Previously we looked at how to use nslookup to retrieve the main Domain-based Message Authentication, Reporting and Conformance (DMARC) DNS record. One of the often overlooked, behind-the-scenes aspects of DMARC is that a 3rd party DMARC provider has to actually grant permission for DMARC reports to be sent to them for a given domain. Without that permission, email service providers will not send DMARC RUA and RUF reports to the reporting service.
This is a separate DNS record from the main DMARC DNS record that most posts discuss. An example of that “regular” DMARC record would be something like the below in an organisation’s public DNS zone file:
v=DMARC1; p=reject; pct=100; rua=mailto:oyylfe6e@ag.us.dmarcian.com,mailto:rua@wingtiptoys.ca; ruf=mailto:ruf@wingtiptoys.ca; aspf=s; adkim=s; fo=1
Basic DMARC Record Check
If you’d like to review the full article, please navigate here. The below is the query used to retrieve a domain's DMARC TXT record using nslookup:
nslookup.exe -q=txt _DMARC.Wingtiptoys.ca
In this example, Dmarcian is where the RUF and RUA reports are being sent. There are many other services such as Valimail, MXToolbox etc. You can also send reports to one of your mailboxes and use a reporting solution to parse the contents. But then you are on the hook for having to manage that. For extreme volume that may be viable, but for most organisations a regular commercial solution is preferred.
Now that we have looked at the regular DMARC record, what about the EDV?
External Domain Validation DMARC Authorisation Record
The targeted domain is wingtiptoys.ca and the example scenario is that a spammer tries to send an email to a valid recipient billg@Yahoo using the spoofed address user-1@wingtiptoys.ca.
Yahoo's mail servers will perform sender authentication checks on SPF, DKIM and DMARC. DMARC alignment will fail as neither the SPF nor the DKIM domain matches the domain in the RFC 5322 From header. Yahoo will then want to send the RUA report to the mailbox that is specified in the wingtiptoys.ca DMARC record.
Dmarcian needs to publish a DNS record stating that email providers are allowed to send DMARC reports to the specified address of
mailto:oyylfe6e@ag.us.dmarcian.com
We can query the ag.us.dmarcian.com domain for the presence of the EDV record:
nslookup.exe -q=txt wingtiptoys.ca._report._dmarc.ag.us.dmarcian.com
In this example the reporting entity (Dmarcian) states it is willing to accept the DMARC reports for the given domain - wingtiptoys.ca
As noted above, before email providers send DMARC reports they will verify the presence of this EDV record. If the record exists and its value is set to "v=DMARC1" the report will be sent. Otherwise the DMARC report will not be sent.
The EDV must be configured per domain. It is possible to publish a wildcard record instead, but this is not something you would expect to see from a commercial service, as they will want to restrict delivery to their own customers only. For a hypothetical provider reportingservice.com that accepts reports for any domain, the wildcard record name would be:
*._report._dmarc.reportingservice.com
The general form of the per-domain record name is:
<Subscriber-Domain>._report._dmarc.<ReportingServiceName>.com
Replace <Subscriber-Domain> with the customer's domain.
Replace <ReportingServiceName>.com with the DMARC provider's domain.
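To show the EDV check end to end, the following added example (not part of the original post) parses a domain's DMARC record, pulls out every rua/ruf mailto destination, and for each external destination builds and looks up the <policy-domain>._report._dmarc.<destination-domain> name as RFC 7489 section 7.1 describes. It assumes a constructed in-memory TXT table in place of live DNS; the wildcard handling in lookup_txt is a simplified approximation of DNS wildcard matching.

```python
import re

# Constructed in-memory DNS TXT table used instead of real lookups (sample data only).
FAKE_TXT = {
    "_dmarc.wingtiptoys.ca": [
        "v=DMARC1; p=reject; pct=100; rua=mailto:oyylfe6e@ag.us.dmarcian.com,"
        "mailto:rua@wingtiptoys.ca; ruf=mailto:ruf@wingtiptoys.ca; aspf=s; adkim=s; fo=1"
    ],
    # EDV record the reporting service publishes for this subscriber domain
    "wingtiptoys.ca._report._dmarc.ag.us.dmarcian.com": ["v=DMARC1"],
}


def lookup_txt(name, table=FAKE_TXT):
    """Return TXT strings for a name; falls back to '*.<suffix>' wildcard entries."""
    if name in table:
        return table[name]
    labels = name.split(".")
    for i in range(1, len(labels)):           # approximate DNS wildcard matching
        candidate = "*." + ".".join(labels[i:])
        if candidate in table:
            return table[candidate]
    return []


def report_addresses(dmarc_record):
    """Extract mailto: destinations from the rua= and ruf= tags of a DMARC record."""
    found = {}
    for tag in ("rua", "ruf"):
        m = re.search(r"\b%s=([^;]+)" % tag, dmarc_record)
        uris = [u.strip() for u in m.group(1).split(",")] if m else []
        # drop the optional "!size" suffix that a mailto URI may carry
        found[tag] = [u[len("mailto:"):].split("!")[0] for u in uris if u.startswith("mailto:")]
    return found


def check_edv(policy_domain, table=FAKE_TXT):
    """Map each report address to 'same-domain', 'ok' (EDV present) or 'missing'."""
    record = " ".join(lookup_txt("_dmarc." + policy_domain, table))
    results = {}
    for addrs in report_addresses(record).values():
        for addr in addrs:
            dest_domain = addr.rsplit("@", 1)[1].lower()
            if dest_domain == policy_domain.lower():   # internal mailbox: no EDV needed
                results[addr] = "same-domain"
                continue
            edv_name = "%s._report._dmarc.%s" % (policy_domain.lower(), dest_domain)
            txt = lookup_txt(edv_name, table)
            ok = any(t.strip().lower().startswith("v=dmarc1") for t in txt)
            results[addr] = "ok" if ok else "missing"
    return results
```

Swapping lookup_txt for a real resolver call turns this into a pre-flight check to run before pointing rua/ruf at a new provider.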
Addendum
If you are reading this because there was an issue receiving DMARC reports for one of your domains, one common question is: now that the issue has been identified and resolved, how quickly will I see data? That's consultant's answer #1 - it depends...
Email service providers typically send reports once a day. Yes, you can define the reporting interval (ri=) in your DMARC record, but that is often ignored to help conserve resources. While you may expect to obtain RUA reports from all email service providers, not all of them will send RUF. As an added factor, many commercial DMARC services want extra monies to parse and display the RUF responses. Double check the details if you are using a commercial service.
If you are having problems *, ensure that the actual DMARC record is correct as that is the most common issue. Also DMARC records for a given domain follow the Highlander principle - There can be only one!
Cheers,
Rhoderick
* - I feel bad for you son