How do you receive DMARC reports on external email addresses?
While most domain owners prefer receiving DMARC aggregate and forensic reports on internal email addresses, some want to have them in external inboxes. Internal email addresses refer to those belonging to the same domain for which the DMARC record is created. For example, if your organization’s domain is example.com, then an internal domain email address would be something like employee@example.com. On the other hand, external email addresses are the ones not belonging to that domain. For example, department@otherdomain.com.
Some parties opt to receive reports on a separate dedicated domain so that their primary inboxes are not flooded with frequent reporting emails.
To receive reports on external email addresses, a small verification process is required. Let’s see how that’s done.
Understanding the external domain verification process
To receive reports on an external email address, the external domain has to publish explicit consent in DNS. Without this check, anyone could publish a DMARC record that names an arbitrary third-party mailbox and flood it with reports, and a mistyped or maliciously altered rua/ruf address would silently ship your failure reports, which can contain message headers and sometimes message content, to an inbox you do not control, leaving you without the visibility you need to spot abuse of your domain.
The check runs on the receiving side. When a report generator prepares a report for your domain, it compares the domain part of each mailto: address in the rua and ruf tags with the domain the DMARC record belongs to. If they differ, it does not trust the address on its own: it queries DNS for a TXT record named <your-domain>._report._dmarc.<external-domain> (for example, example.com._report._dmarc.otherdomain.com) and treats a value of v=DMARC1 as consent from the external domain. This applies to both aggregate (rua) and failure (ruf) reports.
If the consent record is found, reports are sent to that address. If not, the report generator ignores that address until the DMARC record or the consent record is corrected, while any internal addresses in the same record continue to receive reports. This helps ensure that only authorized parties receive reports, which matters most for failure reports, since they can carry sensitive information.
Implementing DuoCircle can enhance your management of these reports, making the process smoother and more efficient.
If you encounter a temporary DNS timeout or a similar lookup error, don’t worry; report generators retry and such problems usually resolve themselves. However, if reports still do not arrive, it’s best to consult a technical expert.
If reports for a trusted external address are not arriving, the usual cause is that the consent record has not been published. Fix it by publishing a TXT record in the external domain’s DNS zone, named <your-domain>._report._dmarc.<external-domain> and containing v=DMARC1. For example, for reports on example.com to be accepted at an address under otherdomain.com, otherdomain.com publishes example.com._report._dmarc.otherdomain.com IN TXT "v=DMARC1". This record confirms consent on behalf of the external email address.
Wildcard Method
This is an alternative to publishing one consent record per domain: the external domain publishes a single wildcard record, *._report._dmarc.otherdomain.com IN TXT "v=DMARC1". A wildcard record answers DNS queries for any name under it that has no explicit record of its own; it’s created by placing an asterisk or ‘*’ as the leftmost label, so every domain that points its rua or ruf at otherdomain.com finds the same consent through one DNS entry. Report collectors that serve many customer domains commonly use it.
But we don’t encourage this method for a domain that only wants its own reports, because there is no way to filter by sender domain: anyone can point their DMARC record at your address, and the wildcard consents to all of them, so bad actors can flood your inbox with unsolicited reports.
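The following Python script is an added example, not code from the original page, that simulates how a report generator performs the external verification described above, including the per-domain consent record and the wildcard form. The DNS data is a constructed in-memory table (the zone names reports.example and collector.example, and all record values, are assumptions for the example); swap lookup_txt() for a real resolver to run it against live DNS.

```python
"""Simulate DMARC external destination verification (RFC 7489 section 7.1).

Added example, not code from the original page. A report generator holding
the DMARC record for example.com decides, for every rua/ruf destination,
whether it is internal, externally authorised by a
<policy-domain>._report._dmarc.<destination-domain> TXT record (exact or
wildcard), or must be ignored.
"""
from urllib.parse import urlsplit

# Constructed zone data (assumption for the example). Names are fully qualified.
DNS_TXT = {
    "_dmarc.example.com.": [
        "v=DMARC1; p=reject; "
        "rua=mailto:agg@example.com,mailto:dmarc@reports.example,"
        "mailto:all@collector.example; "
        "ruf=mailto:forensic@otherdomain.com"
    ],
    # Consent published by reports.example specifically for example.com.
    "example.com._report._dmarc.reports.example.": ["v=DMARC1"],
    # Wildcard consent: collector.example accepts reports for any policy domain.
    "*._report._dmarc.collector.example.": ["v=DMARC1"],
    # otherdomain.com publishes no consent record at all.
}


def lookup_txt(name):
    """Return TXT strings for name, honouring a wildcard under _report._dmarc."""
    name = name.lower().rstrip(".") + "."
    if name in DNS_TXT:
        return DNS_TXT[name]
    marker = "._report._dmarc."
    if marker in name:
        # *._report._dmarc.<dest> answers for any policy domain when no exact
        # record exists (simplified DNS wildcard synthesis).
        wildcard = "*" + name[name.index(marker):]
        return DNS_TXT.get(wildcard, [])
    return []


def parse_dmarc(txt):
    """Parse 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def mailto_domains(uri_list):
    """Yield (uri, domain) for each mailto: URI in a comma-separated rua/ruf value."""
    for uri in uri_list.split(","):
        uri = uri.strip()
        if not uri.lower().startswith("mailto:"):
            continue  # only mailto: destinations are defined for DMARC reports
        addr = urlsplit(uri).path.split("!")[0]  # drop an optional size limit
        yield uri, addr.rpartition("@")[2].lower()


def destination_authorized(policy_domain, dest_domain):
    """True if reports for policy_domain may be sent to an address at dest_domain.

    Same-domain destinations need no check. (The RFC compares Organizational
    Domains via the Public Suffix List; this example compares exact domains.)
    """
    policy_domain = policy_domain.lower()
    if dest_domain == policy_domain:
        return True
    name = f"{policy_domain}._report._dmarc.{dest_domain}"
    for record in lookup_txt(name):
        if parse_dmarc(record).get("v", "").upper() == "DMARC1":
            return True
    return False


def report_destinations(policy_domain):
    """Map each rua/ruf URI of policy_domain's DMARC record to a verdict."""
    records = lookup_txt(f"_dmarc.{policy_domain}")
    tags = parse_dmarc(records[0]) if records else {}
    verdicts = {}
    for tag in ("rua", "ruf"):
        for uri, dest in mailto_domains(tags.get(tag, "")):
            ok = destination_authorized(policy_domain, dest)
            verdicts[uri] = "send" if ok else "ignore (no consent record)"
    return verdicts


if __name__ == "__main__":
    for uri, verdict in report_destinations("example.com").items():
        print(f"{uri:40} -> {verdict}")
```

Running it shows the three outcomes side by side: the internal address and the two consented external domains get "send", while forensic@otherdomain.com is ignored because otherdomain.com never published example.com._report._dmarc.otherdomain.com. The wildcard branch in lookup_txt() is also where the caveat above becomes visible: collector.example would return the same consent for any policy domain you substituted.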
No matter where you choose to receive the reports, ensure you make the best use of them. They give you valuable insights into how your email domain is being used (or rather exploited).