Merge branch 'dmarc-strictness' into 'master'

Add a note about DMARC strictness

See merge request simple-nixos-mailserver/nixos-mailserver!343
Jeremy Fleischman 2025-03-21 15:34:07 +00:00
commit 8b7718871b
3 changed files with 51 additions and 0 deletions

docs/dmarc.rst Normal file

@ -0,0 +1,46 @@
DMARC
=====
Once you've got your mailserver running, you should consider increasing the
strictness of your ``DMARC`` policy. Before you do so, you may want to first
enable ``DMARC`` reporting.
Enable ``DMARC`` reporting
~~~~~~~~~~~~~~~~~~~~~~~~~~
Add a ``rua`` tag
.. code-block:: diff
-``v=DMARC1; p=none;``
+``v=DMARC1; p=none; rua=postmaster@example.com``
This instructs receiving mail servers to mail reports to
``postmaster@example.com``. Note that you may want to set up a separate mailbox
just for these autogenerated mails.
If you need more detailed reports, there's a ``ruf`` tag as well.
Increased strictness
~~~~~~~~~~~~~~~~~~~~
Next, you can instruct receiving mailservers to apply "strict" enforcement of
``DKIM`` and ``SPF``
.. code-block:: diff
-``v=DMARC1; p=none; rua=postmaster@example.com``
+``v=DMARC1; p=none; adkim=s; aspf=s; rua=postmaster@example.com``
Consider running with this policy for a while before moving onto the next step.
Reject ``DMARC`` failures
~~~~~~~~~~~~~~~~~~~~~~~~~
Once you're happy with the strictness of your policy, you can instruct
receiving mailservers to drop incoming mail that fails the ``DMARC`` policy:
.. code-block:: diff
-``v=DMARC1; p=none; adkim=s; aspf=s; rua=postmaster@example.com``
+``v=DMARC1; p=reject; adkim=s; aspf=s; rua=postmaster@example.com``
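Review bot: the ``rua`` value in all three diff blocks is missing its URI scheme, so ``rua=postmaster@example.com`` is not a valid DMARC tag value; RFC 7489 defines ``rua`` and ``ruf`` as comma-separated lists of URIs, and the mail form must be written ``rua=mailto:postmaster@example.com``. Receivers that validate the tag will not send reports to a bare address, which defeats the "Enable DMARC reporting" step this page exists to introduce; the same applies to the ``ruf`` mention. Two smaller points: the blocks are ``.. code-block:: diff`` literal blocks, so the inline double backticks inside them will render as literal backtick characters and should be dropped, and the final step jumps straight from ``p=none`` to ``p=reject``; consider mentioning ``p=quarantine`` (optionally with ``pct=``) as an intermediate step, and noting that ``adkim=s``/``aspf=s`` make mail sent from a subdomain (or signed with a different DKIM ``d=``) fail alignment, which is exactly what to watch for in the aggregate reports before moving to reject. The closing sentence would also be clearer as "mail that claims to come from your domain and fails DMARC", since the policy governs how others treat your domain's mail, not your incoming mail in general.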


@ -31,6 +31,7 @@ Welcome to NixOS Mailserver's documentation!
flakes
autodiscovery
ldap
dmarc
Indices and tables
==================


@ -222,6 +222,10 @@ You can check this with
Note that it can take a while until a DNS entry is propagated.
Note that tools like `mxtoolbox.com <http://mxtoolbox.com/>`__ will warn that
the ``p=none`` doesn't actually enforce anything. This is good for getting
started, but you should consider increasing the strictness and configuring
``DMARC`` reports. See :doc:`dmarc` for more information.
Test your Setup
~~~~~~~~~~~~~~~
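Review bot: the mxtoolbox link in the added note uses a plain ``http://`` URL; prefer ``https://mxtoolbox.com/`` so the docs do not send readers over a cleartext link. The note itself reads well and the cross-reference to :doc:`dmarc` matches the new toctree entry.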