What are DMARC Tags? [DMARC fo=1, fo=0, fo=d, fo=s]

DMARC is a technology that reduces the number of spam and phishing emails by exchanging information between the sender and the recipient. The recipient provides information about its mail authentication infrastructure, and the sender tells the recipient what to do if a message fails verification. So what are DMARC tags? Let’s find out in this article.

How Does DMARC Work?

DMARC is designed to integrate with minimal effort into any mailing process. It helps determine whether a message matches what the recipient knows about the sender. Or, more simply: can this sender be trusted? If yes, the subscriber receives the message; if not, the DMARC policy for unauthenticated messages is triggered. So, this is what the full cycle of sending and receiving email messages looks like with the DMARC policy enabled.

The benefits of DMARC can hardly be overestimated: DMARC allows the sender to completely eliminate unwanted fraudulent traffic, delivering only authenticated messages to the recipient.

DMARC deployment

With a large number of mailings from a domain, there is a high probability that the reputation of your domain and your emails will decrease to the point that all sent emails end up in spam and don’t reach the recipients. To successfully pass sender authentication and spam verification, three domain TXT records must be configured: SPF, DKIM, and DMARC. You can check whether all of these records exist for your domain using EasyDMARC’s Domain Scanner.

DMARC Syntax and Tag Descriptions

All DMARC tags are divided into optional and required tags. Let’s start with the mandatory ones.

Required tags

Version (“v”): Must take the value DMARC1 (e.g. v=DMARC1). Otherwise, the entry will be ignored.

Policy (“p”): Determines the policy for receiving messages for the domain and its subdomains.

  • None (p=none): no action is required.
  • Quarantine (p=quarantine): the domain owner asks that messages failing DMARC be treated as suspicious. Such messages will end up in the spam folder or be flagged as dubious.
  • Reject (p=reject): the domain owner requests that messages failing DMARC verification be rejected. The rejection must be done during the SMTP transaction.


Optional tags

RUA Report Email Address (rua): Addresses for sending Aggregated reports, separated by commas. It is possible to specify mailto: links for sending reports by mail.

RUF Report Email Address (ruf): Addresses to submit Failure reports, separated by commas. Specifying this tag implies that the owner requires recipient servers to send detailed reports on every message that fails DMARC validation.

Percentage (pct): Specifies the share of emails to be filtered, as a percentage. For example, “pct=20” will filter 20% of emails.

Subdomain Policy (sp): This tag represents the requested handling policy for subdomains.

ADKIM Tag (adkim): DKIM record authentication check. It can take the value Relaxed “r”, or Strict “s”. The default is “r”.

  • In relaxed mode, if the DKIM record being verified belongs to the domain d=example.com, and the message is sent from [email protected], the verification will pass. 
  • In strict mode, the check passes only if the message is sent from an address on the example.com domain itself. Subdomains will not pass validation.


ASPF Tag (aspf): SPF record authentication check. By analogy with adkim, it can be Relaxed “r”, or Strict “s”. The default is Relaxed “r”.

Failure Reporting Options (fo): The fo tag determines how forensic reports are created and presented to DMARC users.

  • fo=0: Generate a DMARC failure report if all underlying authentication mechanisms (SPF and DKIM) fail to produce an aligned “pass” result. (Default)
  • fo=1: Generate a DMARC failure report if any underlying authentication mechanism (SPF or DKIM) produced something other than an aligned “pass” result.
  • fo=d: Generate a DKIM failure report if the message had a signature that failed evaluation, regardless of its alignment.
  • fo=s: Generate an SPF failure report if the message failed SPF evaluation, regardless of its alignment.
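
The sketch below is an added example, not code from the article or from any DMARC implementation. It shows how the adkim/aspf alignment modes and the fo options combine for one message. The helper names and sample domains are hypothetical, the organizational domain is approximated as the last two labels (real receivers use the Public Suffix List), and combining fo options with colons follows RFC 7489.

```python
def org_domain(domain: str) -> str:
    # Assumption: organizational domain = last two labels.
    # Real receivers derive it from the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """Strict ('s'): exact domain match. Relaxed ('r'): same organizational domain."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return org_domain(a) == org_domain(b)

def failure_report_wanted(fo, from_domain, spf, dkim, adkim="r", aspf="r"):
    """spf and dkim are (result, authenticated_domain) pairs,
    e.g. ("pass", "example.com"). Returns True if any option
    listed in the fo tag asks for a failure report."""
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], aspf)
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], adkim)
    wanted = False
    for opt in fo.split(":"):            # RFC 7489: colon-separated list
        opt = opt.strip()
        if opt == "0":                   # all mechanisms lack an aligned pass
            wanted |= not spf_ok and not dkim_ok
        elif opt == "1":                 # any mechanism lacks an aligned pass
            wanted |= not (spf_ok and dkim_ok)
        elif opt == "d":                 # DKIM signature failed, alignment ignored
            wanted |= dkim[0] == "fail"
        elif opt == "s":                 # SPF failed, alignment ignored
            wanted |= spf[0] == "fail"
    return wanted

# Constructed sample: mail from a subdomain, signed with d=example.com.
FROM = "news.example.com"
SPF = ("pass", "bounce.example.com")
DKIM = ("pass", "example.com")
```

With these constructed values, switching adkim from relaxed to strict leaves fo=0 silent (SPF still gives an aligned pass) but makes fo=1 request a report, because DKIM no longer aligns.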


Report Format (rf): Format for Failure reports. The default is “afrf”.

Report Interval (ri): The interval between sending aggregated reports (in seconds).
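
As an added illustration (not code from the article or from EasyDMARC's tools), the following parser applies the rules described above: a record whose first tag is not v=DMARC1 is ignored, p is required, and optional tags fall back to their defaults. The function name and the sample record are constructed for this example; the pct, ri and sp defaults come from RFC 7489 rather than from the article.

```python
POLICIES = {"none", "quarantine", "reject"}
# adkim, aspf, fo and rf defaults are the ones the article lists;
# pct=100 and ri=86400 come from RFC 7489, not from the article.
DEFAULTS = {"adkim": "r", "aspf": "r", "fo": "0", "rf": "afrf",
            "pct": "100", "ri": "86400"}

def parse_dmarc(txt):
    """Return a dict of tags with defaults applied, None if the record
    must be ignored, or raise ValueError for an invalid tag value."""
    tags = []
    for part in (p.strip() for p in txt.split(";")):
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags.append((name.strip().lower(), value.strip()))
    if not tags or tags[0] != ("v", "DMARC1"):
        return None                      # wrong or missing version: ignored
    rec = {**DEFAULTS, **dict(tags[1:])}
    if rec.get("p") not in POLICIES:
        raise ValueError("required tag p must be none, quarantine or reject")
    rec.setdefault("sp", rec["p"])       # RFC 7489: sp falls back to p
    if rec["sp"] not in POLICIES:
        raise ValueError("sp must be none, quarantine or reject")
    for tag in ("adkim", "aspf"):
        if rec[tag] not in ("r", "s"):
            raise ValueError(f"{tag} must be r or s")
    if not set(rec["fo"].split(":")) <= {"0", "1", "d", "s"}:
        raise ValueError("fo options must be 0, 1, d or s")
    rec["pct"], rec["ri"] = int(rec["pct"]), int(rec["ri"])
    if not 0 <= rec["pct"] <= 100:
        raise ValueError("pct must be between 0 and 100")
    for tag in ("rua", "ruf"):           # comma-separated report addresses
        rec[tag] = [u.strip() for u in rec.get(tag, "").split(",") if u.strip()]
    return rec

# Constructed sample record; example.com is a placeholder domain.
SAMPLE = ("v=DMARC1; p=quarantine; pct=20; fo=1; adkim=s; "
          "rua=mailto:agg@example.com,mailto:agg2@example.com")
```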

Now that you have a general understanding of DMARC tags, you can use our DMARC Record Generator tool to create and/or update your DMARC record.
