Yes, you absolutely can, and it's a very common practice. The rua tag in a DMARC record stands for 'Reporting URI for Aggregate data'. It tells email receivers where to send the daily XML reports that summarize email traffic for your domain. Sending these reports to a different, dedicated domain is often the most efficient way to handle them.
Most organizations use a DMARC reporting service to parse and visualize these complex XML reports. These services provide you with a unique email address on their domain to use in your rua tag. This allows the service to collect the reports on your behalf. Alternatively, you might want to centralize DMARC reports from multiple domains you own into a single, separate domain for easier management.
How it works: external domain verification
You can't just point your DMARC reports to any domain you want without its permission. This would create a security risk, as a bad actor could use it to flood an unsuspecting address with DMARC reports. To prevent this, the DMARC standard includes a mechanism called external domain verification.
This process requires the owner of the external (receiving) domain to publish a special DNS record. This record essentially says, "I give permission to receive DMARC reports for this other domain." This confirms to report-sending servers like Google and Microsoft that the arrangement is consensual.
Setting up permission on the receiving domain
To authorize an external domain to receive your DMARC reports, a specific TXT record must be added to the DNS of the receiving domain. Let's say your sending domain is mybusiness.com and you want to send reports to reports@dmarcanalytics.com.
- You would add a DNS record to the dmarcanalytics.com domain, not mybusiness.com.
- The DNS record's Host or Name would be: mybusiness.com._report._dmarc.dmarcanalytics.com
- The record Type must be TXT.
- The Value must be: v=DMARC1;
Without this record, DMARC report generators will check for permission, find none, and simply not send the report. This can be confusing, and many DMARC checking tools will flag it as an error.
Configuring your DMARC record's 'rua' tag
Once the permission record is correctly set up on the receiving domain, you can confidently add the external address to your own domain's DMARC record. The record for mybusiness.com would be a TXT record at _dmarc.mybusiness.com and look something like this:
v=DMARC1; p=none; rua=mailto:reports@dmarcanalytics.com;
You can also specify multiple reporting addresses by separating them with a comma. Just remember that if any of those addresses are on external domains, each external domain must have the appropriate permission record set up.
Final thoughts
To summarize, sending DMARC rua reports to an address on a different domain is not just possible, it's standard practice for effective DMARC management. The critical step is ensuring the receiving domain grants permission via a specific DNS record. This external domain verification mechanism is a key security feature of the DMARC protocol, ensuring that report data is sent only where it's welcome.
What DMARC tag specifies forensic reports?
What does the 'ruf' DMARC tag stand for?
Does a DMARC 'rua' URI require 'mailto:' prefix?
Can multiple 'rua' URIs be specified in a DMARC record?
Does DMARC 'relaxed' alignment match a subdomain to the organizational domain?
Does DMARC policy apply to the header 'From' address?
