DMARC fo Tag

What Is the DMARC fo Tag?

The DMARC fo tag defines when a mail server should generate forensic (failure) reports, i.e., detailed messages that provide insight into why an email failed authentication.

It’s an optional parameter within a DMARC record that tells receiving servers which types of failures to report back to the domain owner, helping administrators diagnose authentication issues more precisely.

How the DMARC fo Tag Works

The fo tag appears in your DMARC DNS record and can take several values that determine reporting conditions:

• fo=0 – Send a failure report if both SPF and DKIM fail to align (default behavior).
• fo=1 – Send a failure report if either SPF or DKIM fails to align.
• fo=d – Send a report if DKIM alignment fails.
• fo=s – Send a report if SPF alignment fails.

For example:

This record tells mail servers to send forensic reports for any SPF or DKIM alignment failure.

Practical Use of the fo Tag

The fo tag is a powerful tool for troubleshooting DMARC authentication. It allows domain owners to understand why messages fail, not just that they failed.

By receiving detailed samples of problematic emails, administrators can quickly identify:

• Legitimate services that are misconfigured or not signing mail properly
• Spoofing attempts that target the domain
• Alignment or DNS errors causing false failures

However, because forensic reports may contain portions of the original message, they should be sent only to secure and authorized destinations, typically defined by the ruf= tag.

DMARC fo and DMARCeye

DMARCeye helps organizations manage and interpret the data produced by DMARC’s fo tag.

Rather than manually parsing failure reports, DMARCeye aggregates them into clear dashboards and summaries — highlighting which authentication mechanisms failed, from which sources, and how often.

This visibility enables teams to correct misconfigurations, identify abuse, and maintain a strong authentication posture across all sending services.