OpenDMARC

Domain-based Message Authentication, Reporting and Conformance (DMARC) is a policy for mail transfer that is already supported by some common mail providers. It builds on SPF and DKIM. DMARC provides a policy for outgoing mail and checks incoming mail for compliance with that policy. The policy is published via a DNS TXT record and is explained in section Record. Validation is done by a daemon; its configuration is explained in section Validator. For more information see the draft.

Record

An example record looks like this: v=DMARC1;p=quarantine;pct=100;rua=mailto:postmaster@example.org;ruf=mailto:forensik@example.org;adkim=s;aspf=r. It is entered as a TXT record on the _dmarc subdomain of your domain.

Tag Name   Purpose                                                      Sample
v          Protocol version                                             v=DMARC1
pct        Percentage of messages subjected to filtering                pct=20
ruf        Reporting URI for forensic reports                           ruf=mailto:authfail@example.com
rua        Reporting URI for aggregate reports                          rua=mailto:aggrep@example.com
p          Policy for the organizational domain                         p=quarantine
sp         Policy for subdomains of the organizational domain           sp=reject
adkim      Alignment mode for DKIM                                      adkim=s
aspf       Alignment mode for SPF                                       aspf=r
fo         Forensic report options                                      fo=1
rf         Reporting format, either afrf or iodef                       rf=afrf
ri         Reporting interval of aggregate reports (often disregarded)  ri=86400

The alignment modes for DKIM and SPF can be s for strict and r for relaxed; relaxed allows a subdomain in the From header while strict does not. The policies for the domain (p) and its subdomains (sp) might be one of monitor, quarantine or reject. The forensic report options are "0" to generate reports if all underlying authentication mechanisms fail to produce a DMARC pass result, "1" to generate reports if any mechanism fails, "d" to generate a report if the DKIM signature failed to verify, and "s" if SPF failed.
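The record from this section and the alignment rules just described, worked through as an added example that is not part of the wiki page: parse the TXT record into tags, then evaluate identifier alignment for a constructed message the way a validator does. The organizational-domain lookup is simplified to the last two labels (a real validator consults the Public Suffix List), and the From, DKIM and SPF domains are constructed sample values.

```python
# Added example: parse a DMARC TXT record and evaluate alignment for one message.
# Simplification: organizational domain = last two labels (real validators use
# the Public Suffix List). All message identifiers below are constructed.

def parse_dmarc(record: str) -> dict:
    """Split 'tag=value;tag=value' into a dict; surrounding whitespace is tolerated."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        k, v = part.split("=", 1)
        tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    return tags

def org_domain(domain: str) -> str:
    # Simplified organizational domain: keep only the last two labels.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts a subdomain."""
    a, b = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return a == b
    return org_domain(a) == org_domain(b)

def evaluate(record, from_domain, dkim_domain, dkim_pass, spf_domain, spf_pass):
    """Return (dmarc_pass, policy_to_apply). DMARC passes when at least one
    mechanism passed AND its domain aligns with the From domain."""
    tags = parse_dmarc(record)
    dkim_ok = bool(dkim_pass and dkim_domain and aligned(from_domain, dkim_domain, tags.get("adkim", "r")))
    spf_ok = bool(spf_pass and spf_domain and aligned(from_domain, spf_domain, tags.get("aspf", "r")))
    if dkim_ok or spf_ok:
        return True, None
    # 'sp' applies to subdomains of the organizational domain when present.
    if from_domain.lower() != org_domain(from_domain) and "sp" in tags:
        return False, tags["sp"]
    return False, tags["p"]

RECORD = "v=DMARC1;p=quarantine;pct=100;rua=mailto:postmaster@example.org;ruf=mailto:forensik@example.org;adkim=s;aspf=r"

if __name__ == "__main__":
    # Constructed message: From mail.example.org, DKIM d=example.org, SPF domain example.org.
    print(evaluate(RECORD, "mail.example.org", "example.org", True, "example.org", True))
```

With adkim=s the DKIM identifier does not align for a subdomain sender, but aspf=r lets SPF align, so the message passes; remove the SPF pass and the quarantine policy applies.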

Validator

Installation

Install the package opendmarc.

Basic configuration

The main configuration file is /etc/opendmarc/opendmarc.conf.

  • Copy/move the sample configuration file /etc/opendmarc/opendmarc.conf.sample to /etc/opendmarc/opendmarc.conf and change the following options:
/etc/opendmarc/opendmarc.conf
Socket                  unix:/run/opendmarc/dmarc.sock
UserID                  opendmarc

If you want to run your DMARC validator on a different machine, change the Socket field to something like inet:9999@10.0.0.4, which makes the daemon listen on port 9999 of the address 10.0.0.4 (the address can be omitted, in which case it listens on 0.0.0.0).

  • Enable and start the opendmarc.service. Read Daemons for more information.

Postfix integration

Add the following lines to main.cf:

 non_smtpd_milters = unix:/run/opendkim/dkim.sock, unix:/run/opendmarc/dmarc.sock
 smtpd_milters = unix:/run/opendkim/dkim.sock, unix:/run/opendmarc/dmarc.sock

and make sure that the DMARC milter is listed after the DKIM milter, because DMARC needs the DKIM verification result.

Security

The daemon can drop privileges on its own, as configured above with UserID. Since the daemon does not need root privileges, it can also be started directly as the right user. To accomplish that, use the following systemd unit file; the UserID statement should then be commented out of the config.

/etc/systemd/system/opendmarc.service
[Unit]
Description=OpenDMARC daemon
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
User=opendmarc
Group=postfix
ExecStart=/usr/bin/opendmarc -c /etc/opendmarc/opendmarc.conf

[Install]
WantedBy=multi-user.target
