Score:1

Apparent DMARC External Validation query failure


I've got multiple domains hosted on a single Linode instance. As a result of some routine anti-spam checking the wonderful mxtoolbox (no affiliation) reports this:

DMARC External Validation   External Domains in your DMARC are not giving permission for your reports to be sent to them.

The domain in question publishes this TXT record:

_dmarc  "v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected];"

mailserver.net publishes the following as a TXT record (key/value pairs shown):

*._report._dmarc.mailserver.net "v=DMARC1;"

which, as far as I can tell, ticks all the boxes.

What have I missed?

MTIA

anx
Please [clarify your question](https://serverfault.com/posts/1122322/edit). What is `*` supposed to mean?
anx
In some DNS editors, you can easily inadvertently add a record below your domain, when you meant to input the entire name (a trailing dot would clarify). Please share the domain so I can look up the record, or share the command (e.g. `dig TXT orgdomain.tld._report._dmarc.mailserver.example.`) used and the output of the relevant lookup that makes you believe the record is configured the way you think. You may [mask private details that identify you (globally routable IP addresses, DNS names)](https://meta.serverfault.com/a/6063), but make sure it stays consistent.
Patrick Mevzek
@anx `*` is the DNS wildcard. It doesn't mean anything except just itself and exists as is in a zonefile.
Reinto
I share @anx's direction of thought: Do you have any explicit domains in your zone `_report._dmarc.mailserver.net` listed? This also breaks any lookups that share the tld of that domain in my opinion. More on wildcards in DNS at https://datatracker.ietf.org/doc/html/rfc4592#section-2.2
Score:0

My attempts to fix this problem were based on the answer provided by mxtoolbox.com, from which I quote:

In the majority of cases the recipient domain will create a wild card record, which essentially means the domain is willing to receive DMARC reports for ANY domain. A wildcard record would look like this: *._report._dmarc.example.com with a value of "v=DMARC1"

As it stands the answer is now moot, as the test tool is giving the green light to all related DNS entries.

It occurred to me that having the wildcard DMARC report entry was a bad idea, as, theoretically, anyone could use the mail server as the destination. The wildcard is now replaced by per-domain entries.

Reinto
I believe the wildcard entry should have passed the DMARC External Validation test. While your conclusion is correct, the unfortunate truth is that very few report generators actually query the _report entries for rua recipients. They just send the report regardless.
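To make the check the question and the comments are discussing concrete, here is an added example (not code from this thread, mxtoolbox, or any DNS tool): an offline model of the RFC 7489 section 7.1 external report authorization lookup, including RFC 4592 wildcard matching, run over a constructed TXT zone. All domain names (mailserver.example, example.net, example.org) are assumptions, and the organizational-domain logic is deliberately simplified to the last two labels.

```python
# Added example, not code from the thread: an offline model of the DMARC
# external report authorization check (RFC 7489 section 7.1) over a
# constructed TXT zone. Every domain name below is an assumption.
from typing import Dict, List, Optional
# Constructed zone of the report receiver: the wildcard opt-in from the
# question plus an explicit per-domain opt-in as used in the answer.
ZONE: Dict[str, List[str]] = {
    "*._report._dmarc.mailserver.example": ["v=DMARC1;"],
    "example.net._report._dmarc.mailserver.example": ["v=DMARC1;"],
}

def org_domain(name: str) -> str:
    # Simplification: last two labels. Real code must use the Public Suffix List.
    return ".".join(name.rstrip(".").lower().split(".")[-2:])

def lookup_txt(zone: Dict[str, List[str]], name: str) -> Optional[List[str]]:
    """Exact match, else RFC 4592 wildcard synthesis: only a wildcard directly
    under the closest existing ancestor of the queried name applies."""
    if name in zone:
        return zone[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        # A name exists if it owns records or is an ancestor of an owner.
        if any(o == ancestor or o.endswith("." + ancestor) for o in zone):
            return zone.get("*." + ancestor)  # None here means NXDOMAIN
    return None

def parse_dmarc(record: str) -> Dict[str, str]:
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}

def report_domains(tags: Dict[str, str], tag: str) -> List[str]:
    # mailto: URIs only; drop any "!size" suffix and keep the host part.
    uris = [u.strip() for u in tags.get(tag, "").split(",")]
    addrs = [u[7:].split("!", 1)[0] for u in uris if u.startswith("mailto:")]
    return [a.rsplit("@", 1)[1].lower() for a in addrs if "@" in a]

def check_external_authorization(zone, sender: str, record: str) -> Dict[str, bool]:
    """Map each rua/ruf destination domain to whether it has opted in."""
    tags, result = parse_dmarc(record), {}
    for tag in ("rua", "ruf"):
        for dest in report_domains(tags, tag):
            if org_domain(dest) == org_domain(sender):
                result[dest] = True  # same organization: no opt-in needed
                continue
            txt = lookup_txt(zone, f"{org_domain(sender)}._report._dmarc.{dest}") or []
            result[dest] = any(t.strip().lower().startswith("v=dmarc1") for t in txt)
    return result
```

Querying `sub.example.net._report._dmarc.mailserver.example` against ZONE returns nothing, which is the RFC 4592 effect Reinto alludes to: an explicit name below the wildcard's parent shadows the wildcard for everything beneath it.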