From de52c04605e89fe1a2b8762bb2e5e2d85db34051 Mon Sep 17 00:00:00 2001 From: Jeremy Fleischman Date: Mon, 28 Oct 2024 23:50:13 -0500 Subject: [PATCH] Add a note about DMARC strictness https://mxtoolbox.com/ warned me about the loosey-goosey DMARC entry these instructions steered me towards. Hopefully this will save others some time in the future. --- docs/dmarc.rst | 47 ++++++++++++++++++++++++++++++++++++++++++++ docs/index.rst | 1 + docs/setup-guide.rst | 4 ++++ 3 files changed, 52 insertions(+) create mode 100644 docs/dmarc.rst diff --git a/docs/dmarc.rst b/docs/dmarc.rst new file mode 100644 index 0000000..5aaca1c --- /dev/null +++ b/docs/dmarc.rst 
@@ -0,0 +1,47 @@ +DMARC +===== + +Once you've got your mailserver running, you should consider increasing the +strictness of your ``DMARC`` policy. Before you do so, you may want to first +enable ``DMARC`` reporting. + +Enable ``DMARC`` reporting +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Add a ``rua`` tag + +.. code-block:: diff + + -``v=DMARC1; p=none;`` + +``v=DMARC1; p=none; rua=dmarc-reports@example.com`` + +This instructs receiving mail servers to send reports about SPF or DKIM +failures to ``dmarc-reports@example.com``. It's a good idea to set up a +separate mailbox just for these autogenerated mails so you can use tools +to process the reports. + +If you need more detailed reports, there's a ``ruf`` tag as well. + +Increased strictness +~~~~~~~~~~~~~~~~~~~~ + +Next, you can instruct receiving mailservers to apply "strict" enforcement of +``DKIM`` and ``SPF`` + +.. code-block:: diff + + -``v=DMARC1; p=none; rua=dmarc-reports@example.com`` + +``v=DMARC1; p=none; adkim=s; aspf=s; rua=dmarc-reports@example.com`` + +Consider running with this policy for a while before moving onto the next step. + +Reject ``DMARC`` failures +~~~~~~~~~~~~~~~~~~~~~~~~~ + +Once you're happy with the strictness of your policy, you can instruct +receiving mailservers to drop incoming mail that fails the ``DMARC`` policy: + +.. code-block:: diff + + -``v=DMARC1; p=none; adkim=s; aspf=s; rua=dmarc-reports@example.com`` + +``v=DMARC1; p=reject; adkim=s; aspf=s; rua=dmarc-reports@example.com`` diff --git a/docs/index.rst b/docs/index.rst index 2fd1e1a..042e6a0 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -31,6 +31,7 @@ Welcome to NixOS Mailserver's documentation! flakes autodiscovery ldap + dmarc Indices and tables ================== diff --git a/docs/setup-guide.rst b/docs/setup-guide.rst index 5f6f903..ce971e0 100644 --- a/docs/setup-guide.rst +++ b/docs/setup-guide.rst 
@@ -223,6 +223,10 @@ You can check this with Note that it can take a while until a DNS entry is propagated. +Note that tools like `mxtoolbox.com `__ will warn that +the ``p=none`` doesn't actually enforce anything. This is good for getting +started, but you should consider increasing the strictness and configuring +``DMARC`` reports. See :doc:`dmarc` for more information. Test your Setup ~~~~~~~~~~~~~~~
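Review bot: in the docs/dmarc.rst hunk the ``rua`` value is missing its URI scheme. DMARC report addresses are URIs (RFC 7489, section 6.3), so the record should read ``rua=mailto:dmarc-reports@example.com``; a bare address is not a valid target and receivers will typically ignore it, which means the reporting step silently does nothing. The same applies to the ``ruf`` mention. Two smaller points on the same hunk: the ``adkim=s; aspf=s`` step should say that strict alignment requires the DKIM ``d=`` domain and the SPF envelope-from domain to match the From domain exactly, so mail signed or sent from a subdomain will start failing once this is set; and ``p=reject`` asks receivers to reject, not silently drop, so "drop incoming mail that fails" is better as "reject incoming mail that fails", with a ``p=quarantine`` step between ``p=none`` and ``p=reject`` fitting the gradual rollout the page already recommends. Finally, the double backticks inside the ``code-block:: diff`` literal blocks will be rendered verbatim; drop them inside the blocks.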
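Review bot: the hyperlink in the docs/setup-guide.rst hunk has an empty target, ``mxtoolbox.com `__``, so Sphinx will warn or render a dead anonymous link; give the URL explicitly, e.g. ``mxtoolbox.com <https://mxtoolbox.com/>`__`` (the commit message already names https://mxtoolbox.com/). Wording: "the ``p=none`` doesn't actually enforce anything" reads better as "a ``p=none`` policy doesn't actually enforce anything".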