diff --git a/DMARC-how-to.md b/DMARC-how-to.md index 02e0fce..afa6ece 100644 --- a/DMARC-how-to.md +++ b/DMARC-how-to.md @@ -24,18 +24,16 @@ DMARC addresses this problem and enables the owner of a domain to take explicit * There is a workaround: Forward the appointment as an "iCalendar file" or as an attachment. # Creating a DMARC record -The DMARC policy is published by means of a DNS TXT record. -Overview +The DMARC policy is published by means of a DNS TXT record. Before setting up a DMARC record, lets first take a look at all the configuration tags that can be configured within a DMARC record. -rua: aggregate reports -ruf: forensic reports +## Overview of DMARC configuration tag | DMARC configuration tag | Required? | Value(s) | Explanation | | --- | --- | --- | --- | | v | mandatory | DMARC1; | | | p | mandatory | none
quarantine
reject | None: don't do anything if DMARC verification fails (used for testing)
quarantine: treat mail that fails DMARC check as suspicious
reject: reject mail that fail DMARC check | -| rua | optional | rua@example.nl | This field contains the email address used to send aggregate reports to | -| ruf | optional |ruf@example.nl | This field contains the email address used to send forensic reports to | +| rua | optional | rua@example.nl | This field contains the email address used to send **aggregate** reports to | +| ruf | optional |ruf@example.nl | This field contains the email address used to send **forensic** reports to | | fo | mandatory |
0
1
s
d | Reporting options for failure reports. Generates a report if:
- both SPF and DKIM tests fail (0)
- either SPF or DKIM test fail (1)
- SPF test fails (s)
- DKIM test fails (d) | | adkim | optional | s
r | Controls how strict the result of DKIM verification should be intepreted. Strict or relaxed. | | aspf | optional | s
r | Controls how strict the result of SPF verification should be intepreted. Strict or relaxed. | @@ -46,6 +44,11 @@ ruf: forensic reports Be aware that implementing a DMARC record without a rua configuration is possible, this is not advised because the DMARC XML files that are received by implementing a rua email address can help with implementing DKIM or SPF to meet the DMARC requirements. +## Setting up a DMARC record +Depending on your preferences and needs, you can determine the value of the configuration tags. The values below seem like a good starting point when setting up + + _dmarc IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.nl; ruf=mailto:dmarc@example.nl; fo=0; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400; sp=quarantine" + # Implementing DMARC with OpenDMARC for Postfix with SpamAssassin **Specifics for this setup** * Linux Debian 9.8 (Stretch) 
@@ -135,6 +138,25 @@ and run it every day under the user opendmarc by adding the following to **/etc/ 1 0 * * * opendmarc /etc/opendmarc/report_script +### Configuring SpamAssassin +SpamAssassin uses a scoring mechanism in order to determine if an e-mail should be considered spam. By default SpamAssassin considers an e-mail to be spam if the score at least "5". An e-mail starts with a score of 0 and points are added based on the [tests](https://spamassassin.apache.org/old/tests_3_3_x.html) performed. The tests performed can be configured by adding specific [configuration parameters](https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.html) in **/etc/spamassassin/local.cf**. + +Now here's the tricky part. The points added to the score of an incoming e-mail based on the results of a specific test, is at its core a custom job. Many variables can be taken into consideration when scoring an e-mail (which is considered the strength of a post-SMTP spam filter) and the detailed scoring depends on a domain owner's specific wishes. For the sake of this how-to, the DMARC scoring will be based on the assumption that the domain owner wants to consider an e-mail to be spam if the sending e-mail server's DMARC validation did fail. + +With SpamAssassin this can be configured by adding the following scoring configuration parameters to **/etc/spamassassin/local.cf**: + +``` +#dmarc fail +header CUST_DMARC_FAIL Authentication-Results =~ /mail\.example\.nl; dmarc=fail/ +score CUST_DMARC_FAIL 5.0 + +#dmarc pass +header CUST_DMARC_PASS Authentication-Results =~ /mail\.example\.nl; dmarc=pass/ +score CUST_DMARC_PASS -1.0 +``` + +This means that when the "Authentication-Results" header of your e-mail contains "mail.example.nl; dmarc=fail" 5 points will be added to the score; instantly classifying this e-mail as SPAM. 
On the other hand, if the "Authentication-Results" header of your e-mail contains "mail.example.nl; dmarc=pass" -1 points will be added to the score; classifying this e-mail as legitimate. + # Special thanks Our infinite gratitude goes out to the following people for their support in building this how-to for DANE.
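Review bot: In the first hunk (@@ -24,18 +24,16 @@), the rua and ruf rows being touched still show bare addresses (rua@example.nl, ruf@example.nl) in the Value(s) column, while the record added later in this patch writes them as rua=mailto:dmarc@example.nl and ruf=mailto:dmarc@example.nl. These tags take a mailto: URI, so the table should show mailto:rua@example.nl and mailto:ruf@example.nl to keep readers from copying a value that will not work. Smaller points in the same hunk: "lets first take a look" should be "let's", the new heading should read "Overview of DMARC configuration tags", and the ruf row is missing the space after the column separator.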
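Review bot: In the second hunk (@@ -46,6 +44,11 @@), the example record goes straight to p=quarantine with pct=100 and sp=quarantine as "a good starting point", although the table describes p=none as the value used for testing and the paragraph just above the new section says the rua reports help with getting SPF and DKIM to meet the DMARC requirements. Suggest either showing p=none for the initial record with a follow-up step that moves to quarantine, or adding a sentence on why quarantine is safe to start with. The introducing sentence also trails off ("...when setting up") and needs its object and closing punctuation.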
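Review bot: In the third hunk (@@ -135,6 +138,25 @@), CUST_DMARC_FAIL and CUST_DMARC_PASS match the text "mail.example.nl; dmarc=..." in any Authentication-Results header, so the scoring is only sound if that header is written exclusively by your own mail server. The section should state that requirement (inbound headers that already name mail.example.nl as the verifying host must be removed before SpamAssassin runs), otherwise the -1.0 for CUST_DMARC_PASS is granted on sender-supplied text. The pattern also assumes dmarc is the first result after the hostname with exactly one space after the semicolon, which is worth a note for readers adapting it. In the prose, "if the score at least "5"" is missing "is", and "-1 points will be added ... classifying this e-mail as legitimate" overstates the effect: the rule only lowers the score, and other tests can still take the mail over the threshold.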