A domain's DMARC record can tell the world to send DMARC reports to a different domain. For example, the domain example.org might have a DMARC record of:
v=DMARC1; p=none; rua=mailto:email@example.com
This DMARC record tells people to send reports regarding example.org to the email address of "firstname.lastname@example.org". Before reports are sent, sample.net must tell the world that it is OK to send example.org's reports to sample.net. Otherwise, reports will not be sent to sample.net.
Allowing "external" domains to accept DMARC reports is called "External Domain Verification".
For those who like too much information, the DMARC RFC describes in detail how report generators determine if sample.net is allowed to receive reports related to example.org.
External Domain Verification is made possible when sample.net publishes a special TXT record at a specific location in the DNS. If example.org tells the world to send DMARC reports to the sample.net domain, people who are sending reports will look for a TXT record at this location:
..and expect the result to be:
In this way, the operator of sample.net can explicitly tell the world that example.org's reports can be sent to sample.net.
dmarcian process data for an enormous number of domains and automatically adds the External Domain Verification record as needed. This is how people can use dmarcian to process DMARC data by directly inserting a dmarcian reporting addressing into a DMARC record.
If you're seeing warnings that your domain's DMARC record is "Missing authorization for External Destination", the fix is to either:
- Have the external destination domain publish the External Domain Verification record, or
- avoid this issue altogether by publishing your dmarcian reporting address directly into your DMARC record.
Feel free to contact us with any questions about the arcane topic of External Domain Verification.