Qpsmtpd:dmarc

From SME Server
Revision as of 13:24, 30 July 2017 by Mmccarn (talk | contribs) (Created page with "<span id="_top">Qpsmtpd#Plugins</span> = NAME = Domain-based Message Authentication, Reporting and Conformance = SYNOPSIS = DMARC is a reliable ...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Qpsmtpd#Plugins

NAME

Domain-based Message Authentication, Reporting and Conformance

SYNOPSIS

DMARC is a reliable means to authenticate email.

DESCRIPTION

From the DMARC Draft: "DMARC operates as a policy layer atop DKIM and SPF. These technologies are the building blocks of DMARC as each is widely deployed, supported by mature tools, and is readily available to both senders and receivers. They are complementary, as each is resilient to many of the failure modes of the other."

DMARC provides a way to exchange authentication information and policies among mail servers.

DMARC benefits domain owners by preventing others from impersonating them. A domain owner can reliably tell other mail servers that "it it doesn't originate from this list of servers (SPF) and it is not signed (DKIM), then [ignore|quarantine|reject] it." DMARC also provides domain owners with a means to receive feedback and determine that their policies are working as desired.

DMARC benefits mail server operators by providing them with a more reliable (than SPF or DKIM alone) means to block forged emails. Is that message really from PayPal, Chase, Gmail, or Facebook? Since those organizations publish DMARC policies, operators have a definitive means to know.

HOWTO

Protect a domain with DMARC

See Section 10 of the draft: Domain Owner Actions

 1. Deploy DKIM & SPF
 2. Ensure identifier alignment.
 3. Publish a "monitor" record, ask for data reports
 4. Roll policies from monitor to reject

Publish a DMARC policy

_dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc-feedback@example.com;%22

 v=DMARC1;    (version)
 p=none;      (disposition policy : reject, quarantine, none (monitor))
 sp=reject;   (subdomain policy: default, same as p)
 adkim=s;     (dkim alignment: s=strict, r=relaxed)
 aspf=r;      (spf  alignment: s=strict, r=relaxed)
 rua=mailto: dmarc-feedback@example.com; (aggregate reports)
 ruf=mailto: dmarc-feedback@example.com; (forensic reports)
 rf=afrf;     (report format: afrf, iodef)
 ri=8400;     (report interval)
 pct=50;      (percent of messages to filter)

Validate messages with DMARC

1. install Mail::DMARC

2. install this plugin

3. activate this plugin. (add to config/plugins, listing it after SPF & DKIM. Check that SPF and DKIM are configured to not reject mail.

CONFIGURATION =head2 reporting [ 0 | 1 ]

Default: 1

0: do not save and publish aggregate reports

1: publish reports (requires proper Mail::DMARC configuration)

MORE INFORMATION

http://www.dmarc.org/draft-dmarc-base-00-02.txt

https://github.com/smtpd/qpsmtpd/wiki/DMARC-FAQ

TODO

 reject messages with multiple From: headers

AUTHORS

 2013 - Matt Simerson <msimerson@cpan.org>