What DNS record is required for DMARC reports to an external domain?

Summary

To receive DMARC reports at a domain different from the sending domain, the receiving domain must explicitly authorize the report collection. It does so by publishing a specific TXT record in its DNS settings, confirming its willingness to accept DMARC reports on behalf of the sending domain. This authorization prevents potential mailbombing and guards against unauthorized use of the receiving organization's servers. No extra setup is needed if the DMARC report recipient is within the same organizational domain as the sender.

Key findings

  • TXT Record Authorization Essential: A TXT record on the receiving domain is mandatory to authorize DMARC report collection from a different sending domain.
  • Preventing Mailbombing: This TXT record also functions as a preventative measure against potential mailbombing attempts.
  • Same-Domain Exemption: If the DMARC report recipient resides within the same organizational domain as the sender, the additional TXT record is unnecessary.
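  • TXT Record DNS Setting: Publish a TXT record in the abc.com zone (the receiving domain) named example.com._report._dmarc.abc.com with the value v=DMARC1, where example.com is the sending domain.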
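
The check described above, as an added example that is not taken from any of the sources quoted on this page: it reads a sending domain's DMARC record, works out which rua/ruf destinations are external, and lists the authorization records that are missing. The two-label `org_domain` shortcut, the `lookup_txt` callable (a stand-in for a DNS resolver) and the sample record and zone are assumptions made for the illustration.

```python
def org_domain(host):
    # Assumption: the last two labels form the organizational domain.
    # Production code must consult the Public Suffix List instead.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def parse_tags(record):
    """Split a DMARC TXT value into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def report_hosts(record):
    """Destination hosts of every mailto: URI in the rua and ruf tags."""
    tags = parse_tags(record)
    hosts = []
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            uri = uri.strip()
            if uri.lower().startswith("mailto:"):
                addr = uri[7:].split("!", 1)[0]  # drop optional "!size" suffix
                host = addr.rsplit("@", 1)[-1].lower()
                if host not in hosts:
                    hosts.append(host)
    return hosts

def required_auth_records(sender, record):
    """TXT names that external report destinations must publish."""
    return [f"{sender}._report._dmarc.{host}" for host in report_hosts(record)
            if org_domain(host) != org_domain(sender)]

def missing_auth_records(sender, record, lookup_txt):
    """Names from required_auth_records() with no v=DMARC1 TXT answer.
    lookup_txt(name) is a hypothetical resolver returning a list of strings."""
    return [name for name in required_auth_records(sender, record)
            if not any(parse_tags(txt).get("v") == "DMARC1"
                       for txt in lookup_txt(name))]

# Constructed sample data: only abc.com has published the authorization.
SAMPLE_ZONE = {"example.com._report._dmarc.abc.com": ["v=DMARC1"]}
SAMPLE_RECORD = ("v=DMARC1; p=none; "
                 "rua=mailto:dmarc@abc.com,mailto:agg@reports.example.com; "
                 "ruf=mailto:forensic@other.net!10m")

if __name__ == "__main__":
    lookup = lambda name: SAMPLE_ZONE.get(name, [])
    for name in missing_auth_records("example.com", SAMPLE_RECORD, lookup):
        print("missing authorization record:", name)
```

With a real resolver in place of `lookup_txt`, the same check can run whenever a DMARC record's rua or ruf value changes, so a missing authorization is caught before reports silently stop arriving.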

Key considerations

  • Ensure Accurate TXT Setup: Verify that the TXT record is correctly formatted and implemented within the DNS settings of the receiving domain.
  • Organizational Domain Check: Confirm whether the report recipient is within the same organizational domain before proceeding with external authorization processes.
  • Security Importance: Following DMARC guidelines and correctly setting up report authorizations is critical for enhancing email security and preventing potential abuse.
  • Outsourced Service Consideration: If you use an outsourced reporting service, the provider will handle this setup; otherwise, you must publish the DNS record yourself.

What email marketers say
9 Marketer opinions

To receive DMARC reports at a domain different from the sending domain, the receiving domain must explicitly authorize the report collection by publishing a specific TXT record in its DNS settings. This record verifies the receiving domain's consent to accept DMARC reports on behalf of the sending domain. The TXT record authorises the sending of reports to it.

Key opinions

  • TXT Record Requirement: A specific TXT record needs to be created on the receiving domain's DNS to authorize DMARC report collection from the sending domain.
  • Authorization Purpose: This TXT record acts as an authorization, ensuring the receiving domain is willing to accept DMARC reports for a particular sending domain.
  • External Domain Reporting: When DMARC reports are sent to a domain different from the originating domain, explicit authorization via a DNS TXT record is mandatory.

Key considerations

  • Record Format: Ensure the TXT record on the receiving domain follows the correct format to properly authorize the sending domain for DMARC reporting.
  • Domain Ownership: Verify you have control over the DNS settings of both the sending and receiving domains to implement this authorization correctly.
  • Security Implications: Implementing this authorization helps prevent unauthorized entities from collecting DMARC reports, enhancing email security.
Marketer view

Email marketer from AuthSMTP explains that if your DMARC record is set to send reports to a different domain (i.e. not your own), the destination domain has to specifically allow that reporting. This is done by setting up a specific record in their DNS settings.

September 2022 - AuthSMTP
Marketer view

Email marketer from URIports shares that if you would like to receive aggregate reports at a different domain than your authentication domain, then you must authorize that domain for receiving your reports. This is achieved by publishing a TXT record to the DNS record of the reporting domain.

January 2022 - URIports
Marketer view

Email marketer from Valimail shares when DMARC aggregate reports are sent to a domain other than the originating domain, the receiving domain must explicitly authorize the collection of these reports through a DNS TXT record.

April 2021 - Valimail
Marketer view

Email marketer from Stack Overflow explains a DNS TXT record needs to be added to the domain that will receive the DMARC reports, to authorise receiving from the sending domain. This record confirms that the receiving domain is willing to accept DMARC reports on behalf of the sending domain.

May 2024 - Stack Overflow
Marketer view

Email marketer from MXToolbox shares if the domain which is receiving the DMARC reports (via the rua/ruf tag) is a separate domain to the domain which is using DMARC, then that receiving domain needs to publish a DNS record which authorises the sending of reports to it.

December 2022 - MXToolbox
Marketer view

Email marketer from EasyDMARC explains that if you want to receive DMARC reports from other domains, they need to authorize you to receive those reports. This is done by placing a specific TXT record in your DNS zone.

March 2023 - EasyDMARC
Marketer view

Email marketer from Reddit responds for DMARC reports to be successfully sent to an external domain, the receiving domain must authorize the sending domain via a DNS TXT record.

September 2024 - Reddit
Marketer view

Email marketer from Email Geeks explains there must be a DNS TXT record present in abc.com, as shown below: example.com._report._dmarc.abc.com, which has the value v=DMARC1

January 2022 - Email Geeks
Marketer view

Email marketer from Postmark explains if you're sending DMARC reports to a domain different from your sending domain, you need a special DNS record set up on the reporting domain to authorize this.

June 2023 - Postmark

What the experts say
6 Expert opinions

When sending DMARC reports to an external domain (a domain different from the sending domain), a TXT record must be created on the receiving domain to authorize the report collection. This announcement prevents potential mailbombing and verifies that the receiving domain consents to accept DMARC reports on behalf of the sending domain. No additional TXT record is needed if the recipient address for DMARC reports is within the same organizational domain as the DMARC record. This TXT record announcement does not affect DMARC validation. The requirement for a report address (rua) to be declared aims to prevent malicious use of the reporting mechanism.

Key opinions

  • TXT Record Authorization: A TXT record on the receiving domain is essential for authorizing DMARC report collection from a different sending domain.
  • Mailbombing Prevention: The TXT record acts as a preventative measure against potential mailbombing attempts.
  • Same Domain Exception: If the DMARC report recipient is in the same organizational domain as the sending domain, the extra TXT record is not required.
  • Report Address (rua) Declaration: Requiring the report address (rua) destination to be declared prevents malicious use of the reporting mechanism.

Key considerations

  • Correct TXT Record Setup: Ensure the TXT record is correctly formatted and implemented on the receiving domain's DNS settings.
  • Organizational Domain: Confirm whether the report recipient is within the same organizational domain before proceeding with external authorization.
  • DMARC Validation Impact: Understand that checking for external domain authorization doesn't directly impact DMARC validation.
  • Security Best Practices: Following DMARC guidelines is crucial for improving security and preventing email abuse.
Expert view

Expert from Email Geeks shares that the rua requirement is mainly there to prevent the use of rua records to mailbomb unwilling recipients, whether intentionally or otherwise.

December 2024 - Email Geeks
Expert view

Expert from Email Geeks explains that the domain receiving DMARC reports needs to announce it's prepared to receive reports about your domain to prevent mailbombing. If using an outsourced service, they'll handle setup; otherwise, you must publish a DNS record.

September 2023 - Email Geeks
Expert view

Expert from Word to the Wise explains that if you are sending your DMARC reports to a domain other than your own, you will need to create a TXT record to authorize the other domain. The TXT record specifies that the receiving domain is authorized to receive DMARC reports for the sending domain.

July 2021 - Word to the Wise
Expert view

Expert from Email Geeks shares if the recipient address for DMARC reports is in the same organizational domain as the DMARC record, you don't need the extra TXT record.

March 2021 - Email Geeks
Expert view

Expert from Email Geeks explains DMARC validators shouldn’t be affected by checking if the receiving domain has announced it is prepared to receive reports.

July 2024 - Email Geeks
Expert view

Expert from Email Geeks answers you need to publish a TXT record for the domain receiving reports, indicating it's prepared to receive DMARC reports for the other domain, as described in the RFCs.

December 2024 - Email Geeks

What the documentation says
4 Technical articles

To receive DMARC reports at a domain other than the sending domain, the reporting domain must authorize the sending domain by publishing a specific DNS TXT record. This record confirms that the reporting domain is willing to receive reports on behalf of the sending domain and prevents unauthorized use of an organization's servers.

Key findings

  • Authorization Requirement: A specific DNS record must be published by the reporting domain to authorize the sending domain to send DMARC reports.
  • TXT Record Type: The required DNS record is a TXT record.
  • Prevention of Unauthorized Use: This authorization mechanism prevents unauthorized use of an organization's servers for DMARC reporting.

Key considerations

  • Record Syntax: Ensure the correct syntax and format of the TXT record are used when configuring the authorization.
  • DNS Zone Management: Proper management of the DNS zone is crucial for implementing and maintaining the required TXT record.
  • External Reporting Setup: When configuring DMARC to send reports to an external domain, always ensure the authorization record is in place.
Technical article

Documentation from Proofpoint explains that when configuring DMARC to send reports to an external domain, the external domain has to explicitly authorise this reporting by publishing a TXT record in its DNS zone.

March 2021 - Proofpoint
Technical article

Documentation from datatracker.ietf.org shares that if the domain listed in the DMARC record's `ruf` or `rua` tag is different from the domain sending the email, a DNS record must be published at the reporting domain to authorize the collection of reports.

June 2023 - datatracker.ietf.org
Technical article

Documentation from dmarc.org explains that to receive DMARC reports at a domain other than the one sending the email, the reporting domain must authorize the sending domain by publishing a specific DNS record. This record confirms that the reporting domain is willing to receive reports on behalf of the sending domain.

April 2022 - dmarc.org
Technical article

Documentation from Red Sift shares that to use an external domain to collect DMARC reports, that external domain must have a specific TXT record in its DNS settings that authorizes the other domain to send DMARC reports to it. This prevents unauthorized use of an organization's servers.

June 2022 - Red Sift