User:Paul/sandbox/Install DMARC


WARNING: This article is in a user sandbox, indicating it is a rough draft, and as such, is likely incomplete, contains buggy and insecure configurations, and is subject to substantial and frequent changes.

Most of the commands in this article require root privileges:

username@servername:~$ sudo -i

Install and configure OpenDMARC

root@servername:~# aptitude install opendmarc
root@servername:~# mkdir /var/spool/postfix/opendmarc/
root@servername:~# chown opendmarc:opendmarc /var/spool/postfix/opendmarc
root@servername:~# chmod 750 /var/spool/postfix/opendmarc
root@servername:~# nano /etc/opendmarc.conf

Below # Socket inet:8893@localhost, add:

Socket unix:/var/spool/postfix/opendmarc/opendmarc.sock

Uncomment and change:

UserID opendmarc:opendmarc

Add user postfix to group opendmarc:

root@servername:~# adduser postfix opendmarc

DMARC DNS records

Understanding DMARC

Before setting the DMARC records, it is good to understand the various functions. OpenDMARC (or any DMARC server tool) looks at the SPF and DKIM test results, checks the DMARC record for the domain (everything after the @ symbol in the email address) in what is referred to as the Header From field (the address that most MUAs display as the one that originated the email), and then takes a course of action based on that record and the settings in OpenDMARC.

Setting DMARC DNS record

The DMARC DNS record is what tells receiving mail servers what to do with messages that fail the DMARC test.

The KTS DMARC Assistant is a great tool for creating a new record. The first setting, 'Domain', is self-explanatory. The 'Requested policy type' is what receiving servers should do if an email fails the DMARC test; choosing 'reject' tells other servers not to accept the email at all. The 'Aggregate Data Reporting Address' is an email address to which receiving mail servers will send reports of all emails that failed the test during the reporting interval. Note that if the reporting address domain is different from the 'Domain', it will be necessary to add a DMARC record in the reporting domain that authorizes reports for that address (this record will also be generated by the tool). The 'Forensic Data Reporting Address' is used to receive an email with detailed information on every failure a receiving server experiences. It is not advised to use this option, as it leaves the server vulnerable to a DDoS attack or, at the very least, a lot of emails if spammers and the like are masquerading as the domain.

The reporting email address can be set to forward to another mailbox in Postfix Admin.

A major issue with setting p=reject is the impact this setting has on mailing list servers: it will prevent emails sent to the list from being received by list members who use servers that fully support the DMARC standard, which is to say nearly all of the major players in email. Most mailing list admins should have dealt with this by now, since Yahoo! set p=reject for their DMARC record in April of 2014.
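As an added example (not from this page or the OpenDMARC project), a small Python checker that parses a DMARC TXT record and reports the points discussed above: a policy weaker than reject, an rua= or ruf= address in another domain whose authorization record is missing, and the presence of a forensic (ruf=) address. The sample record, the example.com/example.net domains and the authorization-record dict are constructed for the demonstration.

```python
import re

# Constructed sample: a DMARC record for example.com whose aggregate reports go
# to example.net, plus the authorization record example.net must publish
# (<sender-domain>._report._dmarc.<report-domain> TXT "v=DMARC1").
SAMPLE_DMARC = ("v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.net; "
                "ruf=mailto:forensics@example.com; pct=100")
SAMPLE_AUTH = {"example.com._report._dmarc.example.net": "v=DMARC1"}


def parse_dmarc(txt):
    """Split a DMARC TXT record into a tag/value dict; v=DMARC1 must come first."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if list(tags)[:1] != ["v"] or tags["v"].upper() != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p= must be none, quarantine or reject")
    return tags


def report_domains(tags, tag):
    """Domains of the mailto: URIs listed in rua= or ruf= (size limits after '!' dropped)."""
    uris = [u.strip() for u in tags.get(tag, "").split(",") if u.strip()]
    return [re.sub(r"^mailto:", "", u).split("!")[0].rsplit("@", 1)[-1].lower()
            for u in uris]


def check_record(domain, txt, auth_records):
    """Return findings about a domain's DMARC record; auth_records maps DNS name -> TXT."""
    tags = parse_dmarc(txt)
    findings = []
    if tags["p"] != "reject":
        findings.append("p=%s: receivers will not reject mail that fails DMARC" % tags["p"])
    for tag in ("rua", "ruf"):
        for rdomain in report_domains(tags, tag):
            # Exact-domain comparison for simplicity; real receivers compare organizational domains.
            if rdomain != domain:
                name = "%s._report._dmarc.%s" % (domain, rdomain)
                if auth_records.get(name, "").upper() != "V=DMARC1":
                    findings.append("%s= points off-domain but %s is not published" % (tag, name))
    if "ruf" in tags:
        findings.append("ruf= set: expect one failure report per failing message")
    return findings
```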

Next step

Install SpamAssassin

External links

KTS DMARC Assistant