DMARC glossary

What does the rf tag mean in a DMARC record?

Samuel Chenard

By Samuel Chenard · CEO & Co-Founder, Palisade · Reviewed July 15, 2026

The rf tag declares the report format for failure (forensic) reports sent to your ruf= address. The only registered value is afrf — which is also the default — so the tag never changes anything. It's effectively vestigial: safe to omit, and DMARCbis drops it from the spec entirely.

rf at a glance
Tagrf (report format)
Valid valuesafrf — the only registered value (Authentication Failure Reporting Format, RFC 6591)
DefaultDefaults to afrf — identical behavior with or without the tag.
Where it goesNear the reporting tags, e.g. v=DMARC1; p=reject; ruf=mailto:forensics@yourdomain.com; rf=afrf;

How rf works

When DMARC was designed, the rf tag left room for multiple failure-report formats. Only one was ever registered: afrf, the Authentication Failure Reporting Format. Since afrf is both the only option and the default, publishing rf=afrf is a no-op — and publishing anything else asks for a format receivers can't produce.

Add that [forensic reports](/learning/what-is-a-ruf) are rarely sent at all — most receivers decline for privacy reasons — and rf becomes a tag with no practical effect in any direction. DMARCbis removes it. If a generator put it in your record, it's safe to delete; if it's absent, don't add it.

Correct record vs common mistake

Correct

v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; ruf=mailto:forensics@yourdomain.com

No rf tag — afrf is the default and the only format anyway. This is the record with the dead weight removed.

Common mistake

v=DMARC1; p=reject; ruf=mailto:forensics@yourdomain.com; rf=iodef

iodef was never registered as a DMARC failure-report format — no receiver can honor this. Omit the tag instead.

Generate your DMARC record

Build the exact TXT record to publish — pick a policy, add a reporting address, copy. Free, no signup.

Used to show the exact host name to publish — the record itself doesn't contain it.

Start at none to observe, then tighten once reports look clean.

Where daily XML summaries are sent. Comma-separate multiple addresses.

Advanced options (sp, alignment, pct, ruf)

Subdomains inherit p unless you set this. Attackers love unused subdomains — reject is a strong choice once you're at enforcement.

Relaxed allows subdomain matches (mail.yourdomain.com signs for yourdomain.com). Strict requires an exact match — most domains should stay relaxed.

Same idea for the SPF (Return-Path) domain.

Applies quarantine/reject to a percentage of failing mail during rollout. Retired in DMARCbis — use briefly if at all.

Per-message failure samples. Rarely sent by large providers; contains message data.

Your DMARC record

Publish this as a TXT record in your DNS.

Host / Name

_dmarc.yourdomain.com

Value (TXT)

v=DMARC1; p=none;

Record type: TXT · TTL: your provider's default (e.g. 3600) is fine.

No rua address set — you'll get no aggregate reports, which means no visibility into who is sending as your domain. Add one before publishing.
p=none is monitoring mode: receivers report but deliver everything, including spoofed mail. It's the right starting point — plan to move to quarantine, then reject, once your reports show all legitimate senders passing.

After you publish

  1. Add the TXT record at your DNS host and allow up to an hour for propagation.
  2. Verify it with the free DMARC checker.
  3. Watch your aggregate reports, fix SPF and DKIM for every legitimate sender, then step up to quarantine and reject.

Troubleshooting rf

IssueLikely causeFix
Validator flags an unknown rf valueA non-registered format (like iodef) was published — only afrf existsRemove the rf tag entirely; the default is correct
rf=afrf present but no failure reports arriverf doesn't cause reports — most receivers don't send forensic reports regardlessCheck that ruf= is set if you want them, and expect sparse participation either way
Generator keeps adding rf=afrf to new recordsLegacy tooling emits every tag with defaults filled inStrip it during review — explicit defaults are clutter, not configuration

See this on your own domain

Enter your domain — the check runs instantly on the next page. Free, no signup.

Why it matters for MSPs

Like ri, rf is harmless in itself — the multi-tenant cost is clutter. Fifty client records padded with vestigial tags are fifty records that are harder to audit at a glance, and the tags that matter (p, sp, pct) hide in the noise.

Trusted by MSPs

Their responsive support, agent task lists, white-label reporting, and centralized dashboard make managing our customer domains, effortless.
Bobby GhoshalBobby Ghoshal CEO, dupe.com
Partner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner Logo

Enforce it — don't just monitor it

Palisade keeps client DMARC records lean and evidence-driven: the tags that enforce, the reporting that feeds the automation, and none of the vestigial padding that makes hand-maintained records hard to audit.

Free 15-day trial · No credit card · Your own domain free forever (NFR)

Frequently asked questions

No. afrf is the default and the only registered format, so the tag adds nothing. Omit it.

The Authentication Failure Reporting Format (RFC 6591) — the standard structure for per-message DMARC failure reports. It's what any receiver that sends forensic reports uses.

Yes — DMARCbis, the upcoming revision of the standard, drops rf. One more reason not to add it to new records.

Related terms

What is DMARC? Email authentication explained