Missing DMARC reports? You might be missing a DNS record.

As people move beyond Sender Policy Framework (SPF) records to DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC), there is a special “trick” that may escape you when setting up the DNS records for the first time.

Say for example you have 3 domains:

domain1.com

domain2.com

domain3.com

You work with your various vendors and come up with the necessary TXT records to handle the SPF & DKIM records – that all appears to be fine.

You set up a DMARC TXT record that looks like this for all of the domains:

_dmarc.domain1.com

v=DMARC1; p=none; rua=mailto:john@domain1.com; ruf=mailto:john@domain1.com

_dmarc.domain2.com

v=DMARC1; p=none; rua=mailto:john@domain1.com; ruf=mailto:john@domain1.com

_dmarc.domain3.com

v=DMARC1; p=none; rua=mailto:john@domain1.com; ruf=mailto:john@domain1.com

You start getting the daily reports regarding emails sent from domain1.com. But you’re not getting any reports regarding domain2.com or domain3.com. Why is that? It is because you didn’t specify that domain1.com is OK with receiving reports for domain2.com or domain3.com. Without that confirmation published in domain1.com’s DNS, report senders treat the address as unauthorized and do not send the domain2.com and domain3.com reports to domain1.com.

What can be done to resolve this issue?

The first option would be to have domain2.com reference an email address in its own domain, such as

_dmarc.domain2.com

v=DMARC1; p=none; rua=mailto:john@domain2.com; ruf=mailto:john@domain2.com

That way, it’ll be authorized to receive those mails.  And if the email is an alias on the same mailbox, they still all land in the expected home.

However, you may want to simply use one email address for everything.  To do that, you need to add another TXT record.

domain2.com._report._dmarc.domain1.com

v=DMARC1

This puts a TXT record in domain1.com that says it will accept DMARC reports for domain2.com.

Putting it all together, if you wanted to use 1 email address for all 3 domains, you’d have the following:

_dmarc.domain1.com

v=DMARC1; p=none; rua=mailto:john@domain1.com; ruf=mailto:john@domain1.com

_dmarc.domain2.com

v=DMARC1; p=none; rua=mailto:john@domain1.com; ruf=mailto:john@domain1.com

_dmarc.domain3.com

v=DMARC1; p=none; rua=mailto:john@domain1.com; ruf=mailto:john@domain1.com

domain2.com._report._dmarc.domain1.com

v=DMARC1

domain3.com._report._dmarc.domain1.com

v=DMARC1

Problem solved!
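To check a set of records for this gap before waiting a day for reports that never arrive, here is an added example (not part of the original post) that lists the `_report._dmarc` names a zone still needs. It runs against a constructed, in-memory copy of the records above with the domain3.com authorization deliberately left out, and as a simplifying assumption it compares full domain names rather than Organizational Domains.

```python
# Constructed sample zone: TXT values keyed by owner name (not live DNS data).
ZONE = {
    "_dmarc.domain1.com": "v=DMARC1; p=none; rua=mailto:john@domain1.com; ruf=mailto:john@domain1.com",
    "_dmarc.domain2.com": "v=DMARC1; p=none; rua=mailto:john@domain1.com; ruf=mailto:john@domain1.com",
    "_dmarc.domain3.com": "v=DMARC1; p=none; rua=mailto:john@domain1.com!10m; ruf=mailto:john@domain1.com",
    "domain2.com._report._dmarc.domain1.com": "v=DMARC1",
}

def parse_tags(txt):
    """Split a DMARC TXT value into a {tag: value} dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def report_domains(txt):
    """Return the set of domains named in the rua/ruf mailto: URIs."""
    tags = parse_tags(txt)
    domains = set()
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            uri = uri.strip().split("!", 1)[0]  # drop optional size limit such as "!10m"
            if uri.lower().startswith("mailto:") and "@" in uri:
                domains.add(uri.rsplit("@", 1)[1].lower().rstrip("."))
    return domains

def missing_authorizations(zone):
    """List the <policy>._report._dmarc.<receiver> names that should exist but do not."""
    missing = []
    for name, txt in zone.items():
        if not name.startswith("_dmarc."):
            continue  # only policy records are inspected
        policy_domain = name[len("_dmarc."):]
        for receiver in report_domains(txt):
            if receiver == policy_domain:
                continue  # reports stay in the same domain: no extra record needed
            auth_name = f"{policy_domain}._report._dmarc.{receiver}"
            if parse_tags(zone.get(auth_name, "")).get("v") != "DMARC1":
                missing.append(auth_name)
    return sorted(missing)

if __name__ == "__main__":
    for name in missing_authorizations(ZONE):
        print(f'MISSING  {name}  TXT "v=DMARC1"')
```

To run it against real domains, replace `ZONE` with the TXT values returned by your DNS lookups for the same owner names.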

If you need any additional help in protecting your email identity or any other mail related concerns, email info@peters.com. We are happy to help.

September 26th, 2018 (2018-10-03T11:55:07+00:00) | IT Infrastructure Services
