5

I'm trying to implement DMARC for a domain and the address specified in the rua tag is my own personal email for convenience. I have been receiving aggregate reports only from a handful of ESPs, and all of them minor ones. Notably, I'm receiving nothing from Gmail, though I know I'm sending thousands of emails to Gmail addresses daily.

Then, I noticed that DMARC inspector complains about the mismatch between the domain and the domain of the rua email. Could this be the cause of the problem? The DMARC specification itself explicitly states that such a mismatch is not forbidden. Google's article on DMARC specifies nothing either way.

If it's not this, what could be the problem?

Bintz
  • Unfortunately Google has a variety of implementation mistakes in SPF, DKIM and DMARC. You may have run into yet another one. – Michael Hampton Jan 10 '17 at 21:30
  • May be similar - https://dmarc.org/wiki/FAQ#I_published_a_DMARC_record_with_reports_going_to_another_domain.2C_but_none_seem_to_be_received – pete Jan 10 '17 at 21:34
  • Not sure about Gmail's behavior, but do you actually have the TXT record under the recipient domain that is the requirement for this case according to the DMARC spec? https://tools.ietf.org/html/rfc7489#section-7.1 – Håkan Lindqvist Jan 10 '17 at 21:35
  • Huh, I missed that. I read the DMARC specification linked to from Google's help center, and that is an older version that doesn't specify this mechanism. In fact, it essentially says "since the reports are sent once a day, the volume of aggregate reports shouldn't present a DDoS hazard, so nothing like this is necessary". Google really seems to have dropped the ball on this one. If you write this up as an answer, Hakan, I will select it. – Bintz Jan 10 '17 at 22:31

1 Answer

7

First of all, I don't know if there are any issues specific to how Gmail handles this.

Generally, however, while the DMARC spec does allow for reports to be sent to an external address, it also has additional validation steps for this scenario in order to limit abuse.

The report recipient domain should have a special record in place to indicate that it wants to accept DMARC reports regarding this other domain, and before accepting such a report recipient address, the presence of this record should be validated.

Example from the DMARC spec:

For example, if a DMARC policy query for blue.example.com contained rua=mailto:reports@red.example.net, the host extracted from the latter (red.example.net) does not match blue.example.com, so this procedure is enacted. A TXT query for blue.example.com._report._dmarc.red.example.net is issued. If a single reply comes back containing a tag of v=DMARC1, then the relationship between the two is confirmed. Moreover, red.example.net has the opportunity to override the report destination requested by blue.example.com if needed.

See the full section linked above for all the details.

Håkan Lindqvist
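The verification step the answer quotes, as an added example that is not part of the answer or of any DMARC implementation: given a policy domain and its rua list, it keeps same-domain destinations, queries <policy-domain>._report._dmarc.<report-domain> for each external one, drops destinations with no single v=DMARC1 reply, and applies any rua= override from that record. The DNS answers are constructed and stand in for a live resolver; the host comparison is the simplified exact match used in the quoted text rather than the Organizational Domain comparison in the full RFC section.

```python
# Constructed DNS answers standing in for a live resolver (assumption, not real data).
FAKE_DNS = {
    "_dmarc.blue.example.com": [
        "v=DMARC1; p=reject; rua=mailto:reports@red.example.net,mailto:me@blue.example.com"
    ],
    # red.example.net authorises reports about blue.example.com and overrides the mailbox.
    "blue.example.com._report._dmarc.red.example.net": [
        "v=DMARC1; rua=mailto:dmarc-agg@red.example.net"
    ],
    # green.example.org publishes no authorisation record, so reports to it are dropped.
}

def txt_lookup(name):
    return FAKE_DNS.get(name, [])

def parse_tags(record):
    """Split 'k=v; k2=v2' into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def mailto_domain(uri):
    """Host part of a mailto: URI, or None for other schemes."""
    if not uri.lower().startswith("mailto:"):
        return None
    addr = uri[len("mailto:"):].split("!")[0]  # drop an optional "!10m" size limit
    return addr.rsplit("@", 1)[-1].lower()

def verify_external_rua(policy_domain, rua_uris, lookup=txt_lookup):
    """Return the report URIs a generator may actually send to: same-domain URIs pass,
    an external one needs exactly one v=DMARC1 TXT record at
    <policy_domain>._report._dmarc.<external_domain>, which may override it via rua=."""
    accepted = []
    for uri in rua_uris:
        host = mailto_domain(uri)
        if host is None:
            continue
        if host == policy_domain.lower():
            accepted.append(uri)
            continue
        answers = [parse_tags(r) for r in lookup(f"{policy_domain}._report._dmarc.{host}")]
        answers = [t for t in answers if t.get("v", "").upper() == "DMARC1"]
        if len(answers) != 1:  # no (or ambiguous) authorisation: silently drop this URI
            continue
        override = answers[0].get("rua")
        accepted.extend([u.strip() for u in override.split(",")] if override else [uri])
    return accepted
```

A personal mailbox at a domain that has published no such record, as in the question, ends up in the dropped case: a conforming report generator never sends the report, and nothing tells the domain owner why.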