ARF: Abuse Reporting Format
ARF is the standardised email format mailbox providers use to report abuse and authentication failures back to senders. It is the structured payload that powers DMARC's ruf= reports.
TL;DR
- A multipart/report MIME message with a structured machine-readable section.
- Two main report types: abuse (recipient marked as spam) and auth-failure (DMARC failed).
- Comes from mailbox providers' feedback loops or DMARC ruf endpoints.
What it does
When a recipient marks one of your messages as spam, or when their mail server's DMARC check fails on a message claiming to be from you, the receiving organisation can send back an ARF report. The report is a multipart/report email with three parts: a human-readable description, a structured key=value report metadata block, and a copy of the original message (or just its headers).
ARF is the underlying transport for DMARC forensic (ruf=) reports. If you've published ruf= in your DMARC record, the failure reports you receive are ARF-formatted.
Mailbox providers (Gmail, Yahoo, Microsoft, Comcast) also operate Feedback Loops that send ARF reports when their users hit 'spam.' Sending ESPs subscribe to these loops and use the data to throttle their abusive customers.
How it works
- The operator subscribes to a mailbox provider's Feedback Loop and provides a reporting address (or publishes ruf= in DMARC for the auth-failure flavour).
- When a triggering event occurs (spam mark or DMARC failure), the provider constructs an ARF report.
- The report is sent as a multipart/report message with feedback-type, source-ip, original-mail-from, and the original message body or headers.
- The sender parses the report to identify the original message and the user who reported it, then takes action (suppress the user, fix the SPF gap, etc.).
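The parsing step in the list above, as an added example that is not from the original page or any provider's tooling: Python's standard email package reads a constructed report whose machine-readable fields are written as "Name: value" lines, as in RFC 5965. The addresses, the sample report and the action labels returned by triage are assumptions.

```python
from email import message_from_string, policy
# Constructed sample report (example domains, documentation IP); not from a real provider.
SAMPLE_ARF = """\
From: fbl@provider.example
Content-Type: multipart/report; report-type=feedback-report; boundary="arf"

--arf
Content-Type: text/plain

Abuse report for a message received from 192.0.2.10.
--arf
Content-Type: message/feedback-report

Feedback-Type: abuse
User-Agent: ExampleFBL/1.0
Version: 1
Source-IP: 192.0.2.10
Original-Mail-From: <bounce-4711@sender.example>

--arf
Content-Type: message/rfc822

To: alice@recipient.example
Message-ID: <4711@sender.example>

--arf--
"""

def _headers(m):
    return {k.lower(): str(v) for k, v in m.items()}

def parse_arf(raw):
    msg = message_from_string(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/report" or msg.get_param("report-type") != "feedback-report":
        raise ValueError("not an ARF report")
    fields, original = {}, {}
    for part in msg.iter_parts():
        ctype = part.get_content_type()
        if ctype == "message/feedback-report":    # machine-readable fields
            fields = _headers(part.get_payload(0))
        elif ctype == "message/rfc822":           # full copy of the original
            original = _headers(part.get_payload(0))
        elif ctype == "text/rfc822-headers":      # headers-only copy
            original = _headers(message_from_string(part.get_content()))
    return fields, original

def triage(fields, original):   # action labels are hypothetical
    actions = {"abuse": ("suppress", original.get("to")), "auth-failure": ("check-auth", fields.get("source-ip"))}
    return actions.get(fields.get("feedback-type"), ("review", None))
```

If the provider redacts the recipient, triage returns None for the address and the report has to be matched through another field, such as the bounce address in original-mail-from.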
Example record
(ARF report sample)
Common pitfalls
- Treating ARF reports as deliverability noise. Each one is a real user hitting 'spam' — read them.
- Not subscribing to Feedback Loops. Gmail's bulk-sender feedback loop is free; ESPs subscribe so they can suppress your abusive recipients before reputation damage compounds.
- Using the same mailbox for ARF and rua reports. ARF reports are larger and noisier; separate mailboxes make triage easier.