场景说明:
如果要将DMARC报告发送到记录所在的域以外,则接收域需要配置DNS记录,以便电子邮件服务提供商知道收件人指定报告授权。
=====================================================================================
知识点说明:
关联RFC: RFC-7489
Verifying External Destinations
It is possible to specify destinations for the different reports that are outside the authority of the Domain Owner making the request. This allows domains that do not operate mail servers to request reports and have them go someplace that is able to receive and process them. Without checks, this would allow a bad actor to publish a DMARC policy record that requests that reports be sent to a victim address, and then send a large volume of mail that will fail both DKIM and SPF checks to a wide variety of destinations; the victim will in turn be flooded with unwanted reports. Therefore, a verification mechanism is included.
大意:可以为发出请求的域所有者的指定他域目的地址。这允许没运行邮件服务器的域将请求报告发送到能够接收和处理的邮箱中。
但是如果没有检查机制,这将出现不良的参与者发布DMARC政策记录,要求将报告发送到受害者地址,然后发送大量邮件,使DKIM和SPF检查都无法通过的情况下,
受害者将会收到不必要的报告邮件攻击。因此,需要有一个验证机制。
验证机制即在收报告的邮箱所在域中,增加一个TXT记录,其主机名为: 发送域._report._dmarc.,其内容为: v=DMARC1
例如:如果您的域是lucky.cn,并且您想要将报告发送到gao@lucky.com.cn,那么需要在lucky.com.cn的域名解析中,增加一条TXT记录,其主机名为:
lucky.cn._report._dmarc,其内容为 v=DMARC1
待解析生效后,即完成报告授权。