OpenDMARC is an open source implementation of the Domain-based Message Authentication, Reporting and Conformance (DMARC) specification.
DMARC is an e-mail authentication policy that is already supported by several large mail providers. It builds on Sender Policy Framework (SPF) and DKIM: a domain publishes a policy for its outgoing mail in a DNS TXT record (explained in #DMARC Record), and receivers check incoming mail for compliance with that policy. Validation is done by a daemon. For more information see RFC 7489.
Install the package.
The main configuration file is
Change the following options:
Create the socket directory and set its ownership so that it is accessible to the SMTP server user (likely
# mkdir /run/opendmarc
# chown opendmarc:postfix /run/opendmarc
To have this socket directory created automatically at boot, create the following file with this content:
D /run/opendmarc 0750 opendmarc postfix
To run opendmarc.service as the SMTP server user (default is
[Service]
Group=
Group=postfix
inet:firstname.lastname@example.org is a sample socket specification: the host listens on port 9999 for the optional client 10.0.0.4 (if the host part is omitted, it listens on 0.0.0.0).
Add the following lines to
non_smtpd_milters = unix:/run/opendkim/opendkim.sock, unix:/run/opendmarc/opendmarc.sock
smtpd_milters = unix:/run/opendkim/opendkim.sock, unix:/run/opendmarc/opendmarc.sock
Make sure that the DMARC milter is declared after the DKIM milter, because OpenDMARC relies on the DKIM verification result that OpenDKIM adds to the message.
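The ordering requirement above is easy to get wrong when the milter lists are edited by hand. The following script, an added example that is not part of the original page or of OpenDMARC, parses a constructed Postfix main.cf fragment and checks that in both smtpd_milters and non_smtpd_milters the OpenDMARC socket is listed after the OpenDKIM socket. The sample text is constructed for the example; the socket paths are the ones used on this page.

```python
"""Check that Postfix lists the OpenDMARC milter after the OpenDKIM milter.

Added example (not OpenDMARC or Postfix code). SAMPLE_MAIN_CF is a constructed
main.cf fragment: the first list is in the right order, the second is not."""
import re

SAMPLE_MAIN_CF = """
# constructed sample, not a real main.cf
smtpd_milters = unix:/run/opendkim/opendkim.sock, unix:/run/opendmarc/opendmarc.sock
non_smtpd_milters = unix:/run/opendmarc/opendmarc.sock, unix:/run/opendkim/opendkim.sock
"""


def parse_main_cf(text):
    """Return {parameter: value} for simple 'key = value' lines, ignoring comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def milter_list(value):
    """Split a Postfix milter list; Postfix accepts commas and/or whitespace as separators."""
    return [m for m in re.split(r"[,\s]+", value) if m]


def dmarc_after_dkim(milters):
    """True when the first OpenDMARC socket appears after the first OpenDKIM socket.
    False if either milter is missing, since DMARC without DKIM results is incomplete."""
    dkim_pos = [i for i, m in enumerate(milters) if "opendkim" in m]
    dmarc_pos = [i for i, m in enumerate(milters) if "opendmarc" in m]
    if not dkim_pos or not dmarc_pos:
        return False
    return min(dmarc_pos) > min(dkim_pos)


def check_milter_order(text):
    """Return {parameter: ordering_ok} for the two milter parameters."""
    params = parse_main_cf(text)
    return {p: dmarc_after_dkim(milter_list(params.get(p, "")))
            for p in ("smtpd_milters", "non_smtpd_milters")}


if __name__ == "__main__":
    for param, ok in check_milter_order(SAMPLE_MAIN_CF).items():
        print(f"{param}: {'ok' if ok else 'wrong order or milter missing'}")
```

Run it against a copy of your own main.cf by replacing SAMPLE_MAIN_CF with the file contents; a False for either parameter means DMARC evaluation will not see the DKIM result for that mail path.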
To enable DMARC for your domain, you have to add a new TXT record to your DNS zone. Here is an example of a DMARC policy rollout, carried out one step after another.
First, a testing stage: no harm is done because the (sub)domain policy is "none", but you start to receive aggregate reports and failure reports (SPF and DKIM):
_dmarc.example.com TXT v=DMARC1; rua=mailto:email@example.com; ruf=mailto:firstname.lastname@example.org; adkim=s; fo=1
After some time, once you have analyzed these reports, you can enable the policy for, say, 10% of the e-mail traffic:
_dmarc.example.com TXT v=DMARC1; p=quarantine; rua=mailto:email@example.com; ruf=mailto:firstname.lastname@example.org; adkim=s; fo=1; pct=10
Then slowly raise the percentage and finish with the policy enabled for 100% of the traffic and only failure reports:
_dmarc.example.com TXT v=DMARC1; p=quarantine; ruf=mailto:email@example.com; adkim=s; fo=1
DMARC options in detail
All fields are OPTIONAL except "v", which is RECOMMENDED.
| Tag | Description | Example |
|-----|-------------|---------|
| p | Policy for the organizational domain (default "none") | p=quarantine |
| sp | Policy for subdomains (default: the value of the "p" field) | sp=reject |
| rua | Reporting URI for aggregate reports | rua=mailto:firstname.lastname@example.org |
| ruf | Reporting URI for forensic reports | ruf=mailto:email@example.com |
| adkim | Alignment mode for DKIM (default "r") | adkim=s |
| aspf | Alignment mode for SPF (default "r") | aspf=r |
| ri | Reporting interval of aggregate reports in seconds (default "86400"; receivers often ignore it and use the default) | ri=86400 |
| fo | Forensic report options (default "0") | fo=1 |
| rf | Reporting format (default "afrf") | rf=afrf |
| pct | Percentage of messages subjected to filtering (default 100) | pct=20 |
The alignment modes for DKIM and SPF can be:
- "s" for strict: the domain in the From: header must exactly match the DKIM/SPF identifier.
- "r" for relaxed: the organizational domains of the From: header and of the DKIM/SPF identifier must match.
The latter allows a subdomain in the From: header while the former does not.
The domain policy (p) and subdomain policy (sp) can be one of:
- "none" (monitor mode)
- "quarantine"
- "reject"
The forensic report options are:
- "0" to generate reports if all underlying authentication mechanisms (SPF and DKIM) fail to produce a DMARC pass result
- "1" to generate reports if any mechanisms (SPF or DKIM) fail
- "d" to generate report if the DKIM signature failed to verify
- "s" if SPF failed.