When you're setting up a DMARC record, you'll come across several different tags that control how reports are handled. A common point of confusion is the purpose of the fo tag. While the question asks about aggregate report formatting, it's important to clarify that the fo tag is actually used to request forensic (or failure) reports, not aggregate reports. These are two distinct types of DMARC reports.
Aggregate reports are requested using the rua tag and provide high-level, XML-based summaries of your email traffic. The fo tag, on the other hand, works in conjunction with the ruf tag to specify the conditions under which you'd like to receive detailed failure reports.
The fo tag specifies the reporting options for failure reports. It tells receiving mail servers when to generate a forensic report. The value is a colon-separated list of characters, but you'll typically use just one. Here are the options:
So, a DMARC record configured for forensic reports might look something like this: v=DMARC1; p=none; rua=mailto:agg@example.com; ruf=mailto:forensic@example.com; fo=1;. In this example, the domain owner requests aggregate reports at one address and forensic reports (for any failure) at another.
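The following is an added example, not part of the original article: a small Python check that parses a DMARC record and reports what its ruf and fo tags actually request. The function names are hypothetical, and the fo option meanings (0, 1, d, s), the default of 0, and the rule that fo is ignored without ruf are taken from RFC 7489 section 6.3.

```python
# Added example: audit the failure-reporting tags (ruf/fo) of a DMARC record.
# The fo meanings paraphrase RFC 7489 section 6.3; function names are hypothetical.
FO_MEANINGS = {
    "0": "report only if every mechanism (SPF and DKIM) fails to give an aligned pass",
    "1": "report if any mechanism gives something other than an aligned pass",
    "d": "report any DKIM signature that fails evaluation, regardless of alignment",
    "s": "report any SPF evaluation failure, regardless of alignment",
}

def parse_dmarc(record):
    """Split a DMARC TXT record into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags

def audit_failure_reporting(record):
    """Return a list of findings about the rua, ruf and fo tags."""
    tags = parse_dmarc(record)
    findings = []
    options = [o.strip().lower() for o in tags.get("fo", "0").split(":")]
    unknown = [o for o in options if o not in FO_MEANINGS]
    if unknown:
        findings.append(f"unknown fo option(s): {', '.join(unknown)}")
    if "fo" in tags and "ruf" not in tags:
        findings.append("fo is set without ruf, so receivers ignore it")
    if "ruf" in tags:
        findings.append(f"ruf requests failure reports at {tags['ruf']}")
        for o in options:
            if o in FO_MEANINGS:
                findings.append(f"fo={o}: {FO_MEANINGS[o]}")
    if "rua" not in tags:
        findings.append("no rua tag: no aggregate reports are requested")
    return findings

if __name__ == "__main__":
    # The record shown in the article above.
    sample = "v=DMARC1; p=none; rua=mailto:agg@example.com; ruf=mailto:forensic@example.com; fo=1;"
    for line in audit_failure_reporting(sample):
        print(line)
```

A record that carries only rua returns an empty list, which is the configuration the article recommends for most domains.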
While forensic reports sound useful, they come with significant downsides, which is why their use is not widespread. The primary issue is privacy. A forensic report is essentially a full copy of the failing email, including headers, body content, and attachments. This can expose personally identifiable information (PII) or other sensitive data.
Because of these privacy concerns, most major mailbox providers, including Google and Microsoft, have stopped sending forensic reports. They will honor the rua tag for aggregate data but will ignore the ruf and fo tags.
For the vast majority of domain owners, aggregate reports provide all the necessary information to monitor email channels, identify unauthorized senders, and move toward a strict p=quarantine or p=reject policy without the privacy risks or limited support of forensic reports. Unless you have a specific, critical need to analyze the full content of failing emails, I recommend omitting the ruf and fo tags from your DMARC record.