How to set up a DNS record to receive DMARC reports from other domains?

Hello,

Yes, if you want to receive reports to another domain, then you should authorize the domain, i.e. verify the external destination per the instructions at your link.

It goes without saying, you should use real domain names according to your situation.
 
I expected the following to work:

DNS TXT for dmarcdomain.com
Code:
_dmarc    TXT    "v=DMARC1; p=none; sp=none; rua=mailto:[email protected]"

DNS TXT for reportdomain.com
Code:
dmarcdomain.com._report._dmarc.reportdomain.com    TXT    "v=DMARC1"
MXTools says:
"DMARC External Validation | External Domains in your DMARC are not giving permission for your reports to be sent to them."
It looks perfect according to everything I read here and on the web. Apparently I don't understand how this works.

Thanks!

!!! EDIT: Solved !!!
This is how I fixed it! I stopped working on it, cleaned up and stored away the summer equipment and hoses, got the winter equipment out and running, ran the backup generator, cleaned and organized the garage, cleaned out and washed my SUV, filled it with gas, and when I returned and refreshed the screen, voilà!

Now MXTools says:
"DMARC External Validation | All external domains in your DMARC record are giving permission to send them DMARC reports."
I decided I'd better pass this along in case someone else runs into the same thing I did. Believe me, spending hours on all of that technical mumbo-jumbo DOESN'T work. Been there, done that.
 
From RFC-7489
Verifying External Destinations

It is possible to specify destinations for the different reports that are outside the authority of the Domain Owner making the request. This allows domains that do not operate mail servers to request reports and have them go someplace that is able to receive and process them. Without checks, this would allow a bad actor to publish a DMARC policy record that requests that reports be sent to a victim address, and then send a large volume of mail that will fail both DKIM and SPF checks to a wide variety of destinations; the victim will in turn be flooded with unwanted reports. Therefore, a verification mechanism is included.

For example: If your domain is dmarcdomain.com and you want to send your reports to reportdomain.com, then the recipient domain needs to add a TXT DNS record
Code:
dmarcdomain.com._report._dmarc.reportdomain.com.    TXT    "v=DMARC1"

In the majority of cases the recipient domain will create a wild card record, which essentially means the domain is willing to receive DMARC reports for ANY domain. A wildcard record would look like this:
Code:
*._report._dmarc.reportdomain.com.    TXT    "v=DMARC1"
 
I know this thread is a little old, but hoping somebody gets a notification.

I'm trying to accomplish the above where I have all of the reports go to one single domain.

I have a record in one of the domains to tell the reports to go to another domain -->
type: TXT
name: _dmarc
value: v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]; sp=none; fo=0

This is the part where I am unclear. I have a record in the RECEIVINGDOMAIN.com where I want to receive the reports

I have this, which is the same as the other domain, so that I have a DMARC for this RECEIVINGDOMAIN
type: TXT
name: _dmarc
value: v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]; sp=none; fo=0

Now I know I need more information on the RECEIVINGDOMAIN to authorize it to receive reports for the other domains
OTHERDOMAIN.com._report._dmarc.RECEIVINGDOMAIN.com.

The question is, how do I do that?

Do I add it to the value above? Or do I create another value?

The way I read it, it looks like I add another value
type: TXT
name: OTHERDOMAIN.com._report._dmarc.RECEIVINGDOMAIN.com.
value: v=DMARC1

It does not seem to work, and I don't think that's right.

Can anybody clarify?

Thanks
 
It's just a TXT record. You adjust the existing (if present) DMARC record to your needs.
This is how I did it and it works perfectly:
Code:
v=DMARC1; p=none; rua=mailto:[email protected], mailto:[email protected]; ruf=mailto:[email protected]; sp=none;
As you can see, you can name it as you want and send to the email address(es) you want, as long as you have the ruf and rua tags correct.
I think I had DA create my DMARC record and then added what was needed. But if not... it's just a TXT record.
 
I thought I had solved it but it was DNS update delay, so now I'm not sure which version works.

I have the right code for the domain as you did above, BUT when I want the RUA and RUF to go to a different domain, I have to add a record to the receiving domain to allow it to accept for other domains, that's where I came unstuck
 
It looks like I have fixed it, by adding an additional record to the receiving domain
Type: TXT
Name: *._report._dmarc
Value: v=DMARC1

I had previously tried this, but noticed that when I went back to edit it that GoDaddy had truncated some of the name
Type: TXT
Name: *._report._dmarc.RECEIVING DOMAIN
Value: v=DMARC1

I've since changed to this so that I can send from the one domain rather than a wildcard, which concerned me as to how much unrelated email I may receive. I presume I'll just add an additional replicated record for each domain I want to send to the RECEIVINGDOMAIN
Type: TXT
Name: ORIGINALDOMAIN._report._dmarc
Value: v=DMARC1
 
It was just understanding the correct format for name and value, which way around they went. There was mixed info on having the RECEIVINGDOMAIN at the end of the name, but the above appears to do the trick.
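
The check discussed in this thread (RFC 7489 external destination verification), as an added example that is not part of any post above: it derives the name a report sender queries and the shorter name to type into a zone editor that appends the zone itself, then tests three constructed zones. The report address, the sample zones, the two-label organizational-domain shortcut and the toy resolver are assumptions made for illustration.

```python
import re

def org_domain(name):
    # Assumption: last two labels; real receivers use the Public Suffix List.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def report_hosts(dmarc_txt):
    """Destination hosts of every mailto: URI in the rua= and ruf= tags."""
    hosts = []
    for tag in dmarc_txt.split(";"):
        key, _, value = tag.strip().partition("=")
        if key.strip().lower() in ("rua", "ruf"):
            for uri in value.split(","):
                m = re.match(r"\s*mailto:[^@\s]+@([^!\s]+)", uri, re.I)
                if m:
                    hosts.append(m.group(1).lower().rstrip("."))
    return sorted(set(hosts))

def lookup_txt(zone, fqdn):
    """Toy resolver: exact owner name first, then the nearest wildcard above it."""
    labels = fqdn.lower().rstrip(".").split(".")
    if ".".join(labels) in zone:
        return zone[".".join(labels)]
    for i in range(1, len(labels)):
        wild = "*." + ".".join(labels[i:])
        if wild in zone:
            return zone[wild]
    return []

def external_checks(policy_domain, dmarc_txt, zone):
    """Map each external report host to (queried name, zone-relative name, authorized)."""
    out = {}
    for host in report_hosts(dmarc_txt):
        if org_domain(host) == org_domain(policy_domain):
            continue  # same organizational domain: no verification record needed
        # Assumption: the report host is also the zone apex, so this is the
        # name to enter in an editor that appends the zone automatically.
        relative = f"{policy_domain}._report._dmarc"
        fqdn = f"{relative}.{host}"  # the name the report sender looks up
        ok = any(re.match(r"\s*v\s*=\s*DMARC1\s*(;|$)", t) for t in lookup_txt(zone, fqdn))
        out[host] = (fqdn, relative, ok)
    return out

# Constructed sample data: the report address and all three zones are made up.
POLICY = "v=DMARC1; p=none; sp=none; rua=mailto:reports@reportdomain.com"
ZONE_EXACT = {"dmarcdomain.com._report._dmarc.reportdomain.com": ["v=DMARC1"]}
ZONE_WILDCARD = {"*._report._dmarc.reportdomain.com": ["v=DMARC1"]}
ZONE_DOUBLED = {"dmarcdomain.com._report._dmarc.reportdomain.com.reportdomain.com": ["v=DMARC1"]}

if __name__ == "__main__":
    for label, zone in [("exact", ZONE_EXACT), ("wildcard", ZONE_WILDCARD), ("doubled", ZONE_DOUBLED)]:
        print(label, external_checks("dmarcdomain.com", POLICY, zone))
```

ZONE_DOUBLED models a record saved with the receiving domain typed into an editor that appends it again; the lookup fails because the owner name no longer matches what the sender queries.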
 
I receive the reports of many domains. I set it up the following way:

All domains get the default DMARC TXT record with mail address dmarc-reports@<domain>.
Then I create a forward from dmarc-reports@<domain> to the receiving mailbox.

These two steps can be automated within DirectAdmin (scripts/custom)
 