DMARC glossary

What does the fo tag mean in DMARC? (fo=1 explained)

Samuel Chenard

By Samuel Chenard · CEO & Co-Founder, Palisade · Reviewed July 15, 2026

The fo tag sets failure-reporting options — when receivers should generate a forensic report to your ruf= address. fo=0 (the default) reports only when both SPF and DKIM fail aligned; fo=1 reports when either fails. d and s trigger on DKIM or SPF failures specifically, combinable as fo=1:d:s.

fo at a glance
Tagfo (failure reporting options)
Valid values0 · 1 · d · s — combinable, colon-separated (e.g. fo=1:d:s)
DefaultDefaults to 0 — report only when both SPF and DKIM fail to produce an aligned pass.
Where it goesAfter the policy tags, e.g. v=DMARC1; p=quarantine; ruf=mailto:forensics@yourdomain.com; fo=1;

How fo works

Forensic (failure) reports are per-message snapshots sent when something fails — unlike the daily aggregate summaries sent to rua= (see [what a RUF address is](/learning/what-is-a-ruf)). The fo tag tunes the trigger: 0 fires only on a full DMARC failure, 1 fires when either SPF or DKIM fails to align, d fires on a DKIM signature failure, and s fires on an SPF failure. fo=1 is the popular debugging choice because it surfaces partial failures — the early warnings.

Two things keep fo firmly in the 'minor tag' category. First, it only matters if you've set a ruf= address — without one, there's nowhere to send failure reports and the tag is inert. Second, most large receivers don't send forensic reports at all, regardless of fo, because per-message reports can leak personal data and message content. Gmail, for one, doesn't send them.

Practical stance: aggregate reports do the real rollout work. If you do run a ruf= mailbox, fo=1 extracts the most signal from the few receivers that participate — just don't build your process around a report stream that may never arrive.

Correct record vs common mistake

Correct

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; ruf=mailto:forensics@yourdomain.com; fo=1

fo=1 paired with a ruf= address — reports on any partial failure, from the receivers that send them at all.

Common mistake

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; fo=1

fo without a ruf= address does nothing — there's no destination for failure reports. Either add ruf= or drop the tag.

Generate your DMARC record

Build the exact TXT record to publish — pick a policy, add a reporting address, copy. Free, no signup.

Used to show the exact host name to publish — the record itself doesn't contain it.

Start at none to observe, then tighten once reports look clean.

Where daily XML summaries are sent. Comma-separate multiple addresses.

Advanced options (sp, alignment, pct, ruf)

Subdomains inherit p unless you set this. Attackers love unused subdomains — reject is a strong choice once you're at enforcement.

Relaxed allows subdomain matches (mail.yourdomain.com signs for yourdomain.com). Strict requires an exact match — most domains should stay relaxed.

Same idea for the SPF (Return-Path) domain.

Applies quarantine/reject to a percentage of failing mail during rollout. Retired in DMARCbis — use briefly if at all.

Per-message failure samples. Rarely sent by large providers; contains message data.

Your DMARC record

Publish this as a TXT record in your DNS.

Host / Name

_dmarc.yourdomain.com

Value (TXT)

v=DMARC1; p=none;

Record type: TXT · TTL: your provider's default (e.g. 3600) is fine.

No rua address set — you'll get no aggregate reports, which means no visibility into who is sending as your domain. Add one before publishing.
p=none is monitoring mode: receivers report but deliver everything, including spoofed mail. It's the right starting point — plan to move to quarantine, then reject, once your reports show all legitimate senders passing.

After you publish

  1. Add the TXT record at your DNS host and allow up to an hour for propagation.
  2. Verify it with the free DMARC checker.
  3. Watch your aggregate reports, fix SPF and DKIM for every legitimate sender, then step up to quarantine and reject.

Troubleshooting fo

IssueLikely causeFix
No failure reports despite fo=1Most receivers don't send forensic reports for privacy reasons — Gmail among themExpected. Use aggregate (rua=) reports as the primary data source; treat any ruf mail as a bonus
fo tag present but ignoredNo ruf= address in the record — fo has no destination to act onAdd ruf=mailto:<address> if you want failure reports, or remove fo
Failure-report mailbox flooded during rolloutfo=1 fires on every partial failure — a busy unaligned sender generates a report per messageScope the debugging window, then tighten back to fo=0 or fix the unaligned sender causing the volume

See this on your own domain

Enter your domain — the check runs instantly on the next page. Free, no signup.

Why it matters for MSPs

Forensic reports can contain message content and recipient addresses — real client data. Pointing 50–200 tenants' ruf= at a shared, casually-secured mailbox is a privacy incident waiting to be discovered. If you enable failure reporting at all, treat that mailbox like the sensitive data feed it is.

Trusted by MSPs

Their responsive support, agent task lists, white-label reporting, and centralized dashboard make managing our customer domains, effortless.
Bobby GhoshalBobby Ghoshal CEO, dupe.com
Partner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner Logo

Enforce it — don't just monitor it

Palisade does its rollout work from aggregate reports — the reliable, privacy-safe stream every major receiver actually sends — so client domains reach enforcement without depending on forensic reports that may never arrive.

Free 15-day trial · No credit card · Your own domain free forever (NFR)

Frequently asked questions

Send a failure report when either SPF or DKIM fails to produce an aligned pass — not just when both do. It's the most verbose single option, useful when debugging a specific sender.

Most receivers simply don't send them, for privacy reasons — that's the norm, not a misconfiguration. Check that ruf= is set and valid, then rely on aggregate (rua=) reports for coverage.

Yes — colon-separated, like fo=1:d:s. Each listed condition can trigger a report.

Only if you use ruf= and want a different trigger than the default fo=0. No ruf=, no reason for fo.

Related terms

What is DMARC? Email authentication explained