What is the difference between aggregate (rua) and forensic (ruf) data?

Agari receives two forms of reporting feedback via DMARC: Aggregate Data (RUA) and Forensic Data (RUF). You can find any domain's DMARC reporting configuration via this tool: https://my.agari.com/dmarc_builder/lookup


Aggregate Reporting:

Aggregate data is the data we use to provide you with the information you will find under Analytics > Data Explorer. It does not contain any information such as To, From, Subject, or URIs. Agari receives this information on a daily basis from participating receivers, with no intra-day granularity. It includes data about messages that passed DMARC authentication as well as those that did not. The RUA data reports: the DMARC policy discovered and applied, if any; the selected message disposition; the identifier evaluated by SPF and the SPF result; the identifier evaluated by DKIM and the DKIM result; DKIM and SPF alignment; data for each sender subdomain separately from mail from the sender's organizational domain (even if there is no explicit subdomain policy); sending and receiving domains; the policy requested by the domain owner and the policy actually applied; the number of successful authentications; and message counts based on all messages received, even if their delivery is ultimately blocked by other filtering agents.
Depending on the ISP generating the RUA data, each domain's daily rollup may be sent to the reporting target immediately after the end of the UTC day, or as much as 24 hours later.
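
The fields listed above can be read from a report's XML with a short script. The following is an added example, not Agari's code: it uses the element names from the aggregate report schema in the DMARC specification (RFC 7489), and the sample report, its domains, IP addresses and counts are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample report, trimmed to the elements used below; all values are made up.
SAMPLE_RUA = """<feedback>
  <policy_published><domain>example.com</domain><p>quarantine</p><sp>none</sp></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>15</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>news.example.com</header_from></identifiers>
    <auth_results><spf><domain>bulk.example.net</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>"""

def summarize(xml_text):
    """Return (published policy, per-source rows, message totals by DMARC result)."""
    if "<!DOCTYPE" in xml_text:  # reports are third-party input: refuse DTDs/entities
        raise ValueError("DOCTYPE not allowed in aggregate report")
    root = ET.fromstring(xml_text)
    policy = {k: root.findtext(f"policy_published/{k}") for k in ("domain", "p", "sp")}
    rows, totals = [], Counter()
    for rec in root.iter("record"):
        ev = rec.find("row/policy_evaluated")
        count = int(rec.findtext("row/count"))
        # policy_evaluated holds the aligned results; DMARC passes if either one passes.
        dmarc_pass = "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        totals["pass" if dmarc_pass else "fail"] += count
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "header_from": rec.findtext("identifiers/header_from"),
            "count": count,
            "disposition": ev.findtext("disposition"),
            "dmarc_pass": dmarc_pass,
            # Raw SPF result and the domain it was checked against (may be unaligned).
            "spf_raw": [(s.findtext("domain"), s.findtext("result"))
                        for s in rec.iterfind("auth_results/spf")],
        })
    return policy, rows, dict(totals)

if __name__ == "__main__":
    print(summarize(SAMPLE_RUA))
```

In the second constructed record, SPF passes for bulk.example.net but does not align with the From domain news.example.com, so the record counts as a DMARC failure; only the count and source IP are visible, not the messages themselves.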

Forensic Reporting:

Failure reports are normally generated and sent almost immediately after the Mail Receiver detects an authentication failure. Because they do not wait for an aggregate report, these reports are useful for quickly notifying Domain Owners when there is an authentication failure. You can locate this information by going to Analytics > Failure Samples. Whether the failure is due to an infrastructure problem or the message is inauthentic, failure reports also provide more information about the failed message than is available in an aggregate report.
Depending on the ISP generating the feedback reports (and on factors at the ISP at different times), forensic data may not be sent, may be heavily downsampled, and may have varying levels of detail included.
The consistent benefit of RUF data is that it provides *SAMPLE* visibility into message failures whose volume a domain owner might see via the RUA data. The samples almost always provide visibility into SPF or DKIM signing and potential issues, and some portion of headers from the failed message: Subject, Date, and Message-ID in particular are always available. Also, since the forensic data reports are sent at the time of failure, they may help a domain owner understand the timeframe of a particular set of failed messages more precisely than RUA data, where the day's reporting does not have per-hour granularity.
To accommodate both data provider contracts with Agari (private channel agreements by which we receive large volumes of RUF data) and customer concerns over any potential exposure provided by RUF data, Agari retains only 7 days of history in this data.


For further information please refer to the DMARC specification: https://datatracker.ietf.org/doc/draft-kucherawy-dmarc-base/?include_text=1
