When you set up your DMARC record and you point your reporting to Agari we need to create a rule in DNS letting the reporters know that we allowed you to send your reporting information to us. This is called "External Verification". If these rules were not in place, then this would give the bad guys the chance to create a DMARC record for a domain that points to a victim's email address, send a bunch of malicious emails that fail authentication, and then flood the victim's mailbox with unwanted reports. In order to set up external verification, a special TXT record must be created.
Let's say I have the domain example.com. If I do a DMARC lookup for this domain I may find a different reporting address configured:
v=DMARC1; p=none; rua=mailto:firstname.lastname@example.org
You can see that the domain of example.com does not match examplereport.net. This means examplereport.net needs to publish a special TXT record at a specific location in the DNS. If example.com tells the DMARC reporters to send DMARC reports to the examplereport.net domain, people who are sending reports will look for a TXT record at this location:
The answer to this query should be: v=DMARC1
For further details and information, please review section 7.1 of the DMARC RFC. If you have questions or would like to discuss, please do not hesitate to reach out to email@example.com