RFC7489 7.1 DMARC Verifying External Destinations
I found out that Microsoft does not fully follow RFC7489 in the scope of Verifying External Destinations: when a domain creates a DMARC record with a rua or ruf that belongs to an external domain, it doesn't verify that a permission record exists in the external domain to receive DMARC reports for the domain. For example:
_dmarc.example.com IN TXT v=DMARC1; p=none; rua= mailto:email address removed for privacy reasons
should only be taken into account if example.net contains the record:
example.com._report._dmarc.example.org IN TXT v=DMARC1
but when Microsoft sends DMARC reports, it sends them even where there was no such record, generating unwanted and unrequested traffic to example.net
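The check that RFC 7489 section 7.1 asks a report generator to make, as an added example that is not part of the original post and is not Microsoft's code. Assumptions: DNS is replaced by the constructed `ZONE` dictionary, the Organizational Domain is approximated as the last two labels instead of a public suffix list lookup, and the mailbox names and function names are hypothetical.

```python
from urllib.parse import urlparse

# Constructed TXT data standing in for DNS: example.org authorises reports
# about example.com; example.net publishes no authorisation record.
ZONE = {"example.com._report._dmarc.example.org": ["v=DMARC1"]}

def org_domain(name):
    # Assumption: last two labels. A real verifier uses a public suffix list.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def parse_tags(record):
    # Split "tag=value; tag=value" into a dict with lower-cased tag names.
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def verify_destinations(policy_domain, record, zone):
    """Return (accepted, rejected) report URIs from the rua and ruf tags."""
    accepted, rejected = [], []
    tags = parse_tags(record)
    for tag in ("rua", "ruf"):
        for uri in (u.strip() for u in tags.get(tag, "").split(",")):
            if not uri:
                continue
            # Drop the optional "!size" suffix before parsing the URI.
            parsed = urlparse(uri.split("!", 1)[0])
            if parsed.scheme != "mailto" or "@" not in parsed.path:
                rejected.append(uri)
                continue
            host = parsed.path.rsplit("@", 1)[1].lower()
            # Same Organizational Domain: no external verification needed.
            if org_domain(host) == org_domain(policy_domain):
                accepted.append(uri)
                continue
            # External destination: it must publish
            # <policy domain>._report._dmarc.<destination host> TXT "v=DMARC1".
            qname = f"{policy_domain.lower()}._report._dmarc.{host}"
            answers = zone.get(qname, [])
            if any(txt.strip().startswith("v=DMARC1") for txt in answers):
                accepted.append(uri)
            else:
                rejected.append(uri)  # no authorisation: send nothing
    return accepted, rejected
```

A generator that behaves this way sends nothing to a destination in `rejected`, which is the behaviour the post says is missing.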