
I've got multiple domains hosted on a single Linode instance. As a result of some routine anti-spam checking the wonderful mxtoolbox (no affiliation) reports this:

DMARC External Validation   External Domains in your DMARC are not giving permission for your reports to be sent to them.

The domain in question publishes this TXT record:

_dmarc  "v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected];"

mailserver.net publishes the following as a TXT record (key/value pairs shown):

*._report._dmarc.mailserver.net "v=DMARC1;"

which, as far as I can tell, ticks all the boxes.

What have I missed?

MTIA

  • Please clarify your question. What is * supposed to mean?
    – anx
    Commented Feb 9, 2023 at 1:56
  • In some DNS editors, you can easily inadvertently add a record below your domain, when you meant to input the entire name (a trailing dot would clarify). Please share the domain so I can lookup the record, or share the command (e.g. dig TXT orgdomain.tld._report._dmarc.mailserver.example.) used and output of the relevant lookup that makes you believe the record is configured the way you think. You may mask private details that identify you (globally routable IP addresses, DNS names), but make sure it stays consistent.
    – anx
    Commented Feb 9, 2023 at 2:39
  • @anx * is the DNS wildcard. It doesn't mean anything except just itself and exists as is in a zonefile.
    Commented Feb 9, 2023 at 3:54
  • I share @anx direction of thought: Do you have any explicit domains in your zone _report._dmarc.mailserver.net listed? This also breaks any lookups that share the tld of that domain in my opinion. More on wildcards in DNS at datatracker.ietf.org/doc/html/rfc4592#section-2.2
    – Reinto
    Commented Feb 9, 2023 at 5:49

1 Answer


My attempts to fix this problem were based on the answer provided by mxtoolbox.com, from which I quote:

In the majority of cases the recipient domain will create a wild card record, which essentially means the domain is willing to receive DMARC reports for ANY domain. A wildcard record would look like this: *._report._dmarc.example.com with a value of "v=DMARC1"

As it stands the answer is now moot, as the test tool is giving the green light to all related DNS entries.

It occurred to me that having the wildcard DMARC report entry was a bad idea, as, theoretically, anyone could use the mail server as the destination. The wildcard is now replaced by per-domain entries.

  • I believe the wildcard entry should have passed the DMARC External Validation test. While your conclusion is correct, the unfortunate truth is that very few report generators actually query the _report entries for rua recipients. They just send the report regardless.
    – Reinto
    Commented Feb 10, 2023 at 13:53
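The authorization check the answer and the comments discuss (RFC 7489 section 7.1: a report receiver must publish `<policy-domain>._report._dmarc.<receiver-domain>` with `v=DMARC1`), as an added worked example that is not part of the original thread or of any tool. The zone below is constructed in memory; all names in it are hypothetical. It shows the explicit per-domain record, the wildcard, the RFC 4592 pitfall Reinto raises (an explicit record creates an empty non-terminal that stops the wildcard matching other domains under the same TLD), and the misplaced record anx describes.

```python
"""Offline check of DMARC external-report authorization (RFC 7489 section 7.1).

ZONE is a constructed, in-memory stand-in for DNS; names are fully qualified
without the trailing dot. Wildcard matching follows RFC 4592: a wildcard only
applies when no name (not even an empty non-terminal) exists between the
query name and the wildcard's parent.
"""

ZONE = {
    # Receiver 1: one explicit per-domain authorization plus a wildcard.
    "orgdomain.example._report._dmarc.mailserver.example": ["v=DMARC1;"],
    "*._report._dmarc.mailserver.example": ["v=DMARC1;"],
    # Receiver 2: the admin meant "*._report._dmarc.reports.example" but the DNS
    # editor appended the zone name, so the record sits under orgdomain.example.
    "*._report._dmarc.reports.example.orgdomain.example": ["v=DMARC1;"],
}


def lookup_txt(name):
    """Return the TXT strings for name, synthesising wildcard answers per RFC 4592."""
    if name in ZONE:
        return ZONE[name]

    def exists(n):  # a name exists if it is an owner name or an ancestor of one
        return any(z == n or z.endswith("." + n) for z in ZONE)

    if exists(name):                      # empty non-terminal: exists, but has no TXT
        return []
    labels = name.split(".")
    for i in range(1, len(labels)):       # walk upward to the closest encloser
        ancestor = ".".join(labels[i:])
        if exists(ancestor):
            return ZONE.get("*." + ancestor, [])
    return []


def report_authorized(org_domain, rua_address):
    """True if the mailbox in rua_address may receive reports about org_domain."""
    rua_domain = rua_address.split("@", 1)[1].lower()
    if rua_domain == org_domain.lower():  # same domain: no external check needed
        return True                       # (the RFC compares Organizational Domains)
    name = f"{org_domain.lower()}._report._dmarc.{rua_domain}"
    return any(t.strip().lower().startswith("v=dmarc1") for t in lookup_txt(name))


if __name__ == "__main__":
    for org, rua in [
        ("orgdomain.example", "dmarc@mailserver.example"),  # explicit record: authorized
        ("other.test", "dmarc@mailserver.example"),          # wildcard: authorized
        ("other.example", "dmarc@mailserver.example"),       # blocked by the ENT "example._report..."
        ("other.test", "dmarc@reports.example"),             # misplaced record: not authorized
    ]:
        print(org, "->", rua, report_authorized(org, rua))
```

Against a live zone, the same query names can be issued with `dig TXT <name>` as anx suggests; the function here only replaces the lookup with the constructed table.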
