Domain-based Message Authentication, Reporting and Conformance (DMARC) is a policy for mail transfer that is already supported by some common mail providers. It depends on SPF and DKIM. DMARC publishes a policy for outgoing mail and checks incoming mail for compliance with that policy. The policy is published via a DNS TXT record, as explained in #DMARC Record. Validation is done by a daemon, whose configuration is explained below. For more information see the IETF draft.
Install the package.
Main configuration file is
Change the following options:
Add the socket directory and set its ownership so that it is accessible to the SMTP server user (likely `postfix`, which is the group used below):

```
# mkdir /run/opendmarc
# chown opendmarc:postfix /run/opendmarc
```
Add the following lines to
```
non_smtpd_milters = unix:/run/opendkim/opendkim.sock, unix:/run/opendmarc/opendmarc.sock
smtpd_milters = unix:/run/opendkim/opendkim.sock, unix:/run/opendmarc/opendmarc.sock
```
Make sure that the DMARC milter is declared after the DKIM milter.
To enable DMARC for your domain, you have to add a new TXT record to the DNS zone of that domain, on the `_dmarc` subdomain. An example record looks like this:

```
_dmarc.example.com TXT v=DMARC1; p=quarantine; pct=20; adkim=s; aspf=r; fo=1; rua=mailto:firstname.lastname@example.org; ruf=mailto:email@example.com;
```
DMARC options in detail:

| Option | Description | Example |
|---|---|---|
| pct | Percentage of messages subjected to filtering | pct=20 |
| ruf | Reporting URI for forensic reports | ruf=mailto:firstname.lastname@example.org |
| rua | Reporting URI for aggregate reports | rua=mailto:email@example.com |
| p | Policy for the organizational domain | p=quarantine |
| sp | Policy for subdomains of the organizational domain | sp=reject |
| adkim | Alignment mode for DKIM | adkim=s |
| aspf | Alignment mode for SPF | aspf=r |
| fo | Forensic report options | fo=1 |
| rf | Reporting format, either afrf or iodef | rf=afrf |
| ri | Reporting interval of aggregate reports (in seconds). Often disregarded by receivers | ri=86400 |
The alignment modes for DKIM and SPF can be:
- "s" for strict
- "r" for relaxed
where the latter allows a subdomain of the authenticated domain in the "From" header while the former requires an exact match.

The domain policy (p) and subdomain policy (sp) can be one of:
- "none" (monitor mode: mail is delivered normally and only reports are generated)
- "quarantine" (the receiver treats the mail as suspicious, typically filing it as spam)
- "reject" (the receiver refuses the mail)
The forensic report options are:
- "0" to generate a report only if all underlying authentication mechanisms fail to produce a DMARC pass result
- "1" to generate a report if any mechanism fails
- "d" to generate a report if the DKIM signature failed to verify
- "s" to generate a report if SPF failed
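To make the record format and the alignment modes concrete, the following added example (not code from the page or from OpenDMARC) parses the TXT record shown above and evaluates whether a message's SPF and DKIM results align with its "From" domain under strict or relaxed mode. It assumes a simplified organizational-domain check (a plain suffix match rather than the Public Suffix List) and ignores the pct sampling and sp handling a real validator performs.

```python
"""Parse a DMARC TXT record and evaluate identifier alignment.

Added example, not part of the original page. Organizational-domain
matching is simplified to a parent/child suffix check (no Public Suffix List).
"""
from typing import Dict

# Constructed sample: the record shown on this page, without the DNS name.
SAMPLE_RECORD = ("v=DMARC1; p=quarantine; pct=20; adkim=s; aspf=r; fo=1; "
                 "rua=mailto:firstname.lastname@example.org; "
                 "ruf=mailto:email@example.com;")

# Tag defaults as the DMARC specification defines them.
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "fo": "0",
            "rf": "afrf", "ri": "86400"}


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value; ...' into a dict, applying defaults."""
    tags = dict(DEFAULTS)
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")  # values like mailto: contain ':'
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: needs v=DMARC1 and p=")
    if tags["p"] not in ("none", "quarantine", "reject"):
        raise ValueError(f"unknown policy {tags['p']!r}")
    tags.setdefault("sp", tags["p"])  # sp falls back to p when absent
    return tags


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s'): exact match. Relaxed ('r'): same organizational domain,
    approximated here as one domain being a parent of the other."""
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if mode == "s" or f == a:
        return f == a
    return f.endswith("." + a) or a.endswith("." + f)


def dmarc_evaluate(record: Dict[str, str], from_domain: str,
                   spf_domain: str, spf_pass: bool,
                   dkim_domain: str, dkim_pass: bool) -> str:
    """Return 'pass', or the policy action (p) requested on failure.
    DMARC passes if SPF or DKIM passes *and* its domain aligns with From."""
    spf_ok = spf_pass and aligned(from_domain, spf_domain, record["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, record["adkim"])
    return "pass" if (spf_ok or dkim_ok) else record["p"]
```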