OpenDMARC
Domain-based Message Authentication, Reporting and Conformance (DMARC) is a policy for mail transfer which is already supported by some common mail providers. It depends on SPF and DKIM. DMARC provides a policy for outgoing mail and checks incoming mail for compliance with that policy. The policy is published via a DNS TXT record, as explained in section Record. Validation is done by a daemon, whose configuration is explained in section Validator. For more information see the draft.
Record
An example record looks like this: `v=DMARC1;p=quarantine;pct=100;rua=mailto:postmaster@example.org;ruf=mailto:forensik@example.org;adkim=s;aspf=r`

It is entered as a TXT record on the _dmarc subdomain of your domain.
Tag Name | Purpose | Sample
---|---|---
v | Protocol version | v=DMARC1
pct | Percentage of messages subjected to filtering | pct=20
ruf | Reporting URI for forensic reports | ruf=mailto:authfail@example.com
rua | Reporting URI for aggregate reports | rua=mailto:aggrep@example.com
p | Policy for the organizational domain | p=quarantine
sp | Policy for subdomains of the organizational domain | sp=reject
adkim | Alignment mode for DKIM | adkim=s
aspf | Alignment mode for SPF | aspf=r
fo | Forensic report options | fo=1
rf | Reporting format, either afrf or iodef | rf=afrf
ri | Reporting interval of aggregate reports (often disregarded) | ri=86400
The alignment modes for DKIM and SPF can be s for strict and r for relaxed, where the latter allows a subdomain in the From header while the former does not.
The policies for the domain (p) and its subdomains (sp) might be one of monitor, quarantine or reject.
The forensic report options (fo) are "0" to generate reports if all underlying authentication mechanisms fail to produce a DMARC pass result, "1" to generate reports if any mechanism fails, "d" to generate a report if the DKIM signature failed to verify, and "s" to generate a report if SPF failed.
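The following is an added example, not code from the wiki page or from the OpenDMARC project. It ties the tag table and the alignment and policy paragraphs above together: it parses a record into its tags with the defaults a receiver applies (pct=100, relaxed alignment, sp inherited from p), rejects malformed records, and then evaluates a message the way a validator does, comparing the From header domain against the domains that passed DKIM and SPF under the strict or relaxed alignment mode and returning either "pass" or the policy (p or sp) to apply. The monitoring-only policy is spelled `p=none` in an actual record. The organizational-domain helper is a deliberate simplification (last two labels); real validators consult the Public Suffix List. The sample record is the one from this page.

```python
# Added example, not code from the wiki page or from the OpenDMARC project.
# Value sets follow RFC 7489; the monitoring-only policy is written p=none.
POLICIES = {"none", "quarantine", "reject"}
ALIGNMENT_MODES = {"s", "r"}          # strict / relaxed
REPORT_FORMATS = {"afrf", "iodef"}
FO_OPTIONS = {"0", "1", "d", "s"}


def parse_dmarc_record(txt):
    """Parse a DMARC TXT record into a dict, applying the RFC 7489 defaults.

    Raises ValueError for records a validator must treat as absent/invalid.
    """
    tags, order = {}, []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, value = (x.strip() for x in part.split("=", 1))
        tags[key] = value
        order.append(key)
    if not order or order[0] != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in POLICIES:
        raise ValueError("p is required and must be none, quarantine or reject")
    rec = {
        "p": tags["p"],
        "sp": tags.get("sp", tags["p"]),      # subdomain policy defaults to p
        "adkim": tags.get("adkim", "r"),
        "aspf": tags.get("aspf", "r"),
        "pct": int(tags.get("pct", "100")),
        "fo": tags.get("fo", "0").split(":"),
        "rf": tags.get("rf", "afrf"),
        "ri": int(tags.get("ri", "86400")),
        "rua": [u for u in tags.get("rua", "").split(",") if u],
        "ruf": [u for u in tags.get("ruf", "").split(",") if u],
    }
    if (rec["sp"] not in POLICIES or rec["adkim"] not in ALIGNMENT_MODES
            or rec["aspf"] not in ALIGNMENT_MODES or rec["rf"] not in REPORT_FORMATS):
        raise ValueError("invalid sp, adkim, aspf or rf value")
    if not 0 <= rec["pct"] <= 100 or not set(rec["fo"]) <= FO_OPTIONS:
        raise ValueError("pct must be 0..100 and fo a colon-separated subset of 0,1,d,s")
    for uri in rec["rua"] + rec["ruf"]:
        if not uri.startswith("mailto:"):
            raise ValueError(f"unsupported report URI {uri!r}")
    return rec


def is_valid_record(txt):
    """True if the record parses; what a receiver checks before applying any policy."""
    try:
        parse_dmarc_record(txt)
        return True
    except ValueError:
        return False


def org_domain(domain):
    """Approximate the organizational domain as the last two labels.

    Simplification for this example: real validators use the Public Suffix List,
    so multi-label suffixes such as co.uk are handled wrongly here.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if mode == "s":
        return from_domain.lower().rstrip(".") == auth_domain.lower().rstrip(".")
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(rec, from_domain, dkim_pass_domains, spf_pass_domain):
    """Return 'pass', or the policy (p or sp) to apply when no aligned identifier passed.

    dkim_pass_domains: d= domains of DKIM signatures that verified.
    spf_pass_domain:   MAIL FROM domain if SPF passed, else None.
    """
    dkim_ok = any(aligned(from_domain, d, rec["adkim"]) for d in dkim_pass_domains)
    spf_ok = spf_pass_domain is not None and aligned(from_domain, spf_pass_domain, rec["aspf"])
    if dkim_ok or spf_ok:
        return "pass"
    is_org = from_domain.lower().rstrip(".") == org_domain(from_domain)
    return rec["p"] if is_org else rec["sp"]


# Sample input: the record shown on this page.
SAMPLE_RECORD = ("v=DMARC1;p=quarantine;pct=100;rua=mailto:postmaster@example.org;"
                 "ruf=mailto:forensik@example.org;adkim=s;aspf=r")

if __name__ == "__main__":
    rec = parse_dmarc_record(SAMPLE_RECORD)
    # a DKIM signature for mail.example.org does not satisfy adkim=s for From: example.org
    print(evaluate(rec, "example.org", ["mail.example.org"], None))   # quarantine
    # but an SPF pass for mail.example.org satisfies aspf=r
    print(evaluate(rec, "example.org", [], "mail.example.org"))       # pass
```

The two calls at the bottom show why the alignment modes matter: with `adkim=s` the sample record refuses a signature from a subdomain, while `aspf=r` accepts the same subdomain for SPF, so the message passes only if the SPF identifier is the one that aligns.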
Validator
Installation
Install the package opendmarc.
Basic configuration
The main configuration file is /etc/opendmarc/opendmarc.conf.
- Copy/move the sample configuration file /etc/opendmarc/opendmarc.conf.sample to /etc/opendmarc/opendmarc.conf and change the following options:

/etc/opendmarc/opendmarc.conf
```
Socket unix:/run/opendmarc/dmarc.sock
UserID opendmarc
```
If you want to run your DMARC validator on a different machine, change the Socket field to inet:9999@10.0.0.4, a sample value that listens on port 9999 for an optional client 10.0.0.4 (the address can be omitted; the daemon then listens on 0.0.0.0).
- Enable and start opendmarc.service. Read Daemons for more information.
Postfix integration
Add the following lines to main.cf:
```
non_smtpd_milters = unix:/run/opendkim/dkim.sock, unix:/run/opendmarc/dmarc.sock
smtpd_milters = unix:/run/opendkim/dkim.sock, unix:/run/opendmarc/dmarc.sock
```
and make sure that the DMARC milter is listed after the DKIM milter, because the DMARC check relies on the DKIM verification result already being attached to the message.
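The milter order is easy to get wrong when main.cf is edited by hand, so here is an added check (not code from the wiki page or from the Postfix or OpenDMARC projects) that parses the two milter parameters from a main.cf-style text, including Postfix's indented continuation lines, and confirms that the DMARC socket comes after the DKIM socket in both lists. Sockets are recognised by the substrings "dkim" and "dmarc" in their names, an assumption that holds for the paths used on this page; the two sample configurations are constructed, the first being the page's own lines and the second a deliberately reversed variant.

```python
import re

# Added example, not from the wiki page or the Postfix/OpenDMARC projects.
MILTER_PARAMS = ("smtpd_milters", "non_smtpd_milters")


def parse_main_cf(text):
    """Parse 'key = value' lines of a main.cf-style text.

    Postfix continues a value on following lines that start with whitespace,
    so those are appended to the previous key.
    """
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and key is not None:      # continuation line
            params[key] += " " + raw.strip()
            continue
        if "=" not in raw:
            continue
        key, value = (x.strip() for x in raw.split("=", 1))
        params[key] = value
    return params


def milter_order(params, param):
    """Return the milter sockets of `param` in their configured order."""
    return [m for m in re.split(r"[,\s]+", params.get(param, "")) if m]


def dmarc_after_dkim(params):
    """True only if both milter lists contain both milters and DMARC follows DKIM.

    Matching on the substrings "dkim"/"dmarc" is an assumption about socket naming.
    """
    for param in MILTER_PARAMS:
        milters = milter_order(params, param)
        dkim = [i for i, m in enumerate(milters) if "dkim" in m]
        dmarc = [i for i, m in enumerate(milters) if "dmarc" in m]
        if not dkim or not dmarc or max(dkim) > min(dmarc):
            return False
    return True


# Constructed samples: the configuration from this page (with one value continued
# on a second line) and a variant where non_smtpd_milters is in the wrong order.
GOOD_MAIN_CF = """\
# milters
non_smtpd_milters = unix:/run/opendkim/dkim.sock, unix:/run/opendmarc/dmarc.sock
smtpd_milters = unix:/run/opendkim/dkim.sock,
    unix:/run/opendmarc/dmarc.sock
"""
BAD_MAIN_CF = """\
non_smtpd_milters = unix:/run/opendmarc/dmarc.sock, unix:/run/opendkim/dkim.sock
smtpd_milters = unix:/run/opendkim/dkim.sock, unix:/run/opendmarc/dmarc.sock
"""

if __name__ == "__main__":
    print(dmarc_after_dkim(parse_main_cf(GOOD_MAIN_CF)))   # True
    print(dmarc_after_dkim(parse_main_cf(BAD_MAIN_CF)))    # False
```

To run it against a live system, read /etc/postfix/main.cf into `text` and pass it to `parse_main_cf`; the parser only handles the simple `key = value` form, not `$variable` references, which is enough for the milter lines shown above.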
Security
The daemon can drop privileges on its own, as configured above with the UserID option. As the daemon does not need root privileges, it can also be started as the right user directly. To accomplish that, use the following systemd unit file. The UserID statement should then be commented out of the config.
/etc/systemd/system/opendmarc.service
```
[Unit]
Description=OpenDMARC daemon
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
User=opendmarc
Group=postfix
ExecStart=/usr/bin/opendmarc -c /etc/opendmarc/opendmarc.conf

[Install]
WantedBy=multi-user.target
```