DMARC fo Tag Explained
The DMARC fo tag controls forensic reporting behavior where providers support it. It tells receivers under which failure conditions they may generate failure or forensic reports. Different fo values adjust how strict or broad that reporting trigger is.
One-Minute Fix
Use the fo tag only if you understand how forensic reporting works and you have a valid reporting address configured to receive those reports.
v=DMARC1; p=none; fo=1; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.comThe fo=1 setting requests a forensic report when either SPF or DKIM produces a failure relevant to DMARC, where providers support that behavior.
Re-checkWrong vs correct setup
Wrong setup
v=DMARC1; p=none; fo=1; ruf=mailto:missing@example.comThis is broken operationally if the ruf mailbox does not exist or cannot receive reports. The tag may be syntactically valid, but reporting still will not work as intended.
Correct setup
v=DMARC1; p=none; fo=1; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.comThis is the correct pattern when you want forensic reporting and you have a valid ruf destination that can receive reports.
Why this matters
The fo tag controls when forensic reports may be generated, but provider support for these reports is inconsistent. Domains that add fo without understanding ruf, reporting volume, or provider behavior often expect data that never arrives.
Why this is a problem
- Teams may expect forensic data that many providers never send.
- An invalid ruf destination makes the setting operationally useless.
- Forensic reporting can generate noise if not planned properly.
- Misunderstanding fo can make DMARC reporting strategy harder to manage.
How this affects deliverability
The fo tag does not usually affect inbox placement directly, but it affects your visibility into failures. A correct forensic reporting setup can help investigations, while a misunderstood one creates confusion and false expectations.
Common causes
- The fo tag was copied from a template without understanding it.
- The ruf mailbox was never configured.
- Teams expected all providers to send forensic reports.
- Reporting strategy was designed without considering report volume or privacy constraints.
What we checked
We reviewed whether the DMARC record includes an fo tag and whether the surrounding reporting configuration appears consistent with forensic reporting use.
Live DNS lookup. No login. No saved domains. No tracking.
FAQ
What does fo=1 do?
It requests a forensic report when either SPF or DKIM produces a failure condition relevant to DMARC, where the receiver supports that reporting behavior.
Will all providers send forensic reports?
No. Provider support for forensic reporting is inconsistent, and many major providers send few or no ruf reports.
Do I need ruf if I use fo?
Yes. Without a valid ruf destination, the fo setting has nowhere useful to send forensic reports.
Next steps
- Decide whether you actually need forensic reports.
- Make sure the ruf mailbox exists and accepts incoming mail.
- Use fo only with a reporting strategy you understand.
- Do not assume all providers will send ruf reports.
- Re-run the check after updating the record.
- Review the full troubleshooting guidance in the DMARC Hub.
- Explore sender authorization issues in the SPF Hub.
- Check signing and selector issues in the DKIM Hub.