RFC7489 7.1 DMARC Verifying External Destinations

Copper Contributor

I found out that Microsoft do not fully follow RFC7489 in scope of Verifying External Destinations, when domain creates DMARC record with rua or ruf that belongs to external domain it doesn't verify that permission record exist in external domain to receive DMARC reports for domain. For example:

 

_dmarc.example.com IN TXT v=DMARC1; p=none; rua= mailto:email address removed for privacy reasons

should be only take to account if example.net would contain record:

example.com._report._dmarc.example.org IN TXT v=DMARC1

 but Microsoft when sends DMARC reports send them even where was no such record, generated unwanted and not requested traffic to example.net

1 Reply

Hi @dragoangel 

I've been working with DMARC quite a while and never heard of that Record.

But you're right that's whats in the RFC and my DMARC Providers have that Record set up.

 

I suggest you to open a Ticket at Microsoft and tell them.

 

Kind Regards

Andres