Can multiple 'rua' URIs be specified in a DMARC record?

Yes, you absolutely can. The DMARC specification is designed to allow domain owners to send their aggregate reports to multiple destinations. This is a common practice, especially for organizations that use a DMARC monitoring service while also wanting to receive the raw reports at an internal mailbox.

The rua tag, which stands for "Reporting URI for Aggregate data", is a crucial part of a DMARC record. It tells receiving mail servers where to send the daily XML reports that summarize email traffic for your domain. These reports are the foundation of DMARC monitoring, providing visibility into who is sending email on your behalf.

Suped DMARC monitor

Free forever, no credit card required

Get started for free

Trusted by teams securing millions of inboxes

To specify multiple destinations for your aggregate reports, you list them within a single rua tag. The different URIs are separated by a comma. It is critical that each individual URI begins with the mailto: prefix.

Search Security says:

Visit website

According to TechTarget, while at least one URI is required for the tag to function, it can contain a comma-separated list of multiple URIs.

Here is an example of a DMARC record with a single rua address:

v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com;

And here is how you would format it to send reports to two different addresses:

v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com,mailto:dmarc@third-party-service.com;

While you can specify multiple URIs, it's wise to be mindful of a few things to ensure your reports are delivered reliably.

GCA Community says:

Visit website

The Global Cyber Alliance community recommends limiting the number of email addresses in the rua tag. They suggest that using more than 3-5 addresses could potentially lead to report delivery issues.

• Keep the list concise. While there isn't a strict technical limit defined in the RFC, some mail servers may truncate or incorrectly parse very long DNS records. Sticking to a handful of reporting addresses is a good rule of thumb.
• External domain verification. If you send reports to an address at a different domain (e.g., your DMARC record is for example.com but the rua points to third-party.com), the owner of that external domain must authorize receiving your reports. This is a security measure to prevent DMARC from being used to send spam. This authorization is done by publishing a special DNS record at the receiving domain.
• Ensure correct syntax. A common mistake is forgetting the mailto: prefix on subsequent URIs or trying to add multiple rua tags. The entire list must be under a single, comma-separated rua tag.

In conclusion, DMARC fully supports sending aggregate reports to multiple addresses. This functionality is powerful for managing your email security posture across different tools and teams. By formatting your rua tag correctly as a single, comma-separated list and adhering to best practices, you can ensure your DMARC data gets everywhere it needs to go.