Difference between revisions of "DMARC"
Latest revision as of 20:27, 21 December 2022
DMARC: Domain-based Message Authentication, Reporting and Conformance
About
Configuring DMARC for a domain requires only a DNS TXT record for that domain, containing machine-readable instructions that let any receiving server decide what to do with messages claiming to come from it. The receiver takes the domain from the message's RFC5322 `From:` header (the address the user sees, not the SMTP envelope sender that SPF checks on its own) and looks up that domain's DMARC record. If one is found, the message passes DMARC only if SPF or DKIM passes *and* the domain that passed aligns with the `From:` domain; otherwise the receiver applies the policy the record requests (`p=none`, `quarantine` or `reject`), subject to the `pct` sampling rate and its own local policy. A record with `p=none` therefore asks only for reports and blocks nothing.
The DMARC record for a given domain is published at the `_dmarc` subdomain (`_dmarc.<domain>`; DNS names are case-insensitive, so `_DMARC` works equally well). If no record exists at the `From:` domain, the receiver falls back to the organizational domain (e.g. `_dmarc.example.com` for mail from `news.example.com`), where the `sp` tag governs subdomains. The record format is specified in section 6.3 ("General Record Format") of RFC 7489.
Tags
tag | req? | values | description
---|---|---|---
adkim | n | `r`: relaxed (default), `s`: strict | how closely the DKIM `d=` domain must match the `From:` domain ("alignment"): strict requires an exact match, relaxed only the same organizational domain
aspf | n | `r`: relaxed (default), `s`: strict | how closely the SPF-authenticated domain (the SMTP MAIL FROM domain) must match the `From:` domain ("alignment")
fo | n | colon-separated list of: `0`: report DMARC failure if **all** underlying auths fail to align (default); `1`: report if **any** underlying auth fails to align; `d`: report DKIM signature failures; `s`: report SPF failures | failure [reporting] options; only meaningful when `ruf` is set
p | YES | `none`, `quarantine`, `reject` | Requested Mail Receiver policy for messages that fail DMARC
pct | n | `0` to `100`, default = `100` | % of the domain's failing messages to which the policy is applied (used for gradual rollout)
rf | n | <list of one or more [report formats](https://datatracker.ietf.org/doc/html/rfc7489#section-11.5)>; default `afrf` | format to be used for message-specific failure reports
ri | n | <number of seconds> | maximum interval between aggregate reports; default is 86400 (one day)
rua | n | <one or more DMARC URIs (`mailto:` addresses), comma-separated> | addresses to which aggregate reports are to be sent
ruf | n | <one or more DMARC URIs (`mailto:` addresses), comma-separated> | addresses to which message-specific failure information is to be sent
sp | n | (same values as `p`; optional) | Requested Mail Receiver policy for all subdomains; defaults to the value of `p`
v | YES | `DMARC1` | Version; identifies the record retrieved as a valid DMARC record. Must be the first tag.
documentation in progress
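The lookup-and-alignment logic described under About and the record syntax tabulated above, as an added example (not code from this page or from any DMARC library). It assumes the receiver has already run SPF and DKIM and passes in their results; the organizational domain is approximated as the last two labels, where a real implementation would use the Public Suffix List. It also handles two edge cases the table only hints at: a record with a broken `p=` but a usable `rua=` (treated as `p=none`), and a failing message that `pct=` sampling excludes from enforcement.

```python
"""Parse a DMARC TXT record and evaluate a message against it.

Added example, not code from the wiki page or from any DMARC library: a
minimal receiver-side implementation of the RFC 7489 record syntax (section
6.3) and the alignment and policy-selection rules (sections 3.1, 6.6.3 and
6.6.4).  Assumption: the organizational domain is approximated as the last
two DNS labels; a real receiver consults the Public Suffix List instead.
"""

POLICIES = ("none", "quarantine", "reject")          # weakest to strongest
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "fo": "0",
            "rf": "afrf", "ri": "86400"}


def parse_dmarc(txt):
    """Return a validated tag dict for one DMARC TXT record, or raise ValueError."""
    tags, order = {}, []
    for field in txt.split(";"):
        field = field.strip()
        if not field:                                # a trailing ';' is legal
            continue
        if "=" not in field:
            raise ValueError("malformed tag: %r" % field)
        name, value = (s.strip() for s in field.split("=", 1))
        if name in tags:
            raise ValueError("duplicate tag: %s" % name)
        tags[name] = value
        order.append(name)
    # v=DMARC1 must be present, exact and first; anything else is not a DMARC record.
    if not order or order[0] != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    rec = dict(DEFAULTS)
    rec.update(tags)
    for uri_tag in ("rua", "ruf"):                   # comma-separated DMARC URIs
        rec[uri_tag] = [u.strip() for u in tags.get(uri_tag, "").split(",") if u.strip()]
    p_ok = rec.get("p") in POLICIES
    sp_ok = "sp" not in rec or rec["sp"] in POLICIES
    if not (p_ok and sp_ok):
        # RFC 7489 s.6.6.3 step 6: an unusable p=/sp= is treated as p=none when a
        # rua= is present, so the owner still gets reports; otherwise ignore the record.
        if not rec["rua"]:
            raise ValueError("no valid p= tag and no rua= to fall back on")
        rec["p"], rec["sp"] = "none", "none"
    rec.setdefault("sp", rec["p"])                   # sp= defaults to p=
    for tag in ("adkim", "aspf"):
        if rec[tag] not in ("r", "s"):
            raise ValueError("%s= must be r (relaxed) or s (strict)" % tag)
    try:
        rec["pct"], rec["ri"] = int(rec["pct"]), int(rec["ri"])
    except ValueError:
        raise ValueError("pct= and ri= must be integers")
    if not 0 <= rec["pct"] <= 100:
        raise ValueError("pct= must be between 0 and 100")
    return rec


def org_domain(name):
    """Organizational domain, approximated as the last two labels (see module docstring)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """RFC 7489 s.3.1: strict alignment needs an exact match, relaxed the same org domain."""
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return f == a if mode == "s" else org_domain(f) == org_domain(a)


def evaluate(rec, from_domain, record_domain, spf=None, dkim=(), sampled=True):
    """DMARC verdict for one message: returns (passed, disposition).

    from_domain   -- domain of the RFC5322 From: header
    record_domain -- domain at which the _dmarc record was found (From: domain or its org domain)
    spf           -- (result, domain) from the SPF check of the SMTP MAIL FROM, or None
    dkim          -- iterable of (result, d= domain), one per DKIM signature
    sampled       -- whether pct= selected this message for enforcement
    """
    spf_pass = spf is not None and spf[0] == "pass" and aligned(from_domain, spf[1], rec["aspf"])
    dkim_pass = any(r == "pass" and aligned(from_domain, d, rec["adkim"]) for r, d in dkim)
    if spf_pass or dkim_pass:                        # one aligned pass is enough
        return True, "none"
    # A subdomain message that only matched the org-domain record falls under sp=.
    policy = rec["p"] if from_domain.lower() == record_domain.lower() else rec["sp"]
    if not sampled and policy != "none":
        # RFC 7489 s.6.6.4: a failing message excluded by pct= gets the next weaker policy.
        policy = POLICIES[POLICIES.index(policy) - 1]
    return False, policy


if __name__ == "__main__":
    # Constructed record and authentication results, not taken from any real domain.
    record = parse_dmarc("v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com; pct=100")
    print(evaluate(record, "example.com", "example.com", spf=("pass", "bounce.example.com")))
    print(evaluate(record, "news.example.com", "example.com", dkim=[("pass", "esp.example.net")]))
```

The second call in the demo is the typical third-party-sender failure: the ESP's DKIM signature is valid but its `d=` domain does not align with the `From:` domain, so the message fails DMARC and, being from a subdomain matched only via the organizational record, gets the `sp=` policy rather than `p=`.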
In Practice
Some large email services (such as Gmail) reject, or deliver to spam, messages whose DMARC, SPF and DKIM setup they consider inadequate. When this page was written (December 2022) the exact requirements were not clearly documented and had to be found by experiment; Google has since published sender guidelines that spell out what it expects: SPF and DKIM authentication, a `From:` domain aligned with at least one of them, and, for bulk senders, a published DMARC record (`p=none` is sufficient). The first things to check when mail is rejected are whether the `From:` domain has a DMARC record at all and whether the sending path produces an aligned SPF or DKIM pass for it.
Notes
For some reason, [DigitalOcean](https://docs.digitalocean.com/products/networking/dns/how-to/manage-records/) apparently does not support wildcards in TXT DNS records, so you can't publish a wildcard (`*.example.com`) DMARC record there. In practice this matters less than it looks: a receiver that finds no record at `_dmarc.news.example.com` falls back to the organizational domain's record at `_dmarc.example.com`, whose `sp` tag sets the policy for all subdomains, so explicit per-subdomain records are only needed for subdomains that should get a different policy from the parent.
Links
Reference
- [DMARC on Wikipedia](https://en.wikipedia.org/wiki/DMARC)
- [RFC 7489](https://datatracker.ietf.org/doc/html/rfc7489)
- [MxToolBox Problem Knowledge Base](https://mxtoolbox.com/problem/dmarc)
Posts
- 2014-04-07 [Yahoo breaks every mailing list in the world including the IETF's](https://mailarchive.ietf.org/arch/msg/ietf/J-IsfA0Lb-6T_NeMD1ENKZyb9tA/): a problem with how DMARC is designed. Yahoo published `p=reject`; mailing lists re-send subscribers' messages from the list's own servers (so SPF no longer aligns with the `From:` domain) and usually modify the subject or body (breaking the original DKIM signature), so receivers honouring the policy rejected every Yahoo user's list mail.