The DMARC ‘fo’ tag options and their ideal use cases

The organizations that invest in email authentication early save themselves from expensive incidents later, says Vasile Diaconu, Operations Lead at DuoCircle. We see the pattern constantly: a domain gets spoofed, customers lose trust, and the remediation effort costs 10x what proactive DMARC setup would have cost.

DMARC (RFC 7489) ties SPF and DKIM together by requiring alignment between the envelope sender and the visible From header. According to Google’s February 2024 bulk sender requirements, a DMARC policy of at least p=none is now mandatory for any domain sending 5,000+ messages per day to Gmail users. DMARC Report

The DMARC ‘fo’ tag options and their ideal use cases

					<button title="Play" aria-label="Play Episode" aria-pressed="false" class="play-btn">
						

Play Episode

					</button>
					<button title="Pause" aria-label="Pause Episode" aria-pressed="false" class="pause-btn hide">
						

Pause Episode

					</button>
					


				

				

					<audio preload="none" class="clip clip-22550">
						<source src="/images/wp/2025/03/The-DMARC-‘fo-tag-options-and-their-ideal-use-cases.mp3">
					</audio>
					

						

					

					

						

							<button class="player-btn player-btn__volume" title="Mute/Unmute">
								

Mute/Unmute Episode

							</button>
							<button data-skip="-10" class="player-btn player-btn__rwd" title="Rewind 10 seconds">
								

Rewind 10 Seconds

							</button>
							<button data-speed="1" class="player-btn player-btn__speed" title="Playback Speed" aria-label="Playback Speed">1x</button>
							<button data-skip="30" class="player-btn player-btn__fwd" title="Fast Forward 30 seconds">
								

Fast Forward 30 seconds

							</button>
						

						

							<time class="ssp-timer">00:00</time>
							

/

							<!-- We need actual duration here from the server -->
							<time class="ssp-duration" datetime="PT0H2M8S">2:08</time>
						

					

				

			

								<nav class="player-panels-nav">
												<button class="subscribe-btn" id="subscribe-btn-22550" title="Subscribe">Subscribe</button>
																		<button class="share-btn" id="share-btn-22550" title="Share">Share</button>
										</nav>
						

	



		

						

				

					

					

				

				

					

																																																																								

					

						

RSS Feed

							<input value="https://dmarcreport.com/feed/podcast/dmarc-report" class="input-rss input-rss-22550" title="RSS Feed URL" readonly />
						

						<button class="copy-rss copy-rss-22550" title="Copy RSS Feed URL" aria-label="Copy RSS Feed URL"></button>
					

				

			

									

				

					

					

				

				

					

						Share						

					

						<a href="https://www.facebook.com/sharer/sharer.php?u=https://dmarcreport.com/blog/podcast/the-dmarc-fo-tag-options-and-their-ideal-use-cases/&t=The DMARC ‘fo’ tag options and their ideal use cases" target="blank" rel="noopener noreferrer" class="share-icon facebook" title="Share on Facebook">
							

						</a>
						<a href="https://twitter.com/intent/tweet?text=https://dmarcreport.com/blog/podcast/the-dmarc-fo-tag-options-and-their-ideal-use-cases/&url=The DMARC ‘fo’ tag options and their ideal use cases" target="blank" rel="noopener noreferrer" class="share-icon twitter" title="Share on Twitter">
							

						</a>
						<a href="/images/wp/2025/03/The-DMARC-‘fo-tag-options-and-their-ideal-use-cases.mp3" target="blank" rel="noopener noreferrer" class="share-icon download" title="Download" download>
							

						</a>
					

				

				

					

						Link						

					

						<input value="https://dmarcreport.com/blog/podcast/the-dmarc-fo-tag-options-and-their-ideal-use-cases/" class="input-link input-link-22550" title="Episode URL" readonly />
					

					<button class="copy-link copy-link-22550" title="Copy Episode URL" aria-label="Copy Episode URL" readonly=""></button>
				

				

					

						Embed						

					

						<input type="text" value='<blockquote class="wp-embedded-content" data-secret="n9UYepKUzG"><a href="https://dmarcreport.com/blog/podcast/the-dmarc-fo-tag-options-and-their-ideal-use-cases/">The DMARC ‘fo’ tag options and their ideal use cases</a></blockquote><iframe sandbox="allow-scripts" security="restricted" src="https://dmarcreport.com/blog/podcast/the-dmarc-fo-tag-options-and-their-ideal-use-cases/embed/#?secret=n9UYepKUzG" width="500" height="350" title=""The DMARC ‘fo’ tag options and their ideal use cases" — DMARC Report" data-secret="n9UYepKUzG" frameborder="0" marginwidth="0" marginheight="0" scrolling="no" class="wp-embedded-content"></iframe><script>

