christoph ender's

blog

friday the 16th of august, 2024

send dmarc report to external domains

Without extra measures, DMARC reporting (both aggregate and forensic reports) is limited to sending mail to the same domain that the DMARC record describes. Sometimes, however, it's desirable to have the reports sent elsewhere, for example in the case of a null client, which only sends but never receives mail.

Consider the following example DNS record for the domain example.com:

_dmarc.example.com.    300    IN    TXT \
 "v=DMARC1;p=quarantine;pct=100;adkim=s;" \
 "rua=mailto:dmarc-reports@example.com;" \
 "ruf=mailto:dmarc-forensic@example.com"

With this record, DMARC reports are sent to dmarc-reports@example.com and dmarc-forensic@example.com. If they should be sent to other domains instead, the target domains have to explicitly authorize the sending domain.

Sticking with the example above: if reports for example.com should be sent to dmarc-report@example.org, an entry like the following one has to exist in the DNS for example.org:

example.com._report._dmarc.example.org. \
 300 IN TXT "v=DMARC1"

For testing, mxtoolbox.com has a DMARC check which also verifies whether the receiving domain has authorized the sending domain.
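
The same check can be scripted before publishing a record. The following Python code is an added example, not part of the original post: it lists the `_report._dmarc` authorization records that are still missing for a given DMARC record. The function names, the `example.net` address and the in-memory zone are constructed for illustration, and a destination counts as external whenever its host differs from the policy domain, which is a simplification of the organizational-domain comparison real receivers perform.

```python
def parse_tags(record):
    """Split a DMARC TXT record into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def report_hosts(record):
    """Return the destination hosts of all mailto: URIs in rua and ruf."""
    tags = parse_tags(record)
    hosts = set()
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            uri = uri.strip().split("!", 1)[0]  # drop optional size limit, e.g. "!10m"
            if uri.lower().startswith("mailto:") and "@" in uri:
                hosts.add(uri.rsplit("@", 1)[1].lower().rstrip("."))
    return hosts

def missing_authorizations(policy_domain, record, lookup_txt):
    """Names of the authorization records that external report hosts still lack.

    lookup_txt(name) is supplied by the caller and returns a list of TXT strings.
    """
    policy_domain = policy_domain.lower().rstrip(".")
    missing = []
    for host in sorted(report_hosts(record)):
        if host == policy_domain:
            continue  # same domain: no authorization record needed
        name = f"{policy_domain}._report._dmarc.{host}"
        # The target domain authorizes the sender with a TXT record "v=DMARC1".
        if not any(parse_tags(t).get("v") == "DMARC1" for t in lookup_txt(name)):
            missing.append(name)
    return missing

# Constructed stand-in for DNS: only example.org has authorized example.com.
SAMPLE_ZONE = {"example.com._report._dmarc.example.org": ["v=DMARC1"]}
SAMPLE_RECORD = ("v=DMARC1;p=quarantine;pct=100;adkim=s;"
                 "rua=mailto:dmarc-report@example.org,mailto:agg@example.net!10m;"
                 "ruf=mailto:dmarc-forensic@example.com")

def sample_lookup(name):
    """Answer TXT queries from the constructed zone instead of real DNS."""
    return SAMPLE_ZONE.get(name.rstrip("."), [])

if __name__ == "__main__":
    print(missing_authorizations("example.com", SAMPLE_RECORD, sample_lookup))
```

To run it against real DNS, replace `sample_lookup` with a function that performs the TXT query using a resolver of your choice.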