A domain’s DMARC record can tell the world to send DMARC reports to a different domain. For example, the domain
corporate.com might have a DMARC record of:
v=DMARC1; p=none; rua=mailto:firstname.lastname@example.org
This DMARC record tells people to send reports regarding
corporate.com to the email address of
email@example.com. But before reports are sent out,
external.com must tell the world that it is OK to send
corporate.com's reports to
external.com. Otherwise, reports will not be sent to
Allowing “external” domains to accept DMARC reports is called “External Domain Verification”.
External Domain Verification is made possible when external.com publishes a special TXT record at a specific location in the DNS. If corporate.com tells the world to send DMARC reports to the external.com domain, people who are sending reports will look for a TXT record at this location:
and expect the result to be:
In this way, the operator of
external.com can explicitly tell the world that
corporate.com's reports can be sent to
If you’re seeing warnings that your domain’s DMARC record is “Missing authorization for External Destination”, the fix is to either:
- Have the external destination domain publish the External Domain Verification record, or
- avoid this issue altogether by publishing your domains address directly into your DMARC record.
Feel free to contact us with any questions about the arcane topic of External Domain Verification.