What is “External Destination Verification”?
A domain’s DMARC record can tell the world to send DMARC reports to a different domain. For example, the domain
example.org might have a DMARC record of:
v=DMARC1; p=none; rua=mailto:firstname.lastname@example.org
This DMARC record tells people to send reports regarding
example.org to the email address of
email@example.com. Before reports are sent,
sample.net must tell the world that it is OK to send
example.org's reports to
sample.net. Otherwise, reports will not be sent to
Allowing “external” domains to accept DMARC reports is called “External Domain Verification.”
For those who like too much information, the DMARC RFC describes in detail how report generators determine if sample.net is allowed to receive reports related to example.org.
External Domain Verification is made possible when sample.net publishes a special TXT record at a specific location in the DNS. If example.org tells the world to send DMARC reports to the sample.net domain, people who are sending reports will look for a TXT record at this location:
…and expect the result to be:
In this way, the operator of
sample.net can explicitly tell the world that
example.org's reports can be sent to
dmarcian processes data for an enormous number of domains and automatically adds the External Domain Verification record as needed. This is how people can use dmarcian to process DMARC data by directly inserting a dmarcian reporting address into a DMARC record.
If you’re seeing warnings that your domain’s DMARC record is “Missing authorization for External Destination,” the fix is to either:
- update the DNS to which the reports need to be sent by adding ._report._dmarc in the Name field and v=DMARC1 in the Value field as seen below or
- remove the email address and only add the dmarcian reporting address in the DMARC record.
Feel free to contact us with any questions about the arcane topic of External Domain Verification.
We’re Here to Help
With a team of email security experts and a mission of making email and the internet more trustworthy through domain security, dmarcian is here to help assess an organization’s domain catalog and implement and manage DMARC for the long haul.
Want to continue the conversation? Head over to the dmarcian Forum.