What is the difference between aggregate (rua) and forensic (ruf) data?

Agari receives two different forms of reporting feedback via DMARC. These forms of reports are called: Aggregate Data (RUA) and Forensic Data (RUF). You can find any domain's DMARC reporting configuration using our DMARC Record lookup tool.

Aggregate Reporting

Aggregate Data is the data Agari uses to provide you with the information you will find under Analytics>Data Explorer. This does not contain any information such as To, From, Subject, or URIs.  Agari receives this information on a daily basis from participating receivers, with no intra-day granularity. This information includes data about messages that passed DMARC authentication as well as those that did not.

RUA data reports the following: 

• DMARC policy discovered and applied if any
• Selected message disposition
• Identifier evaluated by SPF and the SPF result
• Identifier evaluated by DKIM and the DKIM result
• DKIM and SPF alignment
• Data for each sender subdomain separately from the mail From: the sender's organizational domain (even if there is no explicit subdomain policy)
• Sending and receiving domains
• Policy requested by the domain owner and the policy actually applied
• Number of successful authentications
• Counts of messages based on all messages received even if their delivery is ultimately blocked by other filtering agents.

Depending on the ISP generating the RUA data, each domain's daily rollup may be sent to the reporting target immediately after the end of the UTC day, or as much as 24 hours later.

Forensic Reporting

Failure Reports are normally generated and sent almost immediately after the Mail Receiver detects an authentication failure. Rather than waiting for an aggregate report, these reports are useful for quickly notifying the Domain Owners when there is an authentication failure. You can locate this information by going to Analytics> Failure Samples. Whether the failure is due to an infrastructure problem or the message is inauthentic, failure reports also provide more information about the failed message than is available in an aggregate report.

Depending on the ISP generating the feedback reports, forensic data may not be sent, maybe heavily downsampled, and, or may have varying levels of detail included.

The consistent benefit in RUF data is that it provides sample visibility into message failures which a domain owner might see the volume for, via the RUA data.  The samples almost always provide visibility into SPF or DKIM signing and potential issues, and some portion of headers from the failed message; Subject, Date, and Message-ID, in particular, are always available.  Also, since the forensic data reports are sent at the time of failure, these may help a domain owner to understand the timeframe of a particular failed set of messages more discretely than RUA data where the day's reporting does not have per-hour granularity.

For further information, see DMARC specification.