Difference between revisions of "DMARC"

from HTYP, the free directory anyone can edit if they can prove to me that they're not a spambot
(Created page with "==Notes== * [https://mxtoolbox.com/problem/dmarc/dmarc-external-validation DMARC External Validation] For some reason, DigitalOcean does not support wildcards in TXT DNS...")
 
m
 
(12 intermediate revisions by the same user not shown)
Line 1: Line 1:
 +
<hide>
 +
[[page type::article]]
 +
[[thing type::protocol]]
 +
[[purpose::anti-spam]]
 +
[[applies to::email]]
 +
[[category:acronym]]
 +
[[category:anti-spam]]
 +
[[category:SMTP]]
 +
[[category:email/server/configuration]]
 +
</hide>
 +
{{fmt/title|DMARC: Domain-based Message Authentication, Reporting and Conformance}}
 +
==About==
 +
Configuring [[DMARC]] for any given domain requires only a DNS entry for that domain, containing machine-readable instructions for any message recipient to automatically authenticate an incoming message. The server receiving any message can check the "from" domain's DNS for a DMARC record. If one is found, the message will be accepted only if it passes the requirements.
 +
 +
The DMARC DNS entry for a given domain uses a "_DMARC" subdomain (<code>_DMARC.{{arg|domain}}</code>). The explanation of the DNS record contents seems to begin in [https://datatracker.ietf.org/doc/html/rfc7489#section-6.3 section 6.3] of RFC-7489.
 +
===Tags===
 +
{| class="wikitable"
 +
! tag !! req? !! values !! description
 +
|-
 +
| '''adkim'''
 +
| n
 +
|<poem>
 +
<code>s</code>: strict
 +
<code>r</code>: relaxed
 +
</poem>
 +
| how closely to check DKIM configuration ("alignment")
 +
|-
 +
| '''aspf'''
 +
| n
 +
|<poem>
 +
<code>s</code>: strict
 +
<code>r</code>: relaxed
 +
</poem>
 +
| how closely to check SPF configuration ("alignment")
 +
|-
 +
| '''fo'''
 +
| n
 +
|<poem>
 +
<code>0</code>: report DMARC failure if '''all''' underlying auths don't align
 +
<code>1</code>: report DMARC failure if '''any''' underlying auths don't align
 +
<code>d</code>: report DKIM failure if DKIM signature fails, regardless of alignment (see [https://datatracker.ietf.org/doc/html/rfc7489#ref-AFRF-DKIM AFRF-DKIM])
 +
<code>s</code>: report SPF failure if SPF evaluation fails, regardless of alignment (see [https://datatracker.ietf.org/doc/html/rfc7489#ref-AFRF-SPF AFRF-SPF])
 +
</poem>
 +
| failure [reporting] options
 +
|-
 +
| '''p'''
 +
| YES
 +
|
 +
 +
{| class="wikitable"
 +
|-
 +
| <code>none</code> || no specific action
 +
|-
 +
| <code>quarantine</code> || treat all failed messages as suspicious<br>receiver can decide how to handle
 +
|-
 +
| <code>reject</code> || reject all failed messages<br>preferably during the SMTP transaction<br>see [https://datatracker.ietf.org/doc/html/rfc7489#section-10.3 Section 10.3]
 +
|}
 +
 +
| Requested Mail Receiver policy
 +
|-
 +
| '''pct'''
 +
| n
 +
| <code>0</code> to <code>100</code>, default = <code>100</code>
 +
| % of domain's messages subject to policy
 +
* except reports, which are always 100%
 +
* see [https://datatracker.ietf.org/doc/html/rfc7489#section-6.6.4 Section 6.6.4]
 +
|-
 +
| '''rf'''
 +
| n
 +
| {{arg|list of one or more [https://datatracker.ietf.org/doc/html/rfc7489#section-11.5 report formats]}}
 +
| Format to be used for message-specific failure reports
 +
* colon-separated
 +
* default is "<code>afrf</code>"
 +
|-
 +
| '''ri'''
 +
| n
 +
| {{arg|number of seconds}}
 +
| maximum interval between aggregate reports; default is 86400
 +
|-
 +
| '''rua'''
 +
| n
 +
| {{arg|one or more email addresses, comma-separated}}
 +
| addresses ([[DMARC URI]]s) to which aggregate reports are to be sent
 +
|-
 +
| '''ruf'''
 +
| n
 +
| {{arg|one or more email addresses, comma-separated}}
 +
| addresses ([[DMARC URI]]s) to which message-specific failure information is to be sent
 +
|-
 +
| '''sp'''
 +
| n
 +
| (same as '''p'''; optional)
 +
| Requested Mail Receiver policy for all subdomains; defaults to value of '''p'''
 +
|-
 +
| '''v'''
 +
| YES
 +
| <code>DMARC1</code>
 +
| Version - identifies the record retrieved as a valid DMARC record. Must be the first tag.
 +
|}
 +
''documentation in progress''
 +
==In Practice==
 +
It appears that some large email services (such as GMail) may reject messages if DMARC is not configured in a way they deem suitable; as far as I know, this is not officially documented anywhere (security by obscurity), and proper configuration can only be determined by experimentation.
 
==Notes==
 
==Notes==
* [https://mxtoolbox.com/problem/dmarc/dmarc-external-validation DMARC External Validation]
+
For some reason, [[DigitalOcean]] [https://docs.digitalocean.com/products/networking/dns/how-to/manage-records/ apparently] does not support wildcards in TXT DNS records, so you can't set up a wildcard DMARC recipient.
 
+
==Links==
For some reason, [[DigitalOcean]] does not support wildcards in TXT DNS records, so you can't set up a wildcard DMARC recipient.
+
===Reference===
 +
* {{wikipedia}}
 +
* [https://datatracker.ietf.org/doc/html/rfc7489 RFC 7489]
 +
* [https://mxtoolbox.com/problem/dmarc MxToolBox Problem Knowledge Base]
 +
===Posts===
 +
* '''2014-04-07''' [https://mailarchive.ietf.org/arch/msg/ietf/J-IsfA0Lb-6T_NeMD1ENKZyb9tA/ Yahoo breaks every mailing list in the world including the IETF's]: a problem with how DMARC is designed
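Review bot: in the rua and ruf rows the values column says "one or more email addresses, comma-separated", which conflicts with the description column's own "([[DMARC URI]]s)"; RFC 7489 section 6.3 (linked from the About paragraph) defines both tags as comma-separated lists of DMARC URIs, in practice mailto: URIs, so a bare address such as dmarc@example.com is not a valid entry. Suggest changing the values cell to {{arg|one or more DMARC URIs (mailto:), comma-separated}} so readers do not publish a record that receivers will ignore. The About paragraph's "the message will be accepted only if it passes the requirements" is also contradicted by the p=none row ("no specific action"): the record requests a policy, and a receiver only acts on failures when that policy is quarantine or reject.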

Latest revision as of 20:27, 21 December 2022

DMARC: Domain-based Message Authentication, Reporting and Conformance

About

Configuring DMARC for any given domain requires only a DNS entry for that domain, containing machine-readable instructions for any message recipient to automatically authenticate an incoming message. The server receiving any message can check the "from" domain's DNS for a DMARC record. If one is found, the message will be accepted only if it passes the requirements.

The DMARC DNS entry for a given domain uses a "_DMARC" subdomain (_DMARC.<domain>). The explanation of the DNS record contents seems to begin in section 6.3 of RFC-7489.

Tags

tag   | req? | values | description
adkim | n    | s: strict; r: relaxed | how closely to check DKIM configuration ("alignment")
aspf  | n    | s: strict; r: relaxed | how closely to check SPF configuration ("alignment")
fo    | n    | 0: report DMARC failure if all underlying auths don't align; 1: report DMARC failure if any underlying auths don't align; d: report DKIM failure if DKIM signature fails, regardless of alignment (see AFRF-DKIM); s: report SPF failure if SPF evaluation fails, regardless of alignment (see AFRF-SPF) | failure [reporting] options
p     | YES  | none: no specific action; quarantine: treat all failed messages as suspicious, receiver can decide how to handle; reject: reject all failed messages, preferably during the SMTP transaction (see Section 10.3) | Requested Mail Receiver policy
pct   | n    | 0 to 100, default = 100 | % of domain's messages subject to policy (except reports, which are always 100%; see Section 6.6.4)
rf    | n    | <list of one or more report formats> | Format to be used for message-specific failure reports; colon-separated; default is "afrf"
ri    | n    | <number of seconds> | maximum interval between aggregate reports; default is 86400
rua   | n    | <one or more email addresses, comma-separated> | addresses (DMARC URIs) to which aggregate reports are to be sent
ruf   | n    | <one or more email addresses, comma-separated> | addresses (DMARC URIs) to which message-specific failure information is to be sent
sp    | n    | (same as p; optional) | Requested Mail Receiver policy for all subdomains; defaults to value of p
v     | YES  | DMARC1 | Version - identifies the record retrieved as a valid DMARC record. Must be the first tag.

documentation in progress
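As an added example (not code from this wiki page or from the DMARC specification's authors), the following Python parses a _dmarc TXT record and enforces the constraints the tag table states: v=DMARC1 first, p required, the allowed values for p, sp, adkim, aspf and fo, pct between 0 and 100, and mailto: DMARC URIs in rua and ruf. The record strings it is exercised with are constructed, and effective_policy applies the table's rule that sp falls back to p.

```python
POLICIES = {"none", "quarantine", "reject"}   # p / sp
ALIGNMENT = {"s", "r"}                        # adkim / aspf
FO_OPTIONS = {"0", "1", "d", "s"}             # fo, colon-separated
CHOICES = {"p": POLICIES, "sp": POLICIES, "adkim": ALIGNMENT, "aspf": ALIGNMENT}

class DMARCError(ValueError):
    """A record violates one of the constraints in the tag table."""

def parse_dmarc(txt):
    """Parse a _dmarc TXT record into {tag: value}; raise DMARCError if it
    breaks a rule from the table (v first, p required, value ranges)."""
    tags, order = {}, []
    for part in filter(None, (p.strip() for p in txt.split(";"))):
        if "=" not in part:
            raise DMARCError("malformed tag: %r" % part)
        name, value = (s.strip() for s in part.split("=", 1))
        if name in tags:
            raise DMARCError("duplicate tag: " + name)
        tags[name] = value
        order.append(name)
    if order[:1] != ["v"] or tags["v"] != "DMARC1":
        raise DMARCError("v=DMARC1 must be the first tag")
    if "p" not in tags:
        raise DMARCError("required tag p is missing")
    for t, allowed in CHOICES.items():
        if t in tags and tags[t] not in allowed:
            raise DMARCError("bad value for %s: %s" % (t, tags[t]))
    pct = tags.get("pct", "100")
    if not (pct.isdigit() and 0 <= int(pct) <= 100):
        raise DMARCError("pct must be an integer from 0 to 100")
    if "fo" in tags and not set(tags["fo"].split(":")) <= FO_OPTIONS:
        raise DMARCError("bad fo option in: " + tags["fo"])
    # rua/ruf hold comma-separated DMARC URIs; only the mailto: scheme,
    # which RFC 7489 requires receivers to support, is accepted here.
    for t in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(t, "").split(","))):
            if not uri.startswith("mailto:"):
                raise DMARCError("%s entry is not a mailto: URI: %s" % (t, uri))
    return tags

def effective_policy(tags, from_is_subdomain):
    """Policy the receiver applies: sp for a subdomain when set, else p."""
    return tags["sp"] if from_is_subdomain and "sp" in tags else tags["p"]

def is_valid(txt):
    try:
        return bool(parse_dmarc(txt))
    except DMARCError:
        return False
```

Run parse_dmarc on the TXT string you intend to publish at _dmarc.<domain> before adding it to DNS; a record that fails here will be ignored or misapplied by receivers.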

In Practice

It appears that some large email services (such as Gmail) may reject messages if DMARC is not configured in a way they deem suitable; as far as I know, this is not officially documented anywhere (security by obscurity), and proper configuration can only be determined by experimentation.

Notes

  • DMARC External Validation (https://mxtoolbox.com/problem/dmarc/dmarc-external-validation)

For some reason, DigitalOcean apparently does not support wildcards in TXT DNS records, so you can't set up a wildcard DMARC recipient.

Links

Reference

  • Wikipedia article on DMARC
  • RFC 7489 (https://datatracker.ietf.org/doc/html/rfc7489)
  • MxToolBox Problem Knowledge Base (https://mxtoolbox.com/problem/dmarc)

Posts

  • 2014-04-07 Yahoo breaks every mailing list in the world including the IETF's (https://mailarchive.ietf.org/arch/msg/ietf/J-IsfA0Lb-6T_NeMD1ENKZyb9tA/): a problem with how DMARC is designed