Fix “External Verification Failure” in EasyDMARC | EasyDMARC


Reviewing DMARC record issues with our DMARC Record Checker is the first step in your DMARC troubleshooting journey. This article focuses on the “External verification failure” warning.

This notification indicates that the URIs specified in your RUA and RUF tags won’t be able to receive DMARC reports yet.

As you might know, RUA and RUF tags are essential for proper DMARC deployment. They help to specify the email addresses to which ESPs must deliver DMARC aggregate (RUA) and forensic/failure (RUF) reports. Once received, DMARC reports help users investigate the problems with their email sending sources and configure them.


For instance, suppose your domain is example.com. You’ve published a DMARC record like the one below, which names an inbox address in the RUA and RUF tags to receive the DMARC reports of example.com.

v=DMARC1;p=reject;rua=mailto:name@example2.com;ruf=mailto:name@example2.com;fo=1:s

If the example2.com domain doesn’t have an external domain verification record confirming that it’s authorized to receive the DMARC reports of example.com, the reports won’t be delivered to the specified email address (name@example2.com).

When you send an email from your domain (example.com), the receiving server checks whether the domain that publishes the DMARC record matches the domain in the email address of the RUA or RUF tag. Verification starts only if they don’t match. In that case, the receiving server checks whether the report-receiving domain (example2.com) has confirmed receiving the reports, by looking for a specific TXT record in the external domain’s DNS zone.

If that record is found in the external domain’s DNS, the reports are sent to that address.

How to Solve “External Verification Failure”?

This warning has an easy fix. Publish a TXT record in the given external domain’s (example2.com) DNS to authorize the delivery of the reports to the email addresses mentioned above.

In our example, you need to create a TXT record in the example2.com domain’s DNS zone to confirm receiving DMARC reports of your domain (example.com). The record should look like this:

– Record type: TXT
– Host/Name: example.com._report._dmarc.example2.com
– Value: v=DMARC1;

Don’t publish this record on your domain’s DNS but on the external domain (example2.com) where you want to receive your reports.

Marlena Nersisyan | Technical Support Engineer

Once you’ve published your record, authorize the addresses ending with example2.com. You’ll start receiving both RUA and RUF DMARC reports from example.com.
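The check described above can be reproduced before and after publishing the fix. This is an added example, not EasyDMARC's code: `lookup_txt` and the two sample zones are constructed stand-ins for DNS so it runs offline, and domains are compared by exact match as the article describes (an assumption; organizational-domain handling is left out).

```python
import re

def parse_tags(record):
    """Split a DMARC TXT value into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def report_domains(record):
    """Return the set of domains named in rua/ruf mailto: URIs."""
    tags = parse_tags(record)
    domains = set()
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            # "!" starts an optional size limit such as mailto:a@b.example!10m
            match = re.match(r"\s*mailto:[^@\s]+@([^!\s]+)", uri, re.I)
            if match:
                domains.add(match.group(1).lower().rstrip("."))
    return domains

def check_external_verification(policy_domain, record, lookup_txt):
    """Map each external report domain to (authorization record name, authorized?).

    lookup_txt(name) is a hypothetical resolver hook returning a list of TXT strings.
    """
    policy_domain = policy_domain.lower().rstrip(".")
    results = {}
    for dest in sorted(report_domains(record)):
        if dest == policy_domain:
            continue  # same domain: no external verification needed
        name = f"{policy_domain}._report._dmarc.{dest}"
        authorized = any(txt.replace(" ", "").lower().startswith("v=dmarc1")
                         for txt in lookup_txt(name))
        results[dest] = (name, authorized)
    return results

# Constructed sample data: the article's record and example2.com's zone before/after the fix.
RECORD = "v=DMARC1;p=reject;rua=mailto:name@example2.com;ruf=mailto:name@example2.com;fo=1:s"
ZONE_BEFORE = {}
ZONE_AFTER = {"example.com._report._dmarc.example2.com": ["v=DMARC1;"]}

if __name__ == "__main__":
    for label, zone in (("before fix", ZONE_BEFORE), ("after fix", ZONE_AFTER)):
        print(label, check_external_verification("example.com", RECORD, lambda n: zone.get(n, [])))
```

To run it against live DNS, pass a `lookup_txt` function backed by a real resolver in place of the dictionary lookup.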

Content Team Lead | EasyDMARC
Hasmik talks about DMARC, email security, and cyberawareness. She finds joy in turning tough technical concepts into approachable and fun articles in plain language.

Comments

Kirsten
Jan 15, 2024

Do I need to use a business email for the RUA and RUF emails? Can I not just use a regular gmail for that?

Hagop Khatchoian
Admin
Jan 15, 2024
Reply to  Kirsten

Your RUA address domain must align with your own domain. If they don’t match, you’ll need to conduct external verification for the other domain to receive reports for your own. Therefore, using ‘gmail.com’ isn’t permissible, as it is a freemail domain, and you don’t have the authority to perform external verification for it.
