From 891664de2910cc4420328fec7c453cedb297c857 Mon Sep 17 00:00:00 2001 From: Jeremy Fleischman Date: Mon, 28 Oct 2024 23:50:13 -0500 Subject: [PATCH 1/2] Add a note about DMARC strictness https://mxtoolbox.com/ warned me about the loosey-goosey DMARC entry these instructions steered me towards. Hopefully this will save others some time in the future. --- docs/dmarc.rst | 45 ++++++++++++++++++++++++++++++++++++++++++++ docs/index.rst | 1 + docs/setup-guide.rst | 4 ++++ 3 files changed, 50 insertions(+) create mode 100644 docs/dmarc.rst diff --git a/docs/dmarc.rst b/docs/dmarc.rst new file mode 100644 index 0000000..a823c3a --- /dev/null +++ b/docs/dmarc.rst @@ -0,0 +1,45 @@ +DMARC +===== + +Once you've got your mailserver running, you should consider increasing the +strictness of your ``DMARC`` policy. Before you do so, you may want to first +enable ``DMARC`` reporting. + +Enable ``DMARC`` reporting +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Add a ``rua`` tag + +.. code-block:: diff + + -``v=DMARC1; p=none;`` + +``v=DMARC1; p=none; rua=postmaster@example.com`` + +This instructs receiving mail servers to mail reports to +``postmaster@example.com``. + +If you need more detailed reports, there's a ``ruf`` tag as well. + +Increased strictness +~~~~~~~~~~~~~~~~~~~~ + +Next, you can instruct receiving mailservers to apply "strict" enforcement of +``DKIM`` and ``SPF`` + +.. code-block:: diff + + -``v=DMARC1; p=none; rua=postmaster@example.com`` + +``v=DMARC1; p=none; adkim=s; aspf=s; rua=postmaster@example.com`` + +Consider running with this policy for a while before moving onto the next step. + +Reject ``DMARC`` failures +~~~~~~~~~~~~~~~~~~~~~~~~~ + +Once you're happy with the strictness of your policy, you can instruct +receiving mailservers to drop incoming mail that fails the ``DMARC`` policy: + +.. code-block:: diff + + -``v=DMARC1; p=none; adkim=s; aspf=s; rua=postmaster@example.com`` + +``v=DMARC1; p=reject; adkim=s; aspf=s; rua=postmaster@example.com`` 
diff --git a/docs/index.rst b/docs/index.rst index 2fd1e1a..042e6a0 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -31,6 +31,7 @@ Welcome to NixOS Mailserver's documentation! flakes autodiscovery ldap + dmarc Indices and tables ================== diff --git a/docs/setup-guide.rst b/docs/setup-guide.rst index 61b1559..a152be1 100644 --- a/docs/setup-guide.rst +++ b/docs/setup-guide.rst @@ -211,6 +211,10 @@ You can check this with Note that it can take a while until a DNS entry is propagated. +Note that tools like `mxtoolbox.com `__ will warn that +the ``p=none`` doesn't actually enforce anything. This is good for getting +started, but you should consider increasing the strictness and configuring +``DMARC`` reports. See :doc:`dmarc` for more information. Test your Setup ~~~~~~~~~~~~~~~ From 9210b41719fa1d1a4c2646e66c7d71d8952e634b Mon Sep 17 00:00:00 2001 From: Jeremy Fleischman Date: Sat, 30 Nov 2024 16:47:51 -0600 Subject: [PATCH 2/2] Add a suggestion that people set up a separate inbox for DMARC reports --- docs/dmarc.rst | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/dmarc.rst b/docs/dmarc.rst index a823c3a..f08b5cb 100644 --- a/docs/dmarc.rst +++ b/docs/dmarc.rst @@ -16,7 +16,8 @@ Add a ``rua`` tag +``v=DMARC1; p=none; rua=postmaster@example.com`` This instructs receiving mail servers to mail reports to -``postmaster@example.com``. +``postmaster@example.com``. Note that you may want to set up a separate mailbox +just for these autogenerated mails. If you need more detailed reports, there's a ``ruf`` tag as well.
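Review bot: the ``rua`` value in the docs/dmarc.rst hunk is missing the ``mailto:`` scheme. DMARC report addresses are URIs, so ``rua=postmaster@example.com`` is not a valid tag value and receivers will not send reports to it; every example line should read ``rua=mailto:postmaster@example.com`` (and ``ruf=mailto:...`` if the ``ruf`` sentence is ever expanded; also worth noting there that ``ruf`` failure reports are sent by few receivers and can contain message content). Two wording issues in the same hunk: ``adkim=s; aspf=s`` selects strict identifier alignment (the DKIM d= domain and the SPF domain must equal the From domain exactly, no subdomains), not "strict enforcement" of DKIM and SPF; enforcement is chosen by ``p=``. And ``p=reject`` asks other receivers to reject mail that carries your domain in From and fails DMARC, so "drop incoming mail that fails the DMARC policy" should read something like "reject mail purporting to come from your domain that fails DMARC". Consider an intermediate step with ``p=quarantine`` (optionally staged with ``pct=``) between ``p=none`` and ``p=reject`` instead of jumping straight to reject. Finally, the ``.. code-block:: diff`` bodies wrap each record in double backticks, which render as literal backticks inside a code block; drop them.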
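Review bot: the anonymous hyperlink `mxtoolbox.com `__ in the docs/setup-guide.rst hunk has no target as it appears here; an rst ``__`` reference needs the URL inside the backticks, e.g. `mxtoolbox.com <https://mxtoolbox.com/>`__ (the address given in the commit message). Minor: "will warn that the ``p=none`` doesn't actually enforce anything" reads better as "will warn that ``p=none`` does not enforce anything".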
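Review bot: the sentence added in the second patch's docs/dmarc.rst hunk should say why a separate mailbox helps: every receiving organization sends an aggregate report (a gzipped XML attachment) roughly once a day, so the volume grows with the number of receivers, and the reports are meant to be parsed by a tool rather than read. The same hunk should also warn that if the report mailbox lives on a domain other than the one publishing the policy, receivers will only honour that ``rua`` address once the report domain publishes an authorization record (a ``v=DMARC1`` TXT record at ``<policy-domain>._report._dmarc.<report-domain>``), which is a common reason for reports never arriving.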