Suped

What DNS record is required for DMARC reports to an external domain?

Summary

To successfully receive DMARC reports at a domain different from the sending domain, the receiving domain must explicitly authorize the report collection. This is achieved by publishing a specific TXT record in its DNS settings, confirming its willingness to accept DMARC reports on behalf of the sending domain. This authorization prevents potential mailbombing and guards against unauthorized use of the receiving domain's servers. No extra setup is needed if the DMARC report recipient is within the same organizational domain as the sender.

Key findings

  • TXT Record Authorization Essential: A TXT record on the receiving domain is mandatory to authorize DMARC report collection from a different sending domain.
  • Preventing Mailbombing: This TXT record also functions as a preventative measure against potential mailbombing attempts.
  • Same-Domain Exemption: If the DMARC report recipient resides within the same organizational domain as the sender, the additional TXT record is unnecessary.
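  • TXT Record DNS Setting: The record is published at example.com._report._dmarc.abc.com with the value v=DMARC1, where example.com is the sending domain and abc.com is the domain receiving the reports.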

Key considerations

  • Ensure Accurate TXT Setup: Verify that the TXT record is correctly formatted and implemented within the DNS settings of the receiving domain.
  • Organizational Domain Check: Confirm whether the report recipient is within the same organizational domain before proceeding with external authorization processes.
  • Security Importance: Following DMARC guidelines and correctly setting up report authorizations is critical for enhancing email security and preventing potential abuse.
  • Outsourced Service Consideration: If you use an outsourced reporting service, it will handle the setup; otherwise, you must publish the DNS record yourself.
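
The check described above, as an added example (not code from this page or from any vendor it cites): it parses a DMARC record, skips report addresses in the sender's own organizational domain, and lists the `<sender>._report._dmarc.<receiver>` TXT records that external receivers must publish. The function names, the sample record and the `ZONE` dictionary standing in for DNS are constructed, and the organizational-domain test is a simplified assumption rather than a Public Suffix List lookup.

```python
# Added example: constructed data, no network access.

def org_domain(name):
    # ASSUMPTION: naive "last two labels" stand-in for a Public Suffix List
    # lookup; it gives wrong answers for suffixes such as co.uk.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def report_hosts(dmarc_record):
    """Return the set of hosts named in mailto: URIs of the rua/ruf tags."""
    hosts = set()
    for tag in dmarc_record.split(";"):
        key, _, value = tag.strip().partition("=")
        if key.strip().lower() not in ("rua", "ruf"):
            continue
        for uri in value.split(","):
            uri = uri.strip().split("!")[0]  # drop optional size limit, e.g. !10m
            if uri.lower().startswith("mailto:") and "@" in uri:
                hosts.add(uri.rsplit("@", 1)[1].lower())
    return hosts

def required_auth_records(policy_domain, dmarc_record):
    """Names of the TXT records that external receiving domains must publish."""
    return sorted(
        f"{policy_domain}._report._dmarc.{host}"
        for host in report_hosts(dmarc_record)
        if org_domain(host) != org_domain(policy_domain)
    )

def missing_authorizations(policy_domain, dmarc_record, txt_lookup):
    """txt_lookup(name) -> list of TXT strings; return names lacking v=DMARC1."""
    return [
        name for name in required_auth_records(policy_domain, dmarc_record)
        if not any(t.strip().startswith("v=DMARC1") for t in txt_lookup(name))
    ]

# Constructed sample: example.com sends; abc.com and reports.example.net receive.
RECORD = ("v=DMARC1; p=none; rua=mailto:agg@abc.com!10m,"
          "mailto:dmarc@mail.example.com; ruf=mailto:f@reports.example.net")
ZONE = {"example.com._report._dmarc.abc.com": ["v=DMARC1"]}  # constructed zone data

if __name__ == "__main__":
    lookup = lambda name: ZONE.get(name, [])
    print(required_auth_records("example.com", RECORD))
    print(missing_authorizations("example.com", RECORD, lookup))
```

To run it against live DNS, replace the lookup function with one backed by a resolver.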

What email marketers say

9 marketer opinions

To receive DMARC reports at a domain different from the sending domain, the receiving domain must explicitly authorize the report collection by publishing a specific TXT record in its DNS settings. This record verifies the receiving domain's consent to accept DMARC reports on behalf of the sending domain. In other words, the TXT record authorizes reports to be sent to that domain.

Key opinions

  • TXT Record Requirement: A specific TXT record needs to be created on the receiving domain's DNS to authorize DMARC report collection from the sending domain.
  • Authorization Purpose: This TXT record acts as an authorization, ensuring the receiving domain is willing to accept DMARC reports for a particular sending domain.
  • External Domain Reporting: When DMARC reports are sent to a domain different from the originating domain, explicit authorization via a DNS TXT record is mandatory.

Key considerations

  • Record Format: Ensure the TXT record on the receiving domain follows the correct format to properly authorize the sending domain for DMARC reporting.
  • Domain Ownership: Verify you have control over the DNS settings of both the sending and receiving domains to implement this authorization correctly.
  • Security Implications: Implementing this authorization helps prevent unauthorized entities from collecting DMARC reports, enhancing email security.

Marketer view

Email marketer from AuthSMTP explains that if your DMARC record is set to send reports to a different domain (i.e. not your own), the destination domain has to specifically allow that reporting. This is done by setting up a specific record in their DNS settings.

5 Feb 2024 - AuthSMTP

Marketer view

Email marketer from URIports shares that if you would like to receive aggregate reports at a different domain than your authentication domain, then you must authorize that domain for receiving your reports. This is achieved by publishing a TXT record to the DNS record of the reporting domain.

12 Oct 2021 - URIports

What the experts say

6 expert opinions

When sending DMARC reports to an external domain (a domain different from the sending domain), a TXT record must be created on the receiving domain to authorize the report collection. This announcement prevents potential mailbombing and verifies that the receiving domain consents to accept DMARC reports on behalf of the sending domain. No additional TXT record is needed if the recipient address for DMARC reports is within the same organizational domain as the DMARC record. This TXT record announcement does not affect DMARC validation. The requirement for a report address (rua) to be declared aims to prevent malicious use of the reporting mechanism.

Key opinions

  • TXT Record Authorization: A TXT record on the receiving domain is essential for authorizing DMARC report collection from a different sending domain.
  • Mailbombing Prevention: The TXT record acts as a preventative measure against potential mailbombing attempts.
  • Same Domain Exception: If the DMARC report recipient is in the same domain as the sending domain, the extra TXT record is not required.
  • Report Address (rua) Declaration: The requirement that an external report address (rua) be declared is intended to prevent malicious use of the reporting mechanism.

Key considerations

  • Correct TXT Record Setup: Ensure the TXT record is correctly formatted and implemented on the receiving domain's DNS settings.
  • Organizational Domain: Confirm whether the report recipient is within the same organizational domain before proceeding with external authorization.
  • DMARC Validation Impact: Understand that checking for external domain authorization doesn't directly impact DMARC validation.
  • Security Best Practices: Following DMARC guidelines is crucial for improving security and preventing email abuse.

Expert view

Expert from Email Geeks shares that the rua requirement is mainly there to prevent the use of rua records to mailbomb unwilling recipients, whether intentionally or otherwise.

22 Oct 2024 - Email Geeks

Expert view

Expert from Email Geeks explains that the domain receiving DMARC reports needs to announce it's prepared to receive reports about your domain to prevent mailbombing. If using an outsourced service, they'll handle setup; otherwise, you must publish a DNS record.

12 Oct 2022 - Email Geeks

What the documentation says

4 technical articles

To receive DMARC reports at a domain other than the sending domain, the reporting domain must authorize the sending domain by publishing a specific DNS TXT record. This record confirms that the reporting domain is willing to receive reports on behalf of the sending domain and prevents unauthorized use of an organization's servers.

Key findings

  • Authorization Requirement: A specific DNS record must be published by the reporting domain to authorize the sending domain to send DMARC reports.
  • TXT Record Type: The required DNS record is a TXT record.
  • Prevention of Unauthorized Use: This authorization mechanism prevents unauthorized use of an organization's servers for DMARC reporting.

Key considerations

  • Record Syntax: Ensure the correct syntax and format of the TXT record are used when configuring the authorization.
  • DNS Zone Management: Proper management of the DNS zone is crucial for implementing and maintaining the required TXT record.
  • External Reporting Setup: When configuring DMARC to send reports to an external domain, always ensure the authorization record is in place.

Technical article

Documentation from Proofpoint explains that when configuring DMARC to send reports to an external domain, the external domain has to explicitly authorise this reporting by publishing a TXT record in its DNS zone.

29 Apr 2025 - Proofpoint

Technical article

Documentation from datatracker.ietf.org shares that if the domain listed in the DMARC record's `ruf` or `rua` tag is different from the domain sending the email, a DNS record must be published at the reporting domain to authorize the collection of reports.

12 Dec 2023 - datatracker.ietf.org
