How do i receive DMARC reports with external domains that i have no permission to control

ShenLin

1/10/24, 7:08 AM

I want to receive reports with gmail or outlook or anything else that i have no permission to add (mydomain.com)._report._dmarc.(gmail|outlook).com as a record. What i can do? Example just like:

v=DMARC1; p=quarantine; rua=mailto:[email protected]; [email protected]; fo=1; aspf=s;

Then i as it must be have no permission to add an txt record for gmail.com.

PS: I know i can just set my record as this without really set for gmail.com, then google will continue reports dmarc, without any issue, but mxtoolbox always reporting with DMARC External Validation Error, it must be against the RFC. So i am asking this.

210

1 + 1

domain-name-system

spf

dkim

dmarc

Reinto

1/10/24, 11:40 AM

It is the sender of the reports that will be in violation of the RFC when it sends to recipients in the `rua` or `ruf` tag, without verifying if indeed the receiving domain allows reports on behalf of the domain being reported on.

Score:3

Server

Esa Jokinen

1/10/24, 8:40 AM

You cannot, as explained in RFC 7489, 7.1:

Without checks, this would allow a bad actor to publish a DMARC policy record that requests that reports be sent to a victim address, and then send a large volume of mail that will fail both DKIM and SPF checks to a wide variety of destinations; the victim will in turn be flooded with unwanted reports. Therefore, a verification mechanism is included.

You could request the reports to an email address within the same domain or another domain you can control. Then, you could forward the reports to Gmail, acknowledging that the forwarded mail might not pass DMARC without a DKIM signature.

+ 1

Reinto

1/10/24, 11:44 AM

Unforutnately, not many reporting servers check for this permission. Also, the RFC is using vague terms like 'are to be' and 'is enacted', instead of using the proper terminoligy as describedi n the KEYWORDS rfc. (MUST, MUST NOT, SHOULD etc.) https://www.rfc-editor.org/rfc/rfc7489.html#section-3

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: How do i receive DMARC reports with external domains that i have no permission to control

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.