mirror of
https://github.com/internetstandards/toolbox-wiki.git
synced 2024-11-22 02:51:36 +01:00
Update DMARC-how-to.md
This commit is contained in:
parent
c9ba775ece
commit
65dc1e2325
@ -24,18 +24,16 @@ DMARC addresses this problem and enables the owner of a domain to take explicit
|
|||||||
* There is a workaround: Forward the appointment as an "iCalendar file" or as an attachment.
|
* There is a workaround: Forward the appointment as an "iCalendar file" or as an attachment.
|
||||||
|
|
||||||
# Creating a DMARC record
|
# Creating a DMARC record
|
||||||
The DMARC policy is published by means of a DNS TXT record.
|
The DMARC policy is published by means of a DNS TXT record. Before setting up a DMARC record, lets first take a look at all the configuration tags that can be configured within a DMARC record.
|
||||||
Overview
|
|
||||||
|
|
||||||
rua: aggregate reports
|
## Overview of DMARC configuration tag
|
||||||
ruf: forensic reports
|
|
||||||
|
|
||||||
| DMARC configuration tag | Required? | Value(s) | Explanation |
|
| DMARC configuration tag | Required? | Value(s) | Explanation |
|
||||||
| --- | --- | --- | --- |
|
| --- | --- | --- | --- |
|
||||||
| v | mandatory | DMARC1; | |
|
| v | mandatory | DMARC1; | |
|
||||||
| p | mandatory | none<br>quarantine<br>reject | None: don't do anything if DMARC verification fails (used for testing)<br>quarantine: treat mail that fails DMARC check as suspicious<br>reject: reject mail that fail DMARC check |
|
| p | mandatory | none<br>quarantine<br>reject | None: don't do anything if DMARC verification fails (used for testing)<br>quarantine: treat mail that fails DMARC check as suspicious<br>reject: reject mail that fail DMARC check |
|
||||||
| rua | optional | rua@example.nl | This field contains the email address used to send aggregate reports to |
|
| rua | optional | rua@example.nl | This field contains the email address used to send **aggregate** reports to |
|
||||||
| ruf | optional |ruf@example.nl | This field contains the email address used to send forensic reports to |
|
| ruf | optional |ruf@example.nl | This field contains the email address used to send **forensic** reports to |
|
||||||
| fo | mandatory | <br>0<br>1<br>s<br>d | Reporting options for failure reports. Generates a report if:<br>- both SPF and DKIM tests fail (0)<br>- either SPF or DKIM test fail (1)<br>- SPF test fails (s)<br>- DKIM test fails (d) |
|
| fo | mandatory | <br>0<br>1<br>s<br>d | Reporting options for failure reports. Generates a report if:<br>- both SPF and DKIM tests fail (0)<br>- either SPF or DKIM test fail (1)<br>- SPF test fails (s)<br>- DKIM test fails (d) |
|
||||||
| adkim | optional | s<br>r | Controls how strict the result of DKIM verification should be intepreted. Strict or relaxed. |
|
| adkim | optional | s<br>r | Controls how strict the result of DKIM verification should be intepreted. Strict or relaxed. |
|
||||||
| aspf | optional | s<br>r | Controls how strict the result of SPF verification should be intepreted. Strict or relaxed. |
|
| aspf | optional | s<br>r | Controls how strict the result of SPF verification should be intepreted. Strict or relaxed. |
|
||||||
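Review bot: the `fo` row still marks the tag as mandatory, but in RFC 7489 only `v` and `p` are required; `fo` is optional and defaults to `0`, so the cell should read `optional`. The `rua`/`ruf` value cells show bare addresses, while the record example later in the file uses the `mailto:` URI form (`rua=mailto:rua@example.nl`), which is the only valid form; the table should match it. The `adkim`/`aspf` rows describe alignment mode, not how a verification result "should be interpreted": strict means the DKIM `d=` domain (or the SPF-authenticated domain) must equal the From domain exactly, relaxed allows a subdomain of the same organizational domain. Minor: the new heading `## Overview of DMARC configuration tag` should be plural, `lets` should be `let's`, `reject mail that fail` should be `mail that fails`, and `intepreted` is misspelled in both alignment rows.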
@ -46,6 +44,11 @@ ruf: forensic reports
|
|||||||
|
|
||||||
Be aware that implementing a DMARC record without a rua configuration is possible, this is not advised because the DMARC XML files that are received by implementing a rua email address can help with implementing DKIM or SPF to meet the DMARC requirements.
|
Be aware that implementing a DMARC record without a rua configuration is possible, this is not advised because the DMARC XML files that are received by implementing a rua email address can help with implementing DKIM or SPF to meet the DMARC requirements.
|
||||||
|
|
||||||
|
## Setting up a DMARC record
|
||||||
|
Depending on your preferences and needs, you can determine the value of the configuration tags. The values below seem like a good starting point when setting up
|
||||||
|
|
||||||
|
_dmarc IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.nl; ruf=mailto:dmarc@example.nl; fo=0; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400; sp=quarantine"
|
||||||
|
|
||||||
# Implementing DMARC with OpenDMARC for Postfix with SpamAssassin
|
# Implementing DMARC with OpenDMARC for Postfix with SpamAssassin
|
||||||
**Specifics for this setup**
|
**Specifics for this setup**
|
||||||
* Linux Debian 9.8 (Stretch)
|
* Linux Debian 9.8 (Stretch)
|
||||||
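Review bot: the lead-in sentence of the new section ends mid-sentence ("...a good starting point when setting up") and needs finishing, and the example record recommends `p=quarantine` as the starting point while the table above describes `p=none` as the value used for testing: the usual rollout is to publish `p=none` with `rua=` set, read the aggregate reports until every legitimate sending source passes SPF or DKIM with alignment, and only then move to `p=quarantine` and `p=reject`. Two caveats belong next to the record: `rf=afrf` and `ri=86400` are the defaults and can be dropped, and if the `rua`/`ruf` addresses live in a different domain from the one publishing the record, that domain must publish an authorization record (`example.nl._report._dmarc.<report-receiver-domain>` TXT `v=DMARC1`) or receivers will ignore the reporting URIs (RFC 7489 section 7.1). Since `ruf=` failure reports can carry message headers and body content, the mailbox receiving them should also be treated as a store of personal data.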
@ -135,6 +138,25 @@ and run it every day under the user opendmarc by adding the following to **/etc/
|
|||||||
|
|
||||||
1 0 * * * opendmarc /etc/opendmarc/report_script
|
1 0 * * * opendmarc /etc/opendmarc/report_script
|
||||||
|
|
||||||
|
### Configuring SpamAssassin
|
||||||
|
SpamAssassin uses a scoring mechanism in order to determine if an e-mail should be considered spam. By default SpamAssassin considers an e-mail to be spam if the score at least "5". An e-mail starts with a score of 0 and points are added based on the [tests](https://spamassassin.apache.org/old/tests_3_3_x.html) performed. The tests performed can be configured by adding specific [configuration parameters](https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.html) in **/etc/spamassassin/local.cf**.
|
||||||
|
|
||||||
|
Now here's the tricky part. The points added to the score of an incoming e-mail based on the results of a specific test, is at its core a custom job. Many variables can be taken into consideration when scoring an e-mail (which is considered the strength of a post-SMTP spam filter) and the detailed scoring depends on a domain owner's specific wishes. For the sake of this how-to, the DMARC scoring will be based on the assumption that the domain owner wants to consider an e-mail to be spam if the sending e-mail server's DMARC validation did fail.
|
||||||
|
|
||||||
|
With SpamAssassin this can be configured by adding the following scoring configuration parameters to **/etc/spamassassin/local.cf**:
|
||||||
|
|
||||||
|
```
|
||||||
|
#dmarc fail
|
||||||
|
header CUST_DMARC_FAIL Authentication-Results =~ /mail\.example\.nl; dmarc=fail/
|
||||||
|
score CUST_DMARC_FAIL 5.0
|
||||||
|
|
||||||
|
#dmarc pass
|
||||||
|
header CUST_DMARC_PASS Authentication-Results =~ /mail\.example\.nl; dmarc=pass/
|
||||||
|
score CUST_DMARC_PASS -1.0
|
||||||
|
```
|
||||||
|
|
||||||
|
This means that when the "Authentication-Results" header of your e-mail contains "mail.example.nl; dmarc=fail" 5 points will be added to the score; instantly classifying this e-mail as SPAM. On the other hand, if the "Authentication-Results" header of your e-mail contains "mail.example.nl; dmarc=pass" -1 points will be added to the score; classifying this e-mail as legitimate.
|
||||||
|
|
||||||
# Special thanks
|
# Special thanks
|
||||||
Our infinite gratitude goes out to the following people for their support in building this how-to for DANE.
|
Our infinite gratitude goes out to the following people for their support in building this how-to for DANE.
|
||||||
|
|
||||||
|
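Review bot: both SpamAssassin rules trust the `Authentication-Results` header as proof of what OpenDMARC decided, so the negative-scoring `CUST_DMARC_PASS` rule is only safe if the MTA strips any incoming `Authentication-Results:` header that claims the local authserv-id (`mail.example.nl`) before OpenDMARC adds its own; RFC 8601 section 5 requires a verifier to do this because a sender can otherwise insert `Authentication-Results: mail.example.nl; dmarc=pass` and buy the -1.0 adjustment. The section should say where this stripping is configured in this setup, or drop the pass rule. Second, OpenDMARC reports `dmarc=fail` for every message that fails alignment, including mail from domains publishing `p=none`, so the flat 5.0 penalty enforces more than those domain owners asked for; OpenDMARC records the policy next to the result (e.g. `dmarc=fail (p=reject dis=reject)`), so a pattern such as `dmarc=fail \(p=(reject|quarantine)` keeps the scoring in line with the sender's published policy. The closing paragraph also overstates the pass rule: -1.0 does not classify a message as legitimate, it only lowers the total and the other tests still apply. In this hunk's trailing context, the Special thanks line says "this how-to for DANE" inside the DMARC how-to.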