When you're setting up DMARC, you have a lot of tags to consider. One of the most useful for diagnostics is the fo tag, which controls when you receive detailed failure reports. If you want to get reports for all types of DMARC failures, the correct value to use is fo=1.
This setting tells receiving mail servers to send you a forensic (RUF) report if an email claiming to be from your domain fails either the SPF or DKIM checks, providing a comprehensive view of potential issues or abuse.
The fo tag, which stands for "failure options", is a powerful tool for debugging your email setup. DMARC requires either SPF or DKIM to pass and align for an email to be considered authentic. The DMARC fail error message appears when a message fails this process. The fo tag allows you to specify under which conditions you want a detailed report about these failures. Here are the available options:
Failure reports, also known as forensic or RUF reports, are invaluable. They are different from the aggregate (RUA) reports that provide a high-level summary. Forensic reports contain detailed information about individual failed messages, including headers and sometimes even the body of the email. This level of detail helps you diagnose complex authentication issues and identify malicious actors attempting to spoof your domain.
However, there's a catch. Because these reports can contain personally identifiable information (PII), many mailbox providers are reluctant to send them due to privacy concerns. As a result, you won't receive forensic reports from every provider, even with fo=1 configured. Despite this, they remain a useful tool where available.
Adding the fo tag to your DMARC record is straightforward. It's just another key-value pair within your DMARC TXT record. Here is an example of a record that requests failure reports for any type of failure:
v=DMARC1; p=none; rua=mailto:dmarc-agg@example.com; ruf=mailto:dmarc-forensic@example.com; fo=1;
In this record, ruf=mailto:dmarc-forensic@example.com specifies the email address where forensic reports should be sent, and fo=1 is the instruction to send reports for any failure. Ensuring correct syntax is critical, as a small mistake can invalidate the entire record.
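An added example (not from the original article) that lints the fo and ruf tags of a DMARC record, using the fo option values defined in RFC 7489 (0, 1, d, s) and the RFC's rule that fo is ignored when no ruf tag is present. The function names and every sample record other than the article's own are constructed for illustration.

```python
# Added example: lint the failure-reporting tags of a DMARC TXT record (RFC 7489, section 6.3).
# fo options: 0 = all mechanisms fail (default), 1 = any mechanism fails,
#             d = DKIM signature failed, s = SPF failed. Several may be joined with ':'.
VALID_FO = {"0", "1", "d", "s"}

def parse_dmarc(record):
    """Split a DMARC record into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # a trailing ';' is allowed
        tag, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag-value pair: {part!r}")
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def lint_failure_reporting(record):
    """Return a list of problems; an empty list means the fo/ruf setup is sound."""
    try:
        pairs = parse_dmarc(record)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("record must start with v=DMARC1")
    tags = dict(pairs)
    fo = tags.get("fo")
    if fo is not None:
        bad = [o for o in fo.split(":") if o.strip().lower() not in VALID_FO]
        if bad:
            problems.append(f"unknown fo option(s): {bad}")
        if "ruf" not in tags:
            problems.append("fo is ignored because no ruf address is set")
    for uri in tags.get("ruf", "").split(","):
        if uri.strip() and not uri.strip().lower().startswith("mailto:"):
            problems.append(f"ruf URI is not mailto: {uri.strip()!r}")
    return problems

if __name__ == "__main__":
    article = ("v=DMARC1; p=none; rua=mailto:dmarc-agg@example.com; "
               "ruf=mailto:dmarc-forensic@example.com; fo=1;")
    # Constructed sample: a missing ';' swallows the ruf tag into the p value.
    broken = "v=DMARC1; p=none ruf=mailto:dmarc-forensic@example.com; fo=1"
    for rec in (article, broken):
        print(rec, "->", lint_failure_reporting(rec) or "OK")
```

The second sample shows how one missing semicolon silently removes the ruf tag, which leaves fo=1 with no effect.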
In summary, if your goal is to gather the maximum amount of data on DMARC failures, setting fo=1 in your DMARC record is the way to go. It provides the detailed forensic reports needed to fully understand your email authentication landscape and protect your domain's reputation.