External Domains in Your DMARC Are Not Giving Permission for Your Reports to Be Sent to Them

Introduction

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an email authentication protocol designed to give email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing. The purpose of DMARC is to improve and ensure email security by preventing these fraudulent activities. However, implementing DMARC can sometimes lead to complications, such as issues with receiving aggregate reports. This knowledge base article addresses a common problem where external domains in your DMARC record do not give permission for your reports to be sent to them.

Understanding the Issue

A customer reports not receiving their DMARC aggregate reports. Upon investigation, a diagnostic tool flagged the cause: "external domains in your DMARC are not giving permission for your reports to be sent to them." This situation typically arises when the DMARC record lists a report address whose domain differs from the domain publishing the record, and that external domain has not published the DNS record that authorizes it to receive reports on the publishing domain's behalf.

Scenario Overview

  • Complaint: The customer is not seeing their DMARC aggregate reports.
  • Symptom Identified: The tool indicates that external domains in the DMARC record are not granting permission for reports to be forwarded to them.
  • Example DMARC Record: v=DMARC1; p=none; rua=mailto:87afed6d6ba5.a@dmarcinput.com,mailto:dmarc@externaldomain.com; ruf=mailto:87afed6d6ba5.f@dmarcinput.com; fo=1
  • Observation: Although the DMARC record appears correctly configured in the diagnostic tool, the issue of permission for report delivery persists.

Root Cause Analysis

The root cause of the problem is the use of an email address from an external domain (externaldomain.com) in the DMARC record of example.com for receiving DMARC reports. DMARC requires that the domain of a report address either belong to the same organizational domain as the domain publishing the record, or explicitly authorize that domain. In practice, a report-generating receiver performs the external destination verification described in RFC 7489 section 7.1: it queries DNS for a TXT record at example.com._report._dmarc.externaldomain.com and expects it to contain "v=DMARC1". If that record is missing, the receiver treats the destination as unauthorized and does not send aggregate reports to it.

Resolution Steps

  1. Verify DMARC Record: Ensure that your DMARC record is correctly published in your DNS. The record should include valid rua (addresses to which aggregate feedback is sent) and ruf (addresses to which message-specific forensic information is sent) email addresses.
  2. Align Email Domains: Change the rua and ruf email addresses in your DMARC record to addresses that belong to your own domain, and keep the dmarcinput.com addresses in the rua and ruf fields. This ensures alignment and avoids permission issues.
  3. Adjust External Domain Records: The entry for the external domain should either be removed or changed to dmarc@domain.com, where domain.com matches the domain where the record is published.
  4. Contact External Domain Administrator: If necessary, reach out to the administrator of the external domain to request that they authorize your domain to send DMARC reports to them (the authorization is a DNS TXT record published under _report._dmarc in their zone).
  5. Use Third-party DMARC Reporting Services: Consider using a third-party DMARC reporting service that can aggregate and analyze DMARC reports on your behalf. These services often have mechanisms to handle domain permissions more seamlessly.
  6. Monitor DMARC Reports: After making the necessary adjustments, monitor your DMARC reports to ensure that you are now receiving them as expected.
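The following is an added example, not part of this article or of any vendor's tooling, that performs the same check the diagnostic tool did: it parses the record from the scenario above, finds every rua/ruf destination outside the publishing domain's organizational domain, and looks up the RFC 7489 section 7.1 authorization record for each. DNS is replaced by a constructed in-memory table (FAKE_DNS) in which dmarcinput.com is assumed to have published its authorization and externaldomain.com is assumed not to have; the organizational-domain check is simplified to the last two labels.

```python
"""Check whether rua/ruf destinations in a DMARC record are authorized
(RFC 7489 section 7.1, external destination verification)."""

# Constructed stand-in for DNS TXT lookups (assumption: a real check would query DNS).
FAKE_DNS = {
    # dmarcinput.com is assumed to have authorized reports for example.com.
    "example.com._report._dmarc.dmarcinput.com": "v=DMARC1",
    # externaldomain.com has published no such record, so it is not authorized.
}

# The record from the scenario in this article.
EXAMPLE_RECORD = ("v=DMARC1; p=none; rua=mailto:87afed6d6ba5.a@dmarcinput.com,"
                  "mailto:dmarc@externaldomain.com; "
                  "ruf=mailto:87afed6d6ba5.f@dmarcinput.com; fo=1")

def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict of lowercase tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def mailto_domains(tag_value):
    """Return the domain of every mailto: URI in a rua/ruf value.
    A trailing '!10m' size limit is stripped before parsing."""
    domains = []
    for uri in tag_value.split(","):
        uri = uri.strip().split("!")[0]
        if uri.lower().startswith("mailto:") and "@" in uri:
            domains.append(uri.rsplit("@", 1)[1].lower())
    return domains

def org_domain(name):
    # Simplification (assumption): organizational domain = last two labels.
    return ".".join(name.rstrip(".").lower().split(".")[-2:])

def check_destinations(policy_domain, record, dns=FAKE_DNS):
    """Return {destination_domain: 'internal' | 'authorized' | 'not authorized'}."""
    result = {}
    tags = parse_dmarc(record)
    for tag in ("rua", "ruf"):
        for dest in mailto_domains(tags.get(tag, "")):
            if org_domain(dest) == org_domain(policy_domain):
                result[dest] = "internal"  # same organization, no verification needed
                continue
            txt = dns.get(f"{policy_domain}._report._dmarc.{dest}")
            ok = txt is not None and txt.strip().lower().startswith("v=dmarc1")
            result[dest] = "authorized" if ok else "not authorized"
    return result
```

Running check_destinations("example.com", EXAMPLE_RECORD) reports dmarcinput.com as authorized and externaldomain.com as not authorized, which is exactly the condition the diagnostic tool flagged.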

Conclusion

DMARC is a critical component of email security, but its effectiveness is contingent upon correct configuration and domain alignment. When external domains are used in a DMARC record, it is essential to ensure that these domains have granted permission for reports to be sent to them. By following the resolution steps outlined above, you can address issues related to permission for DMARC report delivery and enhance the security of your email communications.