Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email authentication protocol. It is designed to give email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing. The purpose and primary outcome of implementing DMARC is to protect a domain from being used in business email compromise attacks, phishing email, email scams and other cyber threat activities.
Once the DMARC DNS entry is published, any receiving email server can authenticate the incoming email based on the instructions published by the domain owner within the DNS entry. If the email passes the authentication, it will be delivered and can be trusted. If the email fails the check, depending on the instructions held within the DMARC record the email could be delivered, quarantined or rejected.
DMARC extends two existing email authentication mechanisms, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). It allows the administrative owner of a domain to publish a policy in their DNS records to specify how to check the From: field presented to end users; how the receiver should deal with failures - and provides a reporting mechanism for actions performed under those policies.
# dnf install opendmarc
# vi /etc/opendmarc.conf AuthservID OpenDMARC TrustedAuthservIDs mail.yourdomain.com IgnoreAuthenticatedClients true # RejectFailures false RejectFailures true RequiredHeaders true #Socket local:/run/opendmarc/opendmarc.sock Socket inet:8893@127.0.0.1 SPFIgnoreResults true SPFSelfValidate true
By default, OpenDMARC won't reject emails that fail DMARC check, even if the domain's policy is set to p=reject. If you prefer to reject emails that fail DMARC check when the domain's policy is set to p=reject, then uncomment the line RejectFailures and change false to true.
# systemctl start opendmarc # systemctl enable opendmarc
A basic DMARC record looks like this:
v=DMARC1; p=none; adkim=r; aspf=r
| Tag | Description |
|---|---|
| v | Specifies the DMARC version. This should always be DMARC1. |
| p | What to do with emails that fail both SPF and DKIM verification. There are 3 possible values that can go here:
|
| aspf | Alignment policy for the SPF record. This sets whether your subdomains can use the same SPF policy as your main domain.
|
| adkim | Alignment policy for the DKIM record. This sets whether subdomains can use the same DKIM policy as your main domain.
|
| rua | Reporting URI of aggregate reports: rua=mailto:aggrep@example.com |
| ruf | Reporting URI for forensic reports: ruf=mailto:authfail@example.com |
The example record we gave earlier is a relaxed DMARC - it tells mail servers to do nothing if emails fail both SPF and DKIM verifications. At the very least, you will want to increase p to quarantine (label emails that fail verification as spam), though you can also outright reject these emails:
v=DMARC1; p=reject; adkim=r; aspf=r
If you want to be notified of emails that fail verification on your domain, you can add a valid email address under the rua tag.
v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:yourname@yourdomain.com ruf=mailto:yourname@yourdomain.com
This will cause other mail servers to notify you when they receive emails that are spoofing as your domain.
After you add the record to your public DNS you need to do the same on your local DNS.
After you added _dmarc to you public DNS you can test if it works. Go to DMARC Check.
Now you just need to add the OpenDMARC socket so that Postfix can talk to OpenDMARC. (Make sure it's after the OpenDKIM socket.) OpenDMARC listens on 127.0.0.1:8893.
# cd /etc/postfix # vi main.cf # Milter configuration milter_default_action = accept milter_protocol = 6 smtpd_milters = inet:127.0.0.1:8891, inet:127.0.0.1:8893 non_smtpd_milters = $smtpd_milters # systemctl restart postfix