DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol. It is designed to give email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing. The purpose and primary outcome of implementing DMARC is to protect a domain from being used in business email compromise attacks, phishing emails, email scams and other cyber threat activities.
- Thanks to Iulian for the hint. This is a link to his page
- Take a look here for further DMARC solutions for
- MXtoolbox: verifying your DMARC record
- RFC 7489 Domain-based Message Authentication, Reporting, and Conformance (DMARC)
- SpamAssassin's SPF rules
- SpamAssassin's DKIM rules
You can use SpamAssassin to apply a DMARC filter by means of the AskDNS plugin. Just add the following to your
```
ifplugin Mail::SpamAssassin::Plugin::AskDNS

# Look up the DMARC record of the RFC5322.From domain and capture its policy tag.
# The leading \b keeps "sp=none" from being read as "p=none"; the trailing \b
# also matches a record whose p= tag is the last element with no closing ';'.
askdns __DMARC_POLICY_NONE   _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=none\b/
askdns __DMARC_POLICY_QUAR   _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=quarantine\b/
askdns __DMARC_POLICY_REJECT _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=reject\b/

# Score only when neither aligned DKIM nor SPF passed, weighted by the published policy.
meta  DMARC_REJECT !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_REJECT
score DMARC_REJECT 5

meta  DMARC_QUAR   !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_QUAR
score DMARC_QUAR   2.5

meta  DMARC_NONE   !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_NONE
score DMARC_NONE   0.1

endif # Mail::SpamAssassin::Plugin::AskDNS
```
This means that, for a message that passes neither aligned DKIM nor SPF, a DMARC reject policy (p=reject in the DNS record) adds +5 to the spam score, a quarantine policy (p=quarantine) adds +2.5, and p=none adds +0.1.
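To see what those three lookups and the meta rules actually do, here is an added example in Python (my code, not from the original page or the SpamAssassin project) that reproduces the same policy extraction and scoring offline. The domains and DMARC records in `FAKE_DNS` are constructed for the example, `lookup_txt` stands in for the real DNS query AskDNS would make, and the pattern ends in `\b` after the policy value so that a record whose `p=` tag is the last element with no closing semicolon still matches.

```python
import re
from email.utils import parseaddr

# Constructed DMARC TXT answers keyed by the _dmarc.<domain> name queried.
# These domains and records are made up for this example, not real lookups.
FAKE_DNS = {
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "_dmarc.example.net": ["v=DMARC1;p=quarantine;pct=100;sp=none"],
    "_dmarc.example.org": ["v=DMARC1; p=none"],            # p= is the last tag
    "_dmarc.sub.example.com": [],                           # subdomain has no record
    "_dmarc.example.edu": ["site-verification=deadbeef"],  # unrelated TXT record
}

# Points added by the DMARC_REJECT / DMARC_QUAR / DMARC_NONE meta rules.
SCORES = {"reject": 5.0, "quarantine": 2.5, "none": 0.1}

# Same shape as the askdns subtests: anchored on the v=DMARC1 tag, then the
# p= policy tag.  The leading \b keeps "sp=none" from being read as "p=none";
# the trailing \b accepts a p= tag with or without a trailing ';'.
POLICY_RE = {pol: re.compile(r"^v=DMARC1;.*\bp=%s\b" % pol) for pol in SCORES}


def lookup_txt(name):
    """Stand-in for the DNS TXT query AskDNS performs (offline, constructed data)."""
    return FAKE_DNS.get(name.lower(), [])


def author_domain(from_value):
    """Domain of the RFC5322.From address, which _AUTHORDOMAIN_ expands to."""
    addr = parseaddr(from_value)[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def dmarc_policy(domain, txt_lookup=lookup_txt):
    """Return 'reject', 'quarantine', 'none', or None if no DMARC policy matched."""
    for txt in txt_lookup("_dmarc." + domain):
        for pol, rx in POLICY_RE.items():
            if rx.search(txt):
                return pol
    return None


def dmarc_score(from_value, dkim_valid_au, spf_pass, txt_lookup=lookup_txt):
    """Mirror the meta rules: add the policy's score only when neither
    aligned DKIM (DKIM_VALID_AU) nor SPF (SPF_PASS) passed."""
    if dkim_valid_au or spf_pass:
        return 0.0
    pol = dmarc_policy(author_domain(from_value), txt_lookup)
    return SCORES.get(pol, 0.0)


if __name__ == "__main__":
    for hdr, dkim, spf in [
        ("Alice <alice@example.com>", False, False),  # unauthenticated, p=reject
        ("Alice <alice@example.com>", True, False),   # aligned DKIM passed
        ("Bob <bob@example.org>", False, False),      # p=none as last tag
        ("Eve <eve@sub.example.com>", False, False),  # subdomain without a record
    ]:
        print(hdr, dkim, spf, "->", dmarc_score(hdr, dkim, spf))
```

Two caveats carry over from the rule set itself. Like the askdns lookup, this queries `_dmarc.` under the From: domain only and does not fall back to the organizational domain as RFC 7489 requires, so a subdomain that publishes no record of its own scores 0 here (the `sub.example.com` case). And `SPF_PASS` reflects the envelope sender, which need not be aligned with the From: domain, so using it as a stand-in for DMARC's aligned SPF result is an approximation.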
This is how you may want to set your own DMARC record into your

```
_dmarc.yourdomain.tld. IN TXT "v=DMARC1;p=reject;sp=none;pct=100;rua=mailto:email@example.com"
```
Of course this requires that you already have both SPF and DKIM working as explained before.
If you decide to set a similar DNS record in your DMZ view, it is important that you have set your allowed localnets in SpamAssassin, for example:
otherwise you will probably ban your system or web application mail messages in case you don't sign them.