{{tag>mail dns}}

====== Receive DMARC reports at a different domain ======

Add this record to the DNS zone file for foobar.com:

  example.com._report._dmarc TXT "v=DMARC1;"

This is External Destination Verification: the receiving domain (foobar.com) publishes the record to confirm that it agrees to receive DMARC reports for example.com. You can now receive DMARC reports for the example.com domain at a foobar.com email address.

===== Troubleshooting =====

ERROR:

  15 09:42:58 nameserver named[25740]: /etc/bind/example.com.zone:26: foo.bar._report._dmarc.example.com: bad owner name (check-names)
  15 09:42:58 nameserver named[25740]: zone example.com/IN: loading from master file /etc/bind/example.com.zone failed: bad owner name (check-names)
  15 09:42:58 nameserver named[25740]: zone example.com/IN: not loaded due to errors.

This happens because of bind9's strict RFC checking. Check where in the zone file you have defined the record. Putting it after records where no hostname is defined doesn't seem to work and produces the above message. Example:

                          MX 1  aspmx.l.google.com.
                          MX 5  alt1.aspmx.l.google.com.
                          MX 5  alt2.aspmx.l.google.com.
                          MX 10 alt3.aspmx.l.google.com.
                          MX 10 alt4.aspmx.l.google.com.
                          MX 15 afejaofwifjwafiajwfi32jfoiw3jawfeijfw.mx-verification.google.com
  foo.bar._report._dmarc  TXT "v=DMARC1;"

This should work:

  ...
  ns2 AAAA
  ; External Destination Verification; receive DMARC reports from auto23.hr domain to example.com email
  foo.bar._report._dmarc TXT "v=DMARC1;"
  ...

Another solution is to relax bind9's RFC checks in the zone definition file (''named.conf.local'') by adding ''check-names warn;'', which logs bad names as warnings instead of refusing to load the zone:

  zone "example.com" {
      type master;
      file "/etc/bind/example.com.zone";
      allow-query { any; };
      allow-transfer { slave_servers; };
      check-names warn;
  };

===== See also =====

  * [[https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dmarc-to-validate-email?view=o365-worldwide|DMARC and DKIM operation from Microsoft Docs]]

===== References =====

  * https://linux.m2osw.com/setting-bind-get-letsencrypt-wildcards-work-your-system-using-rfc-2136
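
The External Destination Verification record described on this page can be derived and checked mechanically. The Python sketch below is an added example, not part of the original page: it reads a DMARC record, finds report addresses outside the publishing domain, and builds the owner name the receiving domain must publish. The sample record, the ''ZONE_TXT'' dictionary standing in for DNS answers, and the simplified same-domain test (no Public Suffix List lookup) are assumptions.

```python
def parse_tags(record):
    """Split a DMARC TXT value into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def report_hosts(record):
    """Return the mail domains named in the rua/ruf mailto: URIs."""
    tags = parse_tags(record)
    hosts = set()
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            uri = uri.strip().split("!", 1)[0]  # drop an optional "!10m" size limit
            if uri.lower().startswith("mailto:") and "@" in uri:
                hosts.add(uri.rsplit("@", 1)[1].lower().rstrip("."))
    return hosts

def verification_names(policy_domain, record):
    """Owner names that external report receivers must publish (RFC 7489, 7.1)."""
    policy_domain = policy_domain.lower().rstrip(".")
    names = []
    for host in sorted(report_hosts(record)):
        # Assumption: "same domain" means equal to or below policy_domain;
        # a full check compares Organizational Domains via the Public Suffix List.
        internal = host == policy_domain or host.endswith("." + policy_domain)
        if not internal:
            names.append(f"{policy_domain}._report._dmarc.{host}")
    return names

def unverified(policy_domain, record, txt_lookup):
    """Verification names whose TXT answer is missing or lacks v=DMARC1."""
    missing = []
    for name in verification_names(policy_domain, record):
        answers = txt_lookup.get(name, [])
        if not any(a.strip().startswith("v=DMARC1") for a in answers):
            missing.append(name)
    return missing

# Constructed sample data using the page's names: example.com reports to foobar.com.
RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@foobar.com,mailto:local@example.com!10m"
ZONE_TXT = {"example.com._report._dmarc.foobar.com": ["v=DMARC1;"]}  # stand-in for DNS

if __name__ == "__main__":
    print(verification_names("example.com", RECORD))
    print(unverified("example.com", RECORD, ZONE_TXT))
```

An empty result from ''unverified'' means every external report destination has authorised the reports; any name it returns is a record still missing from the receiving domain's zone.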