Difference between revisions of "DMARC"
| Line 47: | Line 47: | ||
| <code>none</code> || no specific action | | <code>none</code> || no specific action | ||
|- | |- | ||
| − | | <code>quarantine</code> || treat all failed messages as suspicious | + | | <code>quarantine</code> || treat all failed messages as suspicious<br>receiver can decide how to handle |
|- | |- | ||
| − | | <code>reject</code> || reject all failed messages | + | | <code>reject</code> || reject all failed messages<br>preferably during the SMTP transaction<br>see [https://datatracker.ietf.org/doc/html/rfc7489#section-10.3 Section 10.3] |
|} | |} | ||
| Line 56: | Line 56: | ||
| '''pct''' | | '''pct''' | ||
| <code>0</code> to <code>100</code>, default = <code>100</code> | | <code>0</code> to <code>100</code>, default = <code>100</code> | ||
| − | | % of domain's messages subject to policy | + | | % of domain's messages subject to policy |
| + | * except reports, which are always 100% | ||
| + | * see [https://datatracker.ietf.org/doc/html/rfc7489#section-6.6.4 Section 6.6.4] | ||
| + | |- | ||
| + | | '''rf''' | ||
| + | | {{arg|list of one or more [https://datatracker.ietf.org/doc/html/rfc7489#section-11.5 report formats]}} | ||
| + | | Format to be used for message-specific failure reports | ||
| + | * colon-separated | ||
| + | * default is "<code>afrf</code>" | ||
| + | |- | ||
| + | | '''ri''' | ||
| + | | {{arg|number of seconds}} | ||
| + | | maximum interval between aggregate reports; default is 86400 | ||
| + | |- | ||
| + | | '''rua''' | ||
| + | | {{arg|one or more email addresses}} | ||
| + | | addresses (DMARC URIs) to which aggregate reports are to be sent | ||
| + | * comma-separated list | ||
| + | * the [https://datatracker.ietf.org/doc/html/rfc7489#section-6.4 definition] of [[/URI|DMARC URI]] is very obtuse, but "mailto:{{arg|email address}}" seems to work" | ||
|} | |} | ||
''documentation in progress'' | ''documentation in progress'' | ||
Revision as of 14:34, 15 August 2022
|
Domain-based Message Authentication, Reporting and Conformance (DMARC)
|
About
Configuring DMARC for any given domain requires only a DNS entry for that domain, containing machine-readable instructions for any message recipient to automatically authenticate an incoming message. The server receiving any message can check the "from" domain's DNS for a DMARC record. If one is found, the message will be accepted only if it passes the requirements.
The DMARC DNS entry for a given domain uses a "_DMARC" subdomain (_DMARC.<domain>). The explanation of the DNS record contents seems to begin in section 6.3 of RFC-7489.
Tags
| tag | values | description | ||||||
|---|---|---|---|---|---|---|---|---|
| adkim |
|
how closely to check DKIM configuration ("alignment") | ||||||
| aspf |
|
how closely to check SPF configuration ("alignment") | ||||||
| fo | failure [reporting] options | |||||||
| p |
|
Requested Mail Receiver policy | ||||||
| pct | 0 to 100, default = 100
|
% of domain's messages subject to policy
| ||||||
| rf | <list of one or more report formats> | Format to be used for message-specific failure reports
| ||||||
| ri | <number of seconds> | maximum interval between aggregate reports; default is 86400 | ||||||
| rua | <one or more email addresses> | addresses (DMARC URIs) to which aggregate reports are to be sent
|
documentation in progress
In Practice
It appears that some large email services (such as GMail) may reject messages if DMARC is not configured in a way they deem suitable; as far as I know, this is not officially documented anywhere (security by obscurity), and proper configuration can only be determined by experimentation.
Notes
For some reason, DigitalOcean apparently does not support wildcards in TXT DNS records, so you can't set up a wildcard DMARC recipient.