/*! This file is auto-generated / !function(d,l){“use strict”;l.querySelector&&d.addEventListener&&“undefined”!=typeof URL&&(d.wp=d.wp||{},d.wp.receiveEmbedMessage||(d.wp.receiveEmbedMessage=function(e){var t=e.data;if((t||t.secret||t.message||t.value)&&!/[^a-zA-Z0-9]/.test(t.secret)){for(var s,r,n,a=l.querySelectorAll(‘iframe[data-secret=”‘+t.secret+’”]’),o=l.querySelectorAll(‘blockquote[data-secret=”‘+t.secret+’”]’),c=new RegExp(“^https?:$”,“i”),i=0;i<o.length;i++)o[i].style.display=“none”;for(i=0;i<a.length;i++)s=a[i],e.source===s.contentWindow&&(s.removeAttribute(“style”),“height”===t.message?(1e3<(r=parseInt(t.value,10))?r=1e3:~~r<200&&(r=200),s.height=r):“link”===t.message&&(r=new URL(s.getAttribute(“src”)),n=new URL(t.value),c.test(n.protocol))&&n.host===r.host&&l.activeElement===s&&(d.top.location.href=t.value))}},d.addEventListener(“message”,d.wp.receiveEmbedMessage,!1),l.addEventListener(“DOMContentLoaded”,function(){for(var e,t,s=l.querySelectorAll(“iframe.wp-embedded-content”),r=0;r<s.length;r++)(t=(e=s[r]).getAttribute(“data-secret”))||(t=Math.random().toString(36).substring(2,12),e.src+=”#?secret=“+t,e.setAttribute(“data-secret”,t)),e.contentWindow.postMessage({message:“ready”,secret:t},"")},!1)))}(window,document); //# sourceURL=https://dmarcreport.com/wp-includes/js/wp-embed.min.js ’ title=“Embed Code” class=“input-embed input-embed-22550” readonly/>

					<button class="copy-embed copy-embed-22550" title="Copy Embed Code" aria-label="Copy Embed Code"></button>
				

			

				

There are some optional tags in DMARC, and ‘fo’ is one of them. It stands for ‘failure options.’ The ‘fo’ tag allows domain owners to specify the conditions under which forensic (RUF) reports should be generated for SPF and/or DKIM authentication checks. There are four possible values for this tag: fo=0, fo=1, fo=d, and fo=s. Forensic reports contain detailed and sensitive data, including email headers. Sometimes, these reports also include portions of the original message, jeopardizing the confidentiality of sensitive details.

You can combine the ‘fo’ tag options and create a more potent reporting strategy that best suits security standards and tolerance for risks emerging from false positives and negatives.

Possible values of the DMARC ‘fo’ tag

There are four values of the** ‘fo’ tag that you can choose from-

**fo=0 This is the default setting for failure reporting and is the most restrictive option. If you have specified ‘fo=0’ in your DMARC record, then failure reports will be generated if an email fails both SPF and DKIM authentication. With this setting, you receive a limited number of reports, which is an ideal case for organizations that don’t have enough people on their team to

evaluate these reports regularly . You receive reports when authentication failures are more likely to indicate actual spoofing or phishing.

However, there is one drawback: Some phishing emails might go unnoticed if they pass one of the checks. Since forensic reports often contain sensitive email information, using fo=0 helps mitigate privacy risks while still allowing domain owners to monitor and analyze critical authentication failures.

fo=1

The fo=1 tag allows domain owners to specify that forensic reports should be generated if either SPF or DKIM fails, even if one of them passes. This is a more aggressive setting , and you also receive more reports, which means more visibility into email activities.

It is important to consider the fact that many mailbox providers don’t support forensic reporting due to GDPR and privacy regulations. That’s why you should not rely solely on fo=1 to get a deep dive into email insights. It’s suggested that you complement it with DMARC aggregate reports (RUA).

**fo=d This tag setting instructs mail servers to **generate forensic reports only for emails that fail the DKIM authentication checks. This means that if an email does not have a valid DKIM signature, or if the

DKIM-signed domain does not match the ‘From’ domain (failing alignment), a forensic report is triggered. Unlike fo=0, which requires both SPF and DKIM to fail, fo=d focuses specifically on DKIM-related failures, making it useful for organizations that prioritize DKIM authentication over SPF.

**fo=s If you apply this configuration, then forensic reports will only be generated for emails that didn’t pass the SPF authentication check, regardless of DKIM results. This setting is particularly useful for **domain owners who rely heavily on SPF authentication and want detailed insights into misaligned SPF failures. However, since fo=s does not trigger forensic reports for DKIM failures, it may not

capture cases where SPF passes but DKIM fails due to issues like broken signatures or header modifications.

Final words

It can be overwhelming to manage so many reports on a daily basis. Moreover, these reports are not only for storing the history of outgoing emails**; you need to analyze them properly to see if you have to sort some misconfigurations or remove any obsolete sending sources. If you are seeking a helping hand in DMARCReport management, reach out to us.