OpenDMARC
Domain-based Message Authentication, Reporting and Conformance (DMARC) is a policy framework for mail transfer that is already supported by some common mail providers. It builds on SPF and DKIM: a domain owner publishes a policy for outgoing mail as a DNS TXT record, and receiving servers check incoming mail against that policy. The record is explained in #DMARC Record. Validation is done by a daemon; its configuration is explained in #Configuration. For more info see the IETF draft.
Installation
Install the opendmarc package.
Configuration
The main configuration file is /etc/opendmarc/opendmarc.conf. Copy the sample configuration file:
# cp /etc/opendmarc/opendmarc.conf.sample /etc/opendmarc/opendmarc.conf
and change the following options:
/etc/opendmarc/opendmarc.conf
Socket unix:/run/opendmarc/opendmarc.sock
UserID opendmarc
Create the socket directory and set its ownership:
# mkdir /run/opendmarc
# chown opendmarc:mail /run/opendmarc
Postfix integration
Add the following lines to main.cf:
/etc/postfix/main.cf
non_smtpd_milters = unix:/run/opendkim/opendkim.sock, unix:/run/opendmarc/opendmarc.sock
smtpd_milters = unix:/run/opendkim/opendkim.sock, unix:/run/opendmarc/opendmarc.sock
Make sure that the DMARC milter is declared after the DKIM milter, since OpenDMARC needs the DKIM result of a message before it can evaluate the DMARC policy.
DMARC Record
To enable DMARC for your domain, add a new TXT record to the DNS zone of that domain. The record lives at the _dmarc subdomain; an example looks like this:
_dmarc.example.com TXT v=DMARC1; p=quarantine; pct=20; adkim=s; aspf=r; fo=1; rua=mailto:postmaster@example.com; ruf=mailto:forensic@example.com;
DMARC options in detail
Tag name | Purpose | Sample |
---|---|---|
v | Protocol version | v=DMARC1 |
pct | Percentage of messages subjected to filtering | pct=20 |
ruf | Reporting URI for forensic reports | ruf=mailto:forensic@example.com |
rua | Reporting URI of aggregate reports | rua=mailto:postmaster@example.com |
p | Policy for organizational domain | p=quarantine |
sp | Policy for subdomains of the organizational domain | sp=reject |
adkim | Alignment mode for DKIM | adkim=s |
aspf | Alignment mode for SPF | aspf=r |
fo | Forensic report options | fo=1 |
rf | Reporting format, either afrf or iodef | rf=afrf |
ri | Reporting interval of aggregate reports. Often disregarded | ri=86400 |
The alignment modes for DKIM and SPF can be:
- "s" for strict
- "r" for relaxed
where the latter allows a subdomain in the "From" header while the former does not.
The domain policy (p) and subdomain policy (sp) might be one of:
- "none" (for monitor mode)
- "quarantine"
- "reject"
The forensic report options are:
- "0" to generate reports if all underlying authentication mechanisms fail to produce a DMARC pass result
- "1" to generate reports if any mechanisms fail
- "d" to generate reports if the DKIM signature failed to verify
- "s" to generate reports if SPF failed.
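To make the alignment modes, the p/sp policies, the pct sampling and the fo options above concrete, here is an added Python example (it is not code from OpenDMARC or from this page) that parses the sample record from #DMARC Record and evaluates a message's SPF and DKIM results against it. It assumes the record is published at the organizational domain and approximates the organizational domain as the last two DNS labels; the function names and the message identifiers used in main() are constructed for the example.

```python
"""Parse a DMARC TXT record and evaluate one message against it.

Added example for this page; not code from the OpenDMARC project. The record
string is the page's sample; the message identifiers in main() are constructed.
Organizational domains are approximated as the last two labels, which holds for
example.com but not for public suffixes such as co.uk (real validators use the
Public Suffix List).
"""

KNOWN_TAGS = {"v", "p", "sp", "pct", "adkim", "aspf", "fo", "rf", "ri", "rua", "ruf"}
# Messages outside the pct= sample get the next weaker policy applied.
WEAKER = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; ...' into a dict, validate v/p/sp/pct and apply defaults.

    Receivers ignore tags they do not know, so a misspelt tag silently does
    nothing; such tags are collected under "_unknown" so they can be flagged.
    """
    tags, unknown, first = {}, [], None
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        name, value = (s.strip() for s in part.split("=", 1))
        if first is None:
            first = name
        if name not in KNOWN_TAGS:
            unknown.append(name)
            continue
        tags[name] = value
    if first != "v" or tags.get("v") != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in WEAKER:
        raise ValueError("p must be none, quarantine or reject")
    tags.setdefault("sp", tags["p"])  # subdomains inherit p unless sp is given
    if tags["sp"] not in WEAKER:
        raise ValueError("sp must be none, quarantine or reject")
    pct = tags.setdefault("pct", "100")
    if not (pct.isdigit() and 0 <= int(pct) <= 100):
        raise ValueError("pct must be an integer between 0 and 100")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("fo", "0")
    tags["_unknown"] = unknown
    return tags


def organizational_domain(domain: str) -> str:
    """Last two labels of the domain (assumption: no multi-label public suffix)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """adkim/aspf: 's' needs identical domains, 'r' the same organizational domain."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else organizational_domain(a) == organizational_domain(b)


def forensic_report_wanted(tags, spf_pass, spf_ok, dkim_pass, dkim_ok) -> bool:
    """Apply the fo= options; several may be combined with ':' (e.g. fo=1:d)."""
    opts = set(tags["fo"].split(":"))
    return (("0" in opts and not (spf_ok or dkim_ok))
            or ("1" in opts and not (spf_ok and dkim_ok))
            or ("d" in opts and not dkim_pass)
            or ("s" in opts and not spf_pass))


def evaluate(record, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain, sample=0):
    """Return the DMARC result and the disposition a receiver should apply.

    spf_domain is the MAIL FROM domain SPF was checked against, dkim_domain the
    d= of a verified signature. `sample` stands in for the receiver's random draw
    in [0, 100) used to honour pct=; it is a parameter so results are deterministic.
    """
    tags = parse_dmarc(record)
    from_domain = from_domain.lower().rstrip(".")
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags["adkim"])
    dmarc_pass = spf_ok or dkim_ok
    # Assumes the record is published at the organizational domain, as in the
    # page's _dmarc.example.com example: p covers that domain, sp its subdomains.
    is_subdomain = from_domain != organizational_domain(from_domain)
    policy = tags["sp"] if is_subdomain else tags["p"]
    if not dmarc_pass and sample >= int(tags["pct"]):
        policy = WEAKER[policy]
    return {
        "pass": dmarc_pass,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "disposition": "none" if dmarc_pass else policy,
        "forensic_report": forensic_report_wanted(tags, spf_pass, spf_ok, dkim_pass, dkim_ok),
    }


if __name__ == "__main__":
    RECORD = ("v=DMARC1; p=quarantine; pct=20; adkim=s; aspf=r; fo=1; "
              "rua=mailto:postmaster@example.com; ruf=mailto:forensic@example.com;")
    # Constructed: From example.com, SPF via mail.example.com (relaxed OK), DKIM d=example.com.
    print(evaluate(RECORD, "example.com", True, "mail.example.com", True, "example.com"))
    # Constructed: SPF failed, and DKIM d=mail.example.com is not strictly aligned (adkim=s).
    print(evaluate(RECORD, "example.com", False, "mail.example.com", True, "mail.example.com", sample=5))
```

Two things the sample record makes visible when run through this: with adkim=s a signature from mail.example.com no longer counts for a From of example.com, and with pct=20 only a fifth of failing messages are actually quarantined, the rest fall back to none. Both are easy to miss when reading the record alone.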
Security
The daemon can drop privileges on its own (as configured in the #Configuration section with UserID). However, as the daemon does not need root privileges, it can be started as a non-privileged user with systemd.
To accomplish this, add a new user opendmarc to your system:
# useradd -r -s /usr/bin/nologin opendmarc
Then use the following systemd unit file:
/etc/systemd/system/opendmarc.service
[Unit]
Description=OpenDMARC daemon
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
User=opendmarc
Group=postfix
ExecStart=/usr/bin/opendmarc -c /etc/opendmarc/opendmarc.conf
RuntimeDirectory=opendmarc
RuntimeDirectoryMode=0750

[Install]
WantedBy=multi-user.target
Additionally, comment out the "UserID" option and activate/change "UMask 002" in your opendmarc config file so that the daemon, now running as the systemd user, can create the socket and write to it:
/etc/opendmarc/opendmarc.conf
...
UMask 002
# UserID opendmarc
...
then restart opendmarc.service.