I'd like to set up a DMARC record so that I can receive reports on an external subdomain. To be specific, I have a domain called send.com which sends emails and is monitored by DMARC. The aggregate reports generated by DMARC are sent to an email address receive@agg.report.com.
Per the DMARC spec, I need to set up a TXT record on report.com to give permission to receive these report emails. My understanding is that I need to add the TXT record as *._report._dmarc with value v=DMARC1. The wildcard here means I give permissions to all domains, including send.com.
Then I use mxtoolbox's tool to check the validity of the generated DMARC record, and it says everything is fine, except that 'External Domains in your DMARC are not giving permission for your reports to be sent to them.', which I've attempted to address with the TXT record above.
Next I guess mxtoolbox has the error because the recipient mailbox is on a subdomain, that is, agg.report.com, maybe I need to add agg to the TXT record. Now it becomes *._report._dmarc.agg. I then use mxtoolbox to check again. Now mxtoolbox says everything is fine.
But now I have a new problem: I am unable to access the receive@agg.report.com mailbox, because DNS is unable to resolve agg.report.com. It turns out the *._report._dmarc.agg txt record is the cause, and after I remove it, I am able to access receive@agg.report.com again.
So my question is, what is the correct way to give permissions to all domains to send aggregate reports to an external email sitting on a subdomain?
Thanks!
