What DNS record is required for DMARC reports to an external domain?

Key findings

• Authorization TXT Record: A DNS TXT record must be published on the domain that is designated to receive DMARC reports from an external domain. This record explicitly authorizes the receiving domain to collect this data.
• Purpose: The record's main function is to prevent abuse, specifically to avoid mailbombing unsuspecting email addresses with large volumes of DMARC reports.
• RFC 7489 Requirement: The DMARC specification, outlined in RFC 7489 Section 7.1, mandates this authorization for external reporting destinations.
• Internal vs. External: This record is only necessary when the DMARC report recipient email address (specified by rua or ruf tags) belongs to a domain different from the DMARC policy's organizational domain.
• Inconsistent Enforcement: While required, some mailbox providers might still send reports even without this record, leading to inconsistent report delivery if not properly configured.

Key considerations

• Configuration Location: The TXT record must be added to the DNS of the report-receiving domain, not the sending domain with the DMARC record.
• Format: The record typically follows the format <sending-domain>._report._dmarc.<receiving-domain> with a value of v=DMARC1;.
• Third-Party Services: If using a third-party DMARC reporting service, they typically provide instructions for this record or manage it on their end. Understanding the different types of DMARC services is important.
• Ensuring Full Reports: To ensure you receive comprehensive DMARC reports from all ISPs that send them, this authorization record should always be correctly implemented, even if initial reports are received without it.
• Best Practices: Adhering to DMARC best practices, including this authorization, is crucial for effective DMARC setup and robust email security.

Key opinions

• Initial Confusion: Many marketers are initially unsure if the DMARC report recipient email address needs to match the DMARC-configured domain, especially when they receive partial reports despite warnings.
• External Domain Requirement: There's a general understanding that if reports go to an external domain (e.g., a reporting service), a special DNS record on the receiving domain is needed.
• Verification Importance: Marketers recognize that this verification process is crucial for preventing unwanted mail or mailbombing of report recipient inboxes.
• Reliance on Service Providers: Many expect their outsourced DMARC services to handle this technical setup, illustrating a common division of labor.
• Internal Domain Exemption: It's understood that this external verification is not required if the rua address is within the same organizational domain as the DMARC record.

Key considerations

• DNS TXT Record Creation: Marketers need to ensure the correct TXT record, such as example.com._report._dmarc.abc.com with v=DMARC1;, is published on the external receiving domain.
• Comprehensive Reporting: Despite occasional report delivery without the record, full compliance is necessary to guarantee receipt of DMARC reports from all providers.
• DMARC Record Structure: Understanding the function of rua and ruf tags is fundamental for setting up report destinations in the DMARC record.
• Troubleshooting: When reports are missing, the first step should be to verify the presence and correctness of this authorization record on the receiving domain, as highlighted by DuoCircle's guide.

Key opinions

• Mandatory Authorization: The domain receiving DMARC reports must publish a TXT record to announce its readiness to receive reports for an external domain.
• Abuse Prevention: This record is crucial for preventing mailbombing or other abuses of the DMARC reporting mechanism.
• RFC Compliance: Experts direct to RFC 7489, which provides the precise instructions for setting up this authorization record in DNS.
• Report Delivery: While some providers might still send reports without it, compliance ensures consistent delivery from all DMARC-implementing mail servers.
• No DMARC Validation Impact: The authorization record does not affect DMARC authentication validation, but it does affect whether reports are sent.

Key considerations

• Third-Party vs. Self-Managed: If using a third-party reporting service, they typically manage this record. If self-hosting, the domain owner must publish it.
• DNS Record Specifics: The record needed is a TXT record for the report-receiving domain, following a specific subdomain structure (e.g., <sending-domain>._report._dmarc.<receiving-domain>). This is part of the overall DNS configuration for DMARC.
• Varying Strictness: Some DMARC validators might be hit or miss in checking this record, but adhering to the specification is always the best practice for reliability.
• Configuration Problem Indicator: Absence of this record can indicate a configuration problem, which may indirectly affect a domain's reputation with large mailbox providers.
• Impact on Deliverability: While it doesn't directly prevent email delivery, missing reports mean you lack critical data for improving your email deliverability rates and protecting your domain.

Key findings

• RFC 7489 Mandate: Section 7.1 of RFC 7489 explicitly specifies the requirement for a DNS TXT record to authorize the receipt of DMARC aggregate reports at external destinations.
• Anti-Abuse Mechanism: The primary rationale for this record is to prevent 'mailbombing' or unsolicited delivery of reports, thereby enhancing security and privacy.
• Explicit Authorization: The record serves as an explicit consent mechanism from the receiving domain to accept DMARC data from a specific sending domain.
• Suppression of Reports: Without this authorization, DMARC-compliant mail servers are obligated to suppress the generation and delivery of reports to the external destination.
• Internal Exception: The record is not needed if the report-receiving address is within the same organizational domain as the DMARC policy's `From:` domain, as implicit trust is assumed.

Key considerations

• TXT Record Format: The authorization record should be a TXT record located at a specific subdomain, such as <sending-domain>._report._dmarc.<receiving-domain>, with the value v=DMARC1;.
• DMARC.org Guidance: Resources like the DMARC.org FAQ offer practical advice and point back to the RFC for detailed instructions.
• Data Privacy: This explicit authorization mechanism ensures that sensitive DMARC data, which can reveal aspects of email infrastructure, is only delivered to authorized and consenting parties.
• Comprehensive Monitoring: For complete DMARC report coverage and effective monitoring of your domain's email health, adhering to this specific configuration is essential, as some ISPs strictly follow the standard. For more on DMARC reports, consult our resources.