Difference between revisions of "DMARC"

from HTYP, the free directory anyone can edit if they can prove to me that they're not a spambot
Jump to navigation Jump to search
Line 9: Line 9:
 
</hide>
 
</hide>
 
{{fmt/title|Domain-based Message Authentication, Reporting and Conformance (DMARC)}}
 
{{fmt/title|Domain-based Message Authentication, Reporting and Conformance (DMARC)}}
 +
==About==
 +
Configuring [[DMARC]] for any given domain requires only a DNS entry for that domain, containing machine-readable instructions for any message recipient to automatically authenticate an incoming message. The server receiving any message can check the "from" domain's DNS for a DMARC record. If one is found, the message will be accepted only if it passes the requirements.
 +
 +
The DMARC DNS entry for a given domain uses a "_DMARC" subdomain (<code>_DMARC.{{arg|domain}}</code>). The explanation of the DNS record contents seems to begin in [https://datatracker.ietf.org/doc/html/rfc7489#section-6.3 section 6.3] of RFC-7489.
 +
===Tags===
 +
* '''adkim''': s (strict) or r (relaxed) -- how closely to check DKIM configuration ("alignment")
 +
* '''aspf''':  s (strict) or r (relaxed) -- how closely to check SPF configuration ("alignment")
 +
 +
''documentation in progress''
 +
==In Practice==
 +
It appears that some large email services (such as GMail) may reject messages if DMARC is not configured in a way they deem suitable; as far as I know, this is not officially documented anywhere (security by obscurity), and proper configuration can only be determined by experimentation.
 
==Notes==
 
==Notes==
 
* [https://mxtoolbox.com/problem/dmarc/dmarc-external-validation DMARC External Validation]
 
* [https://mxtoolbox.com/problem/dmarc/dmarc-external-validation DMARC External Validation]

Revision as of 13:25, 14 August 2022

Domain-based Message Authentication, Reporting and Conformance (DMARC)

About

Configuring DMARC for any given domain requires only a DNS entry for that domain, containing machine-readable instructions for any message recipient to automatically authenticate an incoming message. The server receiving any message can check the "from" domain's DNS for a DMARC record. If one is found, the message will be accepted only if it passes the requirements.

The DMARC DNS entry for a given domain uses a "_DMARC" subdomain (_DMARC.<domain>). The explanation of the DNS record contents seems to begin in section 6.3 of RFC-7489.

Tags

  • adkim: s (strict) or r (relaxed) -- how closely to check DKIM configuration ("alignment")
  • aspf: s (strict) or r (relaxed) -- how closely to check SPF configuration ("alignment")

documentation in progress

In Practice

It appears that some large email services (such as GMail) may reject messages if DMARC is not configured in a way they deem suitable; as far as I know, this is not officially documented anywhere (security by obscurity), and proper configuration can only be determined by experimentation.

Notes

For some reason, DigitalOcean apparently does not support wildcards in TXT DNS records, so you can't set up a wildcard DMARC recipient.

Links