RF= Reporting Format Tag

What is the RF= Reporting Format Tag in DMARC?

The rf (Reporting Format) tag in a DMARC record specifies the format used for forensic or failure reports sent to the domain owner. These reports are triggered when a message fails DMARC authentication and provide detailed diagnostic data about the failure. The rf tag tells receiving mail servers which file type or data structure to use when generating these reports, ensuring compatibility with the recipient’s analysis tools.

In practice, the most commonly used value for this tag is afrf (Authentication Failure Reporting Format), defined in RFC 6591. This standardized format allows consistent parsing of DMARC failure data across platforms and helps security teams understand exactly why authentication checks failed.

How the RF Tag Works

The rf tag appears within the domain’s DMARC record, published as a DNS TXT record. It defines the report format used for messages sent to the address specified in the ruf (forensic report URI) tag. Here’s an example of how it’s configured:

In this example:

• rua defines where aggregate reports are sent.
• ruf specifies where individual forensic reports are sent.
• rf=afrf indicates that those forensic reports will use the Authentication Failure Reporting Format.

While afrf is the only format officially supported by DMARC today, the tag remains in the specification to allow for future report formats. Including it explicitly in your record can improve interoperability with different mail providers.

Understanding AFRF (Authentication Failure Reporting Format)

AFRF is a standardized XML-based format that captures granular information about messages failing authentication. Each report typically includes:

• The sending and receiving IP addresses
• Message headers such as From, To, Subject, and Date
• The failed authentication mechanism (SPF, DKIM, or alignment)
• Diagnostic information from the receiving server
• Optionally, a redacted sample of the original message

These reports help security and deliverability teams pinpoint misconfigurations, identify unauthorized senders, and analyze spoofing or phishing attempts targeting the domain. Because they contain potentially sensitive data, many organizations restrict or anonymize failure reports before sharing them externally.

When to Use the RF Tag

Including the rf tag is recommended for any domain that enables forensic reporting via ruf. Although the afrf format is the default, specifying it explicitly ensures that report-generating systems understand your intended data structure and can deliver consistent, machine-readable results.

Use cases include:

• Debugging SPF or DKIM alignment issues
• Monitoring unauthorized or failed authentication attempts
• Analyzing how different mail receivers interpret your DMARC policy
• Tracking domain abuse across global email ecosystems

Because forensic reports are generated per message, they can be high in volume, so organizations often use a dedicated mailbox or third-party analysis service to collect and process them.

RF Tag and DMARCeye

DMARCeye automatically detects and interprets the rf tag from your published DMARC record. The platform ingests forensic reports formatted in AFRF, normalizes the data, and visualizes patterns of failed authentication to help organizations detect spoofing, identify configuration errors, and verify enforcement success.

By aggregating AFRF data with aggregate (RUA) reports, DMARCeye provides a complete view of domain activity. Administrators can see exactly which senders, IPs, and messages triggered failures and take quick corrective action to strengthen domain protection.

Sign up for a free trial of DMARCeye today and secure your email domain.

To learn more about DMARC and DMARC-related terms, explore the DMARCeye Glossary.