Rob's web

DMARC

Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email authentication protocol. It is designed to give email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing. The purpose and primary outcome of implementing DMARC is to protect a domain from being used in business email compromise attacks, phishing email, email scams and other cyber threat activities.

Once the DMARC DNS entry is published, any receiving email server can authenticate the incoming email based on the instructions published by the domain owner within the DNS entry. If the email passes the authentication, it will be delivered and can be trusted. If the email fails the check, depending on the instructions held within the DMARC record the email could be delivered, quarantined or rejected.

DMARC extends two existing email authentication mechanisms, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). It allows the administrative owner of a domain to publish a policy in their DNS records that specifies how to check the From: field presented to end users and how the receiver should deal with failures, and it provides a reporting mechanism for actions performed under those policies.

Installation

# dnf install opendmarc

Configuration

# vi /etc/opendmarc.conf
AuthservID OpenDMARC
TrustedAuthservIDs mail.yourdomain.com
IgnoreAuthenticatedClients true
# RejectFailures false
RejectFailures true
RequiredHeaders true
#Socket local:/run/opendmarc/opendmarc.sock
Socket inet:8893@127.0.0.1
SPFIgnoreResults true
SPFSelfValidate true

By default, OpenDMARC won't reject emails that fail the DMARC check, even if the domain's policy is set to p=reject. If you prefer to reject emails that fail the DMARC check when the domain's policy is set to p=reject, uncomment the RejectFailures line and change false to true.

Starting

# systemctl start opendmarc
# systemctl enable opendmarc

Configuration in your public DNS servers

A basic DMARC record looks like this:

v=DMARC1; p=none; adkim=r; aspf=r
Tag    Description
v      Specifies the DMARC version. This should always be DMARC1.
p      What to do with emails that fail both SPF and DKIM verification. There are 3 possible values:
  • none: Do nothing.
  • quarantine: Flag as spam and deliver it to the recipient's spam folder.
  • reject: Reject the email entirely.
aspf   Alignment policy for the SPF record. This sets whether your subdomains can use the same SPF policy as your main domain.
  • s: Strict alignment; the sender's domain name must match the d= value from its domain header.
  • r: Relaxed alignment; allows subdomain matches of the d= value from its domain header.
adkim  Alignment policy for the DKIM record. This sets whether subdomains can use the same DKIM policy as your main domain.
  • s: Strict alignment; the sender's domain name must match the d= value from its domain header.
  • r: Relaxed alignment; allows subdomain matches of the d= value from its domain header.
rua    Reporting URI for aggregate reports: rua=mailto:aggrep@example.com
ruf    Reporting URI for forensic reports: ruf=mailto:authfail@example.com

The example record we gave earlier is a relaxed DMARC record: it tells mail servers to do nothing if emails fail both SPF and DKIM verification. At the very least, you will want to raise p to quarantine (label emails that fail verification as spam), though you can also outright reject these emails:

v=DMARC1; p=reject; adkim=r; aspf=r

If you want to be notified of emails that fail verification on your domain, add a valid email address under the rua tag (aggregate reports) and, optionally, the ruf tag (forensic reports). Tags are separated by semicolons:

v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:yourname@yourdomain.com; ruf=mailto:yourname@yourdomain.com

This will cause other mail servers to notify you when they receive emails that spoof your domain.
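As an added example (not part of this page or of OpenDMARC), the following Python checks a DMARC TXT record against the tag rules in the table above, catching the kind of mistake a missing semicolon between rua and ruf produces, and then applies the aspf/adkim alignment modes to decide a message's disposition. The public-suffix set and the domains used are constructed stand-ins; real code would load the full public suffix list.

```python
import re

# Constructed stand-in for the public suffix list; real code would load the
# full PSL from publicsuffix.org instead of this tiny set.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

def org_domain(domain):
    """Organizational domain: the label directly above the public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])

def aligned(header_domain, auth_domain, mode):
    """aspf/adkim: 's' needs an exact match, 'r' the same organizational domain."""
    h, a = header_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return h == a if mode == "s" else org_domain(h) == org_domain(a)

def parse_dmarc(record):
    """Split a DMARC TXT record into tags; return (tags, list_of_errors)."""
    tags, errors = {}, []
    for part in filter(None, (p.strip() for p in record.split(";"))):
        key, _, value = (s.strip() for s in part.partition("="))
        if not value or key in tags:
            errors.append(f"malformed or duplicate tag: {part!r}")
        tags[key] = value
    if next(iter(tags), None) != "v" or tags.get("v") != "DMARC1":
        errors.append("record must start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        errors.append("p must be none, quarantine or reject")
    for key in ("adkim", "aspf"):
        if tags.get(key, "r") not in ("r", "s"):
            errors.append(f"{key} must be r or s")
    for key in ("rua", "ruf"):  # every URI must be a lone mailto: (no stray text)
        for uri in (tags[key].split(",") if key in tags else []):
            if not re.fullmatch(r"mailto:[^@\s,]+@[^@\s,]+", uri.strip()):
                errors.append(f"{key} URI is malformed: {uri.strip()!r}")
    return tags, errors

def disposition(record, header_from, spf_domain=None, dkim_domain=None):
    """Policy outcome for a message whose From: domain is header_from and
    whose SPF / DKIM passed for the given domains (None = did not pass)."""
    tags, errors = parse_dmarc(record)
    if errors:
        raise ValueError("; ".join(errors))
    spf_ok = spf_domain is not None and aligned(header_from, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_domain is not None and aligned(header_from, dkim_domain, tags.get("adkim", "r"))
    return "pass" if spf_ok or dkim_ok else tags["p"]
```

A message passes DMARC when at least one of SPF or DKIM passes for a domain aligned with the From: domain; otherwise the p policy applies.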

Configuration in your local DNS server

After you add the record to your public DNS, add the same record to your local DNS as well.

Testing DMARC

After you have added the _dmarc record to your public DNS you can test whether it works. Go to DMARC Check.

Linking OpenDMARC to Postfix

Now you just need to add the OpenDMARC socket so that Postfix can talk to OpenDMARC. Make sure it comes after the OpenDKIM socket (inet:127.0.0.1:8891 in the example below), so that DKIM results are available when OpenDMARC evaluates the message. OpenDMARC listens on 127.0.0.1:8893.

# cd /etc/postfix
# vi main.cf

# Milter configuration
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:127.0.0.1:8891, inet:127.0.0.1:8893
non_smtpd_milters = $smtpd_milters

# systemctl restart postfix

Links