diff --git a/docs/dmarc.rst b/docs/dmarc.rst new file mode 100644 index 0000000..a823c3a --- /dev/null +++ b/docs/dmarc.rst @@ -0,0 +1,45 @@ +DMARC +===== + +Once you've got your mailserver running, you should consider increasing the +strictness of your ``DMARC`` policy. Before you do so, you may want to first +enable ``DMARC`` reporting. + +Enable ``DMARC`` reporting +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Add a ``rua`` tag + +.. code-block:: diff + + -``v=DMARC1; p=none;`` + +``v=DMARC1; p=none; rua=postmaster@example.com`` + +This instructs receiving mail servers to mail reports to +``postmaster@example.com``. + +If you need more detailed reports, there's a ``ruf`` tag as well. + +Increased strictness +~~~~~~~~~~~~~~~~~~~~ + +Next, you can instruct receiving mailservers to apply "strict" enforcement of +``DKIM`` and ``SPF`` + +.. code-block:: diff + + -``v=DMARC1; p=none; rua=postmaster@example.com`` + +``v=DMARC1; p=none; adkim=s; aspf=s; rua=postmaster@example.com`` + +Consider running with this policy for a while before moving onto the next step. + +Reject ``DMARC`` failures +~~~~~~~~~~~~~~~~~~~~~~~~~ + +Once you're happy with the strictness of your policy, you can instruct +receiving mailservers to drop incoming mail that fails the ``DMARC`` policy: + +.. code-block:: diff + + -``v=DMARC1; p=none; adkim=s; aspf=s; rua=postmaster@example.com`` + +``v=DMARC1; p=reject; adkim=s; aspf=s; rua=postmaster@example.com`` diff --git a/docs/index.rst b/docs/index.rst index 2fd1e1a..042e6a0 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -31,6 +31,7 @@ Welcome to NixOS Mailserver's documentation! flakes autodiscovery ldap + dmarc Indices and tables ================== diff --git a/docs/setup-guide.rst b/docs/setup-guide.rst index 61b1559..a152be1 100644 --- a/docs/setup-guide.rst +++ b/docs/setup-guide.rst 
@@ -211,6 +211,10 @@ You can check this with Note that it can take a while until a DNS entry is propagated. +Note that tools like `mxtoolbox.com `__ will warn that +the ``p=none`` doesn't actually enforce anything. This is good for getting +started, but you should consider increasing the strictness and configuring +``DMARC`` reports. See :doc:`dmarc` for more information. Test your Setup ~~~~~~~~~~~~~~~
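Review bot: the ``rua`` values in all three ``code-block:: diff`` examples added in docs/dmarc.rst are not valid DMARC report URIs; RFC 7489 defines ``rua`` as a list of URIs, so ``rua=postmaster@example.com`` should read ``rua=mailto:postmaster@example.com``, otherwise receivers will ignore the tag and no aggregate reports will arrive. Two smaller points in the same hunk: the double backticks inside a ``diff`` code block are rendered literally, so readers see ``-``v=DMARC1; p=none;``` with stray backticks, and dropping the inline-literal markup inside the three fenced records would fix that; and the sentence "apply 'strict' enforcement of DKIM and SPF" under "Increased strictness" misdescribes ``adkim=s`` / ``aspf=s``, which tighten identifier alignment (the DKIM ``d=`` domain and the SPF-checked domain must exactly match the From domain instead of merely sharing its organizational domain) rather than controlling whether the policy is enforced, which is what ``p=`` does. It would also help to mention ``p=quarantine`` as the usual intermediate step between ``p=none`` and ``p=reject``, since the "Reject DMARC failures" section jumps straight to rejection.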
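Review bot: the external link in the paragraph added to docs/setup-guide.rst, ``mxtoolbox.com `__``, has no target between the link text and the closing backtick, so Sphinx will emit a warning and render an empty or broken hyperlink; reStructuredText needs ``text <URL>`__`` with the URL in angle brackets. Minor wording in the same paragraph: "the ``p=none`` doesn't actually enforce anything" reads better as "a ``p=none`` policy doesn't actually enforce anything".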