DMARC glossary
What does the rf tag mean in a DMARC record?

By Samuel Chenard · CEO & Co-Founder, Palisade · Reviewed July 15, 2026
The rf tag declares the report format for failure (forensic) reports sent to your ruf= address. The only registered value is afrf — which is also the default — so the tag never changes anything. It's effectively vestigial: safe to omit, and DMARCbis drops it from the spec entirely.
rf at a glance | |
|---|---|
| Tag | rf (report format) |
| Valid values | afrf — the only registered value (Authentication Failure Reporting Format, RFC 6591) |
| Default | Defaults to afrf — identical behavior with or without the tag. |
| Where it goes | Near the reporting tags, e.g. v=DMARC1; p=reject; ruf=mailto:forensics@yourdomain.com; rf=afrf; |
How rf works
When DMARC was designed, the rf tag left room for multiple failure-report formats. Only one was ever registered: afrf, the Authentication Failure Reporting Format. Since afrf is both the only option and the default, publishing rf=afrf is a no-op — and publishing anything else asks for a format receivers can't produce.
Add that [forensic reports](/learning/what-is-a-ruf) are rarely sent at all — most receivers decline for privacy reasons — and rf becomes a tag with no practical effect in any direction. DMARCbis removes it. If a generator put it in your record, it's safe to delete; if it's absent, don't add it.
Correct record vs common mistake
Correct
v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; ruf=mailto:forensics@yourdomain.comNo rf tag — afrf is the default and the only format anyway. This is the record with the dead weight removed.
Common mistake
v=DMARC1; p=reject; ruf=mailto:forensics@yourdomain.com; rf=iodefiodef was never registered as a DMARC failure-report format — no receiver can honor this. Omit the tag instead.
Generate your DMARC record
Build the exact TXT record to publish — pick a policy, add a reporting address, copy. Free, no signup.
Used to show the exact host name to publish — the record itself doesn't contain it.
Start at none to observe, then tighten once reports look clean.
Where daily XML summaries are sent. Comma-separate multiple addresses.
Advanced options (sp, alignment, pct, ruf)
Subdomains inherit p unless you set this. Attackers love unused subdomains — reject is a strong choice once you're at enforcement.
Relaxed allows subdomain matches (mail.yourdomain.com signs for yourdomain.com). Strict requires an exact match — most domains should stay relaxed.
Same idea for the SPF (Return-Path) domain.
Applies quarantine/reject to a percentage of failing mail during rollout. Retired in DMARCbis — use briefly if at all.
Per-message failure samples. Rarely sent by large providers; contains message data.
Your DMARC record
Publish this as a TXT record in your DNS.
_dmarc.yourdomain.com
v=DMARC1; p=none;
Record type: TXT · TTL: your provider's default (e.g. 3600) is fine.
After you publish
- Add the TXT record at your DNS host and allow up to an hour for propagation.
- Verify it with the free DMARC checker.
- Watch your aggregate reports, fix SPF and DKIM for every legitimate sender, then step up to quarantine and reject.
Troubleshooting rf
| Issue | Likely cause | Fix |
|---|---|---|
| Validator flags an unknown rf value | A non-registered format (like iodef) was published — only afrf exists | Remove the rf tag entirely; the default is correct |
| rf=afrf present but no failure reports arrive | rf doesn't cause reports — most receivers don't send forensic reports regardless | Check that ruf= is set if you want them, and expect sparse participation either way |
| Generator keeps adding rf=afrf to new records | Legacy tooling emits every tag with defaults filled in | Strip it during review — explicit defaults are clutter, not configuration |
See this on your own domain
Enter your domain — the check runs instantly on the next page. Free, no signup.
Why it matters for MSPs
Like ri, rf is harmless in itself — the multi-tenant cost is clutter. Fifty client records padded with vestigial tags are fifty records that are harder to audit at a glance, and the tags that matter (p, sp, pct) hide in the noise.
Trusted by MSPs
“Their responsive support, agent task lists, white-label reporting, and centralized dashboard make managing our customer domains, effortless.”
Bobby Ghoshal — CEO, dupe.com

































Enforce it — don't just monitor it
Palisade keeps client DMARC records lean and evidence-driven: the tags that enforce, the reporting that feeds the automation, and none of the vestigial padding that makes hand-maintained records hard to audit.
Free 15-day trial · No credit card · Your own domain free forever (NFR)