DMARC aggregate reports are sent via email to the address specified in the DMARC record's 'rua' tag, which we'll refer to in this article as the RUA address. A domain owner may set any RUA address they wish; this email address can be a mailbox within the same domain the DMARC record is published on, or it can be an address in another domain altogether.
If the RUA address is outside your own domain, the domain of that address must authorize the receipt of DMARC reports for your domain. The DMARC specification (RFC 7489) introduced a DNS-based authorization mechanism (Section 7.1) to prevent reporting abuse.
At Valimail we call this authorization mechanism External Domain Verification. This article covers the requirements, general information, and the steps to set it up.
Why is External Domain Verification required?
The RUA address is visible in the public DNS, so spammers can retrieve it and start sending unwanted messages to it. A DDoS attack is also a potential problem: if a bad actor adds the email address to their own DMARC record, they can flood that mailbox with DMARC reports. To prevent these issues, the email domain of the RUA address should authorize third-party domains before it accepts DMARC reports for them.
How does the authorization mechanism work?
External Domain Verification uses a DNS-based authorization mechanism. Let's say, for example, that I own the domain defendmy.email and that I need to send DMARC reports to the RUA address [email protected]. For vali.email to allow DMARC reports for defendmy.email, it will have to publish a TXT record in the DNS, which contains the following:
Host/Record Name | defendmy.email._report._dmarc.vali.email |
Value | v=DMARC1 |
After receiving an email from defendmy.email, an email service provider will look up this domain's DMARC record to find the RUA address [email protected]; before sending a DMARC report to this address, the email service provider should check if vali.email authorized defendmy.email by verifying if the record above is published in the DNS. If the DNS query returns a response containing "v=DMARC1" then the authorization is verified, and the email service provider can send the DMARC report.
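The check a report sender performs, as described above, written as an added Python example (not Valimail's code and not part of the original article). The RUA local parts, the example.org entry and the ZONE dictionary standing in for DNS are constructed; treating any RUA domain that is not the policy domain or one of its subdomains as external is a simplification of the Organizational Domain comparison in RFC 7489.

```python
def parse_rua_domains(dmarc_record):
    """Return the lower-cased domain of every mailto: URI in the rua tag."""
    tags = {}
    for part in dmarc_record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    domains = []
    for uri in tags.get("rua", "").split(","):
        uri = uri.strip()
        if uri.lower().startswith("mailto:") and "@" in uri:
            address = uri[len("mailto:"):].split("!", 1)[0]  # drop "!10m" size limit
            domains.append(address.rsplit("@", 1)[1].lower().rstrip("."))
    return domains


def is_external(policy_domain, rua_domain):
    """Simplification (assumption): external unless equal to, or under, the policy domain."""
    policy_domain = policy_domain.lower().rstrip(".")
    return rua_domain != policy_domain and not rua_domain.endswith("." + policy_domain)


def authorized_rua_domains(policy_domain, dmarc_record, lookup_txt):
    """Map each RUA domain to True if a report may be sent there."""
    sender = policy_domain.lower().rstrip(".")
    result = {}
    for rua_domain in parse_rua_domains(dmarc_record):
        if not is_external(sender, rua_domain):
            result[rua_domain] = True  # same domain: no verification record needed
            continue
        # External destination: it must publish <sender>._report._dmarc.<rua domain>
        answers = lookup_txt(f"{sender}._report._dmarc.{rua_domain}")
        result[rua_domain] = any(t.strip().startswith("v=DMARC1") for t in answers)
    return result


# Constructed zone data standing in for live DNS TXT lookups.
ZONE = {"defendmy.email._report._dmarc.vali.email": ["v=DMARC1"]}

def lookup_txt(name):
    return ZONE.get(name.lower(), [])

# Constructed DMARC record for defendmy.email with three report destinations.
RECORD = ("v=DMARC1; p=reject; rua=mailto:dmarc-reports@vali.email,"
          "mailto:agg@example.org!10m,mailto:postmaster@defendmy.email")

if __name__ == "__main__":
    for dom, ok in authorized_rua_domains("defendmy.email", RECORD, lookup_txt).items():
        print(f"{dom}: {'send report' if ok else 'skip, not authorized'}")
```

Swapping `lookup_txt` for a real resolver call turns this into an audit of your own domains: any external RUA domain that maps to False is a destination where senders following the check will not deliver reports.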
When should I use External Domain Verification?
There are several instances where External Domain Verification proves to be extremely useful.
You own several domains, and you need to send DMARC reports from all of them to one particular RUA address that you own.
A domain that you own doesn't operate a mail server, so you have to send its DMARC reports to another domain.
What are the requirements for using External Domain Verification in Valimail?
The domain of the RUA address must be added in our Enforce product, and it will need to point its DMARC record to Valimail using the NameServer (NS) type record below.
Host/Record Name | _dmarc.YourDomain.com |
Record Type | NameServer (NS) |
Value | ns.vali.email |
External Domain Verification cannot be configured in Enforce if the domain points its DMARC record to Valimail using a TXT or CNAME record.
How does External Domain Verification work in Enforce?
Use the Add External Reporting Domain option in Enforce to add every domain that you need to allow to send DMARC reports to your domain. For example, if I own the domain defendmy.email and I want to allow DMARC reports from customreports.net, I will add the latter to the External Reporting Domain section in Enforce. Once that step is completed, Valimail will automatically publish the record described in the section "How does the authorization mechanism work?", which completes the authorization process.
How do I manage External Reporting Domains in Enforce?
Adding an External Reporting Domain:
1. Log into your Valimail account.
2. Click on DOMAINS.
3. Click on the domain that you wish to make this change for.
4. Click on + Add External Reporting Domain.
5. Write the external reporting domain in the From Domain Name field and then click on Add External Report.
Deleting an External Reporting Domain:
Go to the Domain configuration page (Step 3 above), and scroll down to the External Reporting Domain section. Next, click on the Delete button next to the domain that you want to remove.