The rua and ruf tags in a DMARC record allow domain owners to specify email addresses where they want to receive DMARC aggregate and forensic reports. You can choose to receive both types of DMARC reports on the same email address or different ones.
Generally, these email addresses belong to the same custom domain for which the DMARC record is created. However, you can choose to receive them at an email address outside of the domain’s capacity. This requires the external domain to verify that its owner has no problem in receiving these reports. In most cases, the owner of the domain and the external email address are the same. Let’s understand this concept in detail.
What is External Domain Verification?
External domain verification is a DMARC reporting feature that allows domain owners to receive DMARC aggregate and forensic reports on mail servers outside the domain’s inclusions. Generally, businesses with several domains and subdomains, intricate email infrastructure, and third-party service providers practice it.
Some parties deliberately create a separate domain to accept such reports so that their primary inboxes aren’t overloaded with frequent failure reports. This sorts out operations at different levels.
Image sourced from slideshare.net
What is the Process of External Domain Verification?
Since you want to receive DMARC reports on an email address belonging to a different domain, you will have to give consent, and this agreement is also verified. External domain verification is important to ensure hackers don’t misuse this feature to de-route failure reports from reaching the inboxes of the person or team in charge of DMARC.
The process starts when the receiving server checks if the email addresses entered next to the rua and ruf tags have the same domain name as that of the sender. If these are different, the recipient’s server verifies the consent of the external domain.
The verification is done by sending DNS queries to the external domain.
Servers start sending DMARC reports if the response is positive. However, if there is no affirmation, no reports are sent to any internal or external domains until email addresses are redefined in the DMARC record.
This security exercise ensures that only authorized and trusted users access DMARC reports, which may contain sensitive details.
In case you encounter a temporary DNS timeout error or similar issues, then you don’t have to take any action. Things would get sorted on their own. However, consider getting in touch with technical experts if issues persist.
How to Solve the External Verification Failure?
If the external domain verification process has failed to get consent from a trusted and authorized external domain, then fix this by publishing a TXT record in the external domain’s DNS. This will help confirm the consent or affirmation on behalf of the email address outside of your domain’s capacity.
Wildcard Method
Wildcard method is an alternative to the external domain verification process that can be used if there’s a failure in getting a positive response from an authorized email address outside of the domain. A wildcard record responds to DNS requests for subdomains that aren’t defined yet.
A wildcard DNS record is defined using an asterisk or ‘*’ symbol at the leftmost part of a domain name and allows all subdomains to share the same web content with a single DNS entry.
However, this alternative to the external domain verification method is not recommended due to two reasons:
- It impacts the SEO ranking of your website.
- As of now, there is no mechanism to filter reports, which encourages cybercriminals to send spam emails.
Wrapping It Up
Businesses that experience too many false positives for outgoing emails often create a separate account for receiving DMARC aggregate and forensic reports; otherwise, their inboxes would get flooded with failure reports, making it challenging to manage other emails.
So, if you wish to dedicate an external domain’s email account for the delivery and management of DMARC reports then external domain verification method is required to ensure robust email security.