mirror of
https://gitlab.com/simple-nixos-mailserver/nixos-mailserver.git
synced 2025-04-02 22:04:32 +05:00
46 lines
1.2 KiB
ReStructuredText
46 lines
1.2 KiB
ReStructuredText
|
DMARC
|
||
|
|
=====
|
||
|
|
|
||
|
|
Once you've got your mailserver running, you should consider increasing the
|
||
|
|
strictness of your ``DMARC`` policy. Before you do so, you may want to first
|
||
|
|
enable ``DMARC`` reporting.
|
||
|
|
|
||
|
|
Enable ``DMARC`` reporting
|
||
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||
|
|
|
||
|
|
Add a ``rua`` tag
|
||
|
|
|
||
|
|
.. code-block:: diff
|
||
|
|
|
||
|
|
-``v=DMARC1; p=none;``
|
||
|
|
+``v=DMARC1; p=none; rua=postmaster@example.com``
|
||
|
|
|
||
|
|
This instructs receiving mail servers to mail reports to
|
||
|
|
``postmaster@example.com``.
|
||
|
|
|
||
|
|
If you need more detailed reports, there's a ``ruf`` tag as well.
|
||
|
|
|
||
|
|
Increased strictness
|
||
|
|
~~~~~~~~~~~~~~~~~~~~
|
||
|
|
|
||
|
|
Next, you can instruct receiving mailservers to apply "strict" enforcement of
|
||
|
|
``DKIM`` and ``SPF``
|
||
|
|
|
||
|
|
.. code-block:: diff
|
||
|
|
|
||
|
|
-``v=DMARC1; p=none; rua=postmaster@example.com``
|
||
|
|
+``v=DMARC1; p=none; adkim=s; aspf=s; rua=postmaster@example.com``
|
||
|
|
|
||
|
|
Consider running with this policy for a while before moving onto the next step.
|
||
|
|
|
||
|
|
Reject ``DMARC`` failures
|
||
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~
|
||
|
|
|
||
|
|
Once you're happy with the strictness of your policy, you can instruct
|
||
|
|
receiving mailservers to drop incoming mail that fails the ``DMARC`` policy:
|
||
|
|
|
||
|
|
.. code-block:: diff
|
||
|
|
|
||
|
|
-``v=DMARC1; p=none; adkim=s; aspf=s; rua=postmaster@example.com``
|
||
|
|
+``v=DMARC1; p=reject; adkim=s; aspf=s; rua=postmaster@example.com``
|