2

I want to receive reports with Gmail or Outlook or anything else where I have no permission to add (mydomain.com)._report._dmarc.(gmail|outlook).com as a record. What can I do? For example, just like:

v=DMARC1; p=quarantine; rua=mailto:[email protected]; [email protected]; fo=1; aspf=s;

Then I, as it must be, have no permission to add a TXT record for gmail.com.

PS: I know I can just set my record like this without really setting it for gmail.com, and then Google will continue to send DMARC reports without any issue, but MXToolbox always reports a DMARC External Validation Error; it must be against the RFC. So I am asking this.

1
  • It is the sender of the reports that will be in violation of the RFC when it sends to recipients in the rua or ruf tag, without verifying if indeed the receiving domain allows reports on behalf of the domain being reported on.
    – Reinto
    Commented Jan 10, 2023 at 11:40

1 Answer

4

You cannot, as explained in RFC 7489, 7.1:

Without checks, this would allow a bad actor to publish a DMARC policy record that requests that reports be sent to a victim address, and then send a large volume of mail that will fail both DKIM and SPF checks to a wide variety of destinations; the victim will in turn be flooded with unwanted reports. Therefore, a verification mechanism is included.

You could request the reports to an email address within the same domain or another domain you can control. Then, you could forward the reports to Gmail, acknowledging that the forwarded mail might not pass DMARC without a DKIM signature.

1
  • Unfortunately, not many reporting servers check for this permission. Also, the RFC is using vague terms like 'are to be' and 'is enacted', instead of using the proper terminology as described in the KEYWORDS RFC. (MUST, MUST NOT, SHOULD etc.) rfc-editor.org/rfc/rfc7489.html#section-3
    – Reinto
    Commented Jan 10, 2023 at 11:44
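
The verification mechanism from RFC 7489, 7.1 that the answer cites, as an added example that is not part of the original answer or comments: for each rua/ruf destination outside the policy domain, a report sender looks up a TXT record at `<policy domain>._report._dmarc.<destination host>` and accepts it only if it starts with `v=DMARC1`. The mailbox addresses, the `reports.example` domain and the `ZONE` dictionary are constructed sample data, and the same-domain test is a plain suffix comparison standing in for the RFC's Organizational Domain lookup.

```python
def parse_tags(record):
    """Split a DMARC-style TXT record into ordered (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        if "=" in part:
            tag, value = part.split("=", 1)
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def report_hosts(record):
    """Destination hosts of every mailto: URI in the rua and ruf tags."""
    hosts = []
    for tag, value in parse_tags(record):
        if tag in ("rua", "ruf"):
            for uri in value.split(","):
                uri = uri.strip().split("!")[0]  # drop optional "!10m" size limit
                if uri.lower().startswith("mailto:") and "@" in uri:
                    hosts.append(uri.rsplit("@", 1)[1].lower())
    return hosts

def is_valid_authorization(txt):
    """The authorization record must carry v=DMARC1 as its first tag."""
    tags = parse_tags(txt)
    return bool(tags) and tags[0] == ("v", "DMARC1")

def check_destinations(policy_domain, record, lookup_txt):
    """Classify each report destination; lookup_txt(name) returns TXT strings."""
    policy_domain = policy_domain.lower()
    results = {}
    for host in report_hosts(record):
        # Simplification (assumption): suffix match instead of a PSL lookup.
        if host == policy_domain or host.endswith("." + policy_domain):
            results[host] = "same-domain"
            continue
        qname = f"{policy_domain}._report._dmarc.{host}"
        ok = any(is_valid_authorization(t) for t in lookup_txt(qname))
        results[host] = "authorized" if ok else "unauthorized"
    return results

# Constructed sample data: only reports.example has published an authorization.
ZONE = {"mydomain.com._report._dmarc.reports.example": ["v=DMARC1"]}
RECORD = ("v=DMARC1; p=quarantine; "
          "rua=mailto:dmarc@mydomain.com,mailto:agg@reports.example!10m; "
          "ruf=mailto:someone@gmail.com; fo=1; aspf=s;")

def lookup(name):
    """Offline stand-in for a DNS TXT query against the constructed zone."""
    return ZONE.get(name.lower(), [])

if __name__ == "__main__":
    for host, verdict in check_destinations("mydomain.com", RECORD, lookup).items():
        print(f"{host}: {verdict}")
```

A destination reported as unauthorized here is the condition a checker flags as an external validation error; only the operator of the destination domain can publish the record that clears it.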
