.png)
When you set up DMARC, the RUA (aggregate) and RUF (forensic) tags tell email receivers where to send your DMARC reports. If the domain in those email addresses hasn’t been verified, you’ll see an “External verification failure” warning.
example.com._report._dmarc.example2.com with value v=DMARC1;.It indicates that the domain listed in your RUA or RUF tag hasn’t published the required verification TXT record, so receivers can’t deliver DMARC reports to that address.
Gmail is a free‑mail domain you don’t control, so you can’t add the verification TXT record it requires. Use a domain you own and can edit its DNS.
In the DNS zone of the external domain (the one after the @ in your report address), add a TXT record:
yourdomain.com._report._dmarc.externaldomain.comv=DMARC1;DNS propagation can take from a few minutes up to 48 hours, depending on your TTL settings. After that, the warning should disappear.
Run Palisade’s DMARC Record Checker. It will confirm that the external verification TXT record is visible and that reports will be delivered.
No. One verification record that references your domain is enough for all RUA/RUF addresses on the same external domain.
Yes, just ensure the subdomain’s DNS includes the verification TXT record matching the full address.
DMARC reports will be dropped for that address, and you’ll lose visibility into authentication failures for your domain.
Yes, it’s a public DNS TXT record, but it only contains v=DMARC1;, which poses no security risk.
Many DNS providers offer API access. You can script the creation of the verification TXT record as part of your DMARC deployment pipeline.
.svg)