTC, but some providers like Microsoft often send hourly reports. Forensic reports come in near real time, usually about 5-10 minutes after the failing message hit the ISP's front-end inbound mailers.

You can tell RUA and RUF reports apart pretty easily. An aggregate, or RUA, report typically starts like:

--report_section
Content-Type: text/plain;

This is a DMARC aggregate report for yourdomain.com
generated at Mon Mar 23 03:53:50 UTC 2015

while a forensic, or RUF, report generally starts like:

--61204608-60BE-4D26-9E07-F450C5B0D826
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit

This is an email abuse report for an email message received from IP 10.10.10.10 on Mon Mar 23 04:01:02 UTC 2015.
The message below did not meet the sending domain's authentication policy.
For more information about this format please see http://www.ietf.org/rfc/rfc5965.txt.

--61204608-60BE-4D26-9E07-F450C5B0D826
Content-Type: message/feedback-report

You will also notice that an RUA report has (often gzipped) XML as an attachment, while the attachment for a RUF report is actual MIME. Few people try to manually read or verify either type of report. Services like Agari and Dmarcian are specifically built to interpret DMARC reporting.
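As an added example (not part of the answer above, and not any provider's code), here is a small Python script that applies the structural tells the answer describes: a RUF report is an RFC 5965 ARF container, so it carries a message/feedback-report part holding RFC 6591 auth-failure fields, while a RUA report carries an RFC 7489 aggregate report as a gzipped or zipped XML attachment whose root element is <feedback>. It goes slightly beyond the answer by handling zip as well as gzip and by sniffing the compression from magic bytes rather than trusting the declared Content-Type. The sample messages, addresses, IPs, report IDs and filenames are constructed for the demonstration; a real ARF message normally also has a third part with the original message or its headers, which is omitted here.

```python
# Added example (not from the answer above): tell rua and ruf DMARC reports apart by
# MIME structure. Every sample message here is constructed, not real provider output.
import email
import gzip
import io
import xml.etree.ElementTree as ET
import zipfile
from email import policy
from email.message import EmailMessage
from typing import Optional

# Constructed minimal RFC 7489 aggregate report body.
RUA_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata><org_name>example.net</org_name><email>noreply-dmarc@example.net</email>
    <report_id>1426809600.example.com</report_id>
    <date_range><begin>1426809600</begin><end>1426896000</end></date_range></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>3</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row><identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""

# Constructed RFC 5965 ARF message with an RFC 6591 auth-failure report (a ruf report).
RUF_RAW = b"""From: dmarc-ruf@example.net
MIME-Version: 1.0
Content-Type: multipart/report; report-type=feedback-report; boundary="ruf"

--ruf
Content-Type: text/plain; charset="US-ASCII"

This is an email abuse report for an email message received from IP 203.0.113.5.
The message below did not meet the sending domain's authentication policy.

--ruf
Content-Type: message/feedback-report

Feedback-Type: auth-failure
Source-IP: 203.0.113.5
Reported-Domain: example.com
Authentication-Results: mx.example.net; dmarc=fail header.from=example.com

--ruf--
"""

AGGREGATE_TYPES = {"application/gzip", "application/x-gzip", "application/zip",
                   "application/xml", "text/xml"}


def build_rua_sample(container: str = "gzip") -> bytes:
    """Wrap RUA_XML as receivers do: gzip or zip attachment with an RFC 7489 filename."""
    stem = "example.net!example.com!1426809600!1426896000.xml"
    if container == "zip":
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(stem, RUA_XML)
        blob, ext = buf.getvalue(), ".zip"
    else:
        blob, ext = gzip.compress(RUA_XML), ".gz"
    msg = EmailMessage()
    msg["From"], msg["To"] = "noreply-dmarc@example.net", "dmarc-rua@example.com"
    msg["Subject"] = "Report domain: example.com Submitter: example.net"
    msg.set_content("This is a DMARC aggregate report for example.com\n")
    msg.add_attachment(blob, maintype="application", subtype=container, filename=stem + ext)
    return msg.as_bytes()


def _unpack_xml(blob: bytes) -> Optional[bytes]:
    """Decompress by magic bytes rather than the declared Content-Type, which varies."""
    if blob[:2] == b"\x1f\x8b":
        return gzip.decompress(blob)
    if blob[:2] == b"PK":
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            names = [n for n in zf.namelist() if n.lower().endswith(".xml")]
            return zf.read(names[0]) if names else None
    return blob if blob.lstrip().startswith(b"<") else None


def classify_dmarc_report(raw: bytes) -> dict:
    """Return {'kind': 'ruf' | 'rua' | 'unknown', ...} for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/feedback-report":
            fields = part.get_payload(0)  # ARF fields parse as headers of a nested message
            return {"kind": "ruf", "feedback_type": str(fields["Feedback-Type"]),
                    "source_ip": str(fields["Source-IP"]),
                    "reported_domain": str(fields["Reported-Domain"])}
        name = (part.get_filename() or "").lower()
        if ctype in AGGREGATE_TYPES or name.endswith((".gz", ".zip", ".xml")):
            try:  # attachments are third-party input: treat decode/parse failures as "not a report"
                root = ET.fromstring(_unpack_xml(part.get_payload(decode=True) or b"") or b"")
            except (ET.ParseError, OSError, zipfile.BadZipFile):
                continue
            meta = root.find("report_metadata")
            if root.tag == "feedback" and meta is not None:
                return {"kind": "rua", "org_name": meta.findtext("org_name"),
                        "begin": int(meta.findtext("date_range/begin")),
                        "end": int(meta.findtext("date_range/end")),
                        "records": len(root.findall("record"))}
    return {"kind": "unknown"}
```

Feed `classify_dmarc_report()` the raw bytes of each .eml and it answers from structure alone: 'rua' with the reporting organisation and the period the aggregate covers, or 'ruf' with the failing source IP, regardless of when the message arrived, so arrival time never has to be the tell. Because report mail comes from arbitrary third parties, the attachment is untrusted input; the example therefore sniffs the container by magic bytes and treats anything that fails to decode or parse as "not a report" rather than crashing.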