When you're working with DMARC, you'll encounter a series of 'tags' that act as instructions for mail servers. These tags are the building blocks of your DMARC policy, allowing you to specify how you want your emails to be handled. Think of them as individual settings that, together, create a comprehensive security policy for your domain.
Two of the most important functions of DMARC are instructing servers on what to do with unauthenticated mail and providing reports on email activity. These reports are crucial for understanding who is sending email on your behalf. There are two types of reports: aggregate (RUA) reports, which provide a high-level overview, and forensic (RUF) reports, which offer detailed, message-level data on failures. The rf tag is directly related to these forensic reports.
Before we can understand the rf tag, we first need to look at the ruf tag. The ruf tag is used to specify one or more email addresses where you want to receive forensic DMARC reports. These reports are essentially redacted copies of individual emails that fail DMARC authentication. They are incredibly useful for debugging authentication issues or investigating malicious activity.
So, what is the purpose of the rf tag? Simply put, the rf tag specifies the desired format for these forensic reports. The value is a list of one or more reporting formats that the domain owner wants to receive.
The most common and, for all practical purposes, the only supported value for this tag is afrf, which stands for Authentication Failure Reporting Format. This is the standard format for this type of report. While the DMARC specification allows for other formats to be defined in the future, afrf is the one you will always use. If the rf tag is not included in your DMARC record, the default value is afrf.
The rf tag doesn't work in isolation. It's part of a trio of tags that control forensic reporting. Its effectiveness is dependent on the ruf tag (which specifies the destination) and the fo tag (which specifies the trigger conditions). The fo tag lets the recipient mail server know if you want a sample of emails that failed authentication. The possible values determine which failures generate a report:
For these settings to work, you must have a ruf tag present. A complete forensic reporting setup in a DMARC record might look something like this:
v=DMARC1; p=none; rua=mailto:agg@example.com; ruf=mailto:forensic@example.com; fo=1; rf=afrf;
Technically, since afrf is the default format, the rf tag is optional when you have a ruf tag. However, it's good practice to include it for clarity and to explicitly state your intentions to the receiving mail server.
It's important to note that many mailbox providers, including major ones like Gmail and Yahoo, have stopped sending RUF forensic reports due to privacy concerns. They primarily send RUA aggregate reports. Despite this, forensic reports are still supported by other providers and can be very valuable when you need to drill down into a specific delivery failure or potential spoofing attack.
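The interplay of ruf, fo and rf described above can be checked mechanically. The following is an added example, not code from the original article: the function names are hypothetical, the sample records are constructed, and the fo option set and its default of 0 are taken from RFC 7489 rather than from this page.

```python
KNOWN_RF = {"afrf"}  # the only format the article names
KNOWN_FO = {"0", "1", "d", "s"}  # fo options defined in RFC 7489


def parse_dmarc(record):
    """Split a DMARC TXT record into a {tag: value} dict (tag names lowercased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags


def split_list(value, sep):
    """Split a tag value on sep, dropping empty items and padding."""
    return [item.strip() for item in value.split(sep) if item.strip()]


def audit_forensic(record):
    """Return (effective ruf/rf/fo settings, list of findings) for one record."""
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("missing v=DMARC1")
    ruf = split_list(tags.get("ruf", ""), ",")
    # Absent tags fall back to their defaults: rf=afrf, fo=0.
    rf = split_list(tags.get("rf", "afrf").lower(), ":")
    fo = split_list(tags.get("fo", "0").lower(), ":")
    for name in ("rf", "fo"):
        if name in tags and not ruf:
            findings.append(f"{name} is set but there is no ruf destination")
    findings += [f"unsupported rf format: {f}" for f in rf if f not in KNOWN_RF]
    findings += [f"unknown fo option: {o}" for o in fo if o not in KNOWN_FO]
    if ruf and "rf" not in tags:
        findings.append("rf omitted; receivers assume afrf")
    return {"ruf": ruf, "rf": rf, "fo": fo}, findings


if __name__ == "__main__":
    # Constructed sample records; "customfmt" is a made-up format value.
    samples = [
        "v=DMARC1; p=none; ruf=mailto:forensic@example.com; fo=1; rf=afrf;",
        "v=DMARC1; p=none; fo=1; rf=customfmt",
    ]
    for rec in samples:
        print(audit_forensic(rec))
```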
In summary, the rf tag is a specific instruction within your DMARC record that declares the reporting format for forensic failure reports. While optional and defaulting to afrf, including it is a best practice for a complete and explicit DMARC forensic reporting configuration.