March 20, 2021, Roberto Puzzanghera
You can use SpamAssassin to apply a DMARC filter by means of the AskDNS plugin. Just add the following to your

ifplugin Mail::SpamAssassin::Plugin::AskDNS
askdns __DMARC_POLICY_NONE _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=none;/
askdns __DMARC_POLICY_QUAR _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=quarantine;/
askdns __DMARC_POLICY_REJECT _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=reject;/
meta DMARC_REJECT !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_REJECT
score DMARC_REJECT 5
meta DMARC_QUAR !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_QUAR
score DMARC_QUAR 2.5
meta DMARC_NONE !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_NONE
score DMARC_NONE 0.1
endif # Mail::SpamAssassin::Plugin::AskDNS
This means that a DMARC reject (p=reject in the DNS record) will turn into a +10 spam score, DMARC quarantine (p=quarantine) into a +5 spam score and a p=none into a +0.1 spam score.
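To see what the three askdns regexes and the meta rules above actually do to a given TXT record, here is an added Python simulation (it is not part of the original post and not SpamAssassin code): it applies the same regexes to the record and the same `!(DKIM_VALID_AU || SPF_PASS)` logic, using the scores from the snippet above. The `askdns_query_name` helper assumes `_AUTHORDOMAIN_` is the domain part of the From: address.

```python
import re
from email.utils import parseaddr

# Added example, not from the original post: the three regexes below are
# the ones used in the askdns rules on this page, applied with Python's re.
POLICY_RULES = {
    "__DMARC_POLICY_NONE":   re.compile(r"^v=DMARC1;.*\bp=none;"),
    "__DMARC_POLICY_QUAR":   re.compile(r"^v=DMARC1;.*\bp=quarantine;"),
    "__DMARC_POLICY_REJECT": re.compile(r"^v=DMARC1;.*\bp=reject;"),
}

# Meta rule -> (sub-rule it depends on, score from the snippet above).
META_RULES = {
    "DMARC_REJECT": ("__DMARC_POLICY_REJECT", 5.0),
    "DMARC_QUAR":   ("__DMARC_POLICY_QUAR", 2.5),
    "DMARC_NONE":   ("__DMARC_POLICY_NONE", 0.1),
}


def askdns_query_name(from_header):
    """Name the askdns rules query: _dmarc.<domain of the From: address>.
    Assumption: _AUTHORDOMAIN_ is the domain part of the From: header address."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    return f"_dmarc.{domain}"


def policy_hits(txt_record):
    """Return the set of __DMARC_POLICY_* sub-rules a TXT record triggers."""
    return {name for name, rx in POLICY_RULES.items() if rx.search(txt_record)}


def dmarc_meta(txt_record, dkim_valid_au, spf_pass):
    """Evaluate !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_* for each
    meta rule. Returns (fired rule names, total score added by them)."""
    hits = policy_hits(txt_record)
    authenticated = dkim_valid_au or spf_pass
    fired = [name for name, (sub, _) in META_RULES.items()
             if not authenticated and sub in hits]
    return fired, sum(META_RULES[name][1] for name in fired)


if __name__ == "__main__":
    # Constructed sample: the record shape shown later on this page.
    rec = "v=DMARC1;p=reject;sp=none;pct=100;rua=mailto:dmarc@example.org"
    print(askdns_query_name("Alice <alice@Example.org>"))   # _dmarc.example.org
    print(dmarc_meta(rec, dkim_valid_au=False, spf_pass=False))  # (['DMARC_REJECT'], 5.0)
    print(dmarc_meta(rec, dkim_valid_au=True, spf_pass=False))   # ([], 0.0)
```

Note that the `sp=none;` tag does not trigger `__DMARC_POLICY_NONE` because `\b` does not match between `s` and `p`, and that the regexes require a `;` after the policy value, so a record such as `v=DMARC1; p=reject` (no trailing semicolon) triggers none of the sub-rules.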
This is how you may want to set your own DMARC record into your

_dmarc.yourdomain.tld. IN TXT "v=DMARC1;p=reject;sp=none;pct=100;rua=mailto:firstname.lastname@example.org"
Of course this requires that you already have both SPF and DKIM working as explained before.
If you decide to set a similar DNS record in your DMZ view, it is important that you have set your allowed localnets in SpamAssassin, for example:
otherwise you will probably ban the mail messages sent by your own system or web applications if you don't sign them.