A domain’s DMARC record can tell the world to send DMARC reports to a different domain. For example, the domain corporate.com might have a DMARC record of:
v=DMARC1; p=none; rua=mailto:reports@external.comThis DMARC record tells people to send reports regarding corporate.com to the email address of reports@external.com. But before reports are sent out, external.com must tell the world that it is OK to send corporate.com's reports to external.com. Otherwise, reports will not be sent to external.com.
Allowing “external” domains to accept DMARC reports is called “External Domain Verification”.
External Domain Verification is made possible when external.com publishes a special TXT record at a specific location in the DNS. If corporate.com tells the world to send DMARC reports to the external.com domain, people who are sending reports will look for a TXT record at this location:
corporate.com._report._dmarc.external.comand expect the result to be:
v=DMARC1In this way, the operator of external.com can explicitly tell the world that corporate.com's reports can be sent to external.com.
If you’re seeing warnings that your domain’s DMARC record is “Missing authorization for External Destination”, the fix is to either:
- Have the external destination domain publish the External Domain Verification record, or
- avoid this issue altogether by publishing your domains address directly into your DMARC record.
Feel free to contact us with any questions about the arcane topic of External Domain Verification.
