May
18
2016
dmarc

Domain-based Message Authentication, Reporting and Conformance

What is dmarc in a nutshell:


An authentication Protocol that combines SPF & DKIM to reduce spoofed emails.
Depends on DNS so DANE would be great here!

notes on centos6:

You need to already have implemented SPF & DKIM

Outgoing Mail Servers

DNS

in your zone file, add something like this:


_dmarc    IN  TXT "v=DMARC1; p=none; rua=mailto:postmaster@example.org"

increase the serial number of the zone and check it:



# dig +short txt _dmarc.example.org
"v=DMARC1; p=none; rua=mailto:postmaster@example.org"

dmarc tags

DMARC requires only two tags.


v: version
p: policy

version

Version is DMARC1 for the time being

policy


p=none
p=quarantine
p=reject

We start from policy=none and trying to investigate mail logs

reports

rua declares where the mail servers will send the reports regarding dmarc failures.

Incoming Mail Servers

installation



# yum search opendmarc

# yum -y install opendmarc.x86_64

check process:



# netstat -ntlp|grep dmarc
tcp    0    0 127.0.0.1:8893    0.0.0.0:*    LISTEN    14538/opendmarc     

postfix

Add another milter:



# opendkim & opendmarc
non_smtpd_milters=inet:127.0.0.1:8891,inet:127.0.0.1:8893
smtpd_milters=inet:127.0.0.1:8891,inet:127.0.0.1:8893

configuration


# grep -Ev '#|^$' /etc/opendmarc.conf 

Socket inet:8893@localhost
SoftwareHeader true
SPFIgnoreResults true
SPFSelfValidate true
Syslog true
UMask 007
UserID opendmarc:mail

AuthservID example.org
MilterDebug 1

service



# /etc/init.d/opendmarc restart

# chkconfig opendmarc on

DMARC Inspector

dmarcian

Tag(s): DMARC