ForkMaster/nixos-mailserver
1
0
Fork 0
mirror of https://gitlab.com/simple-nixos-mailserver/nixos-mailserver.git synced 2025-05-26 04:20:57 +05:00
Code Issues Packages Projects Releases Wiki Activity

Add a note about DMARC strictness

Browse Source 
https://mxtoolbox.com/ warned me about the loosey-goosey DMARC entry
these instructions steered me towards. Hopefully this will save others
some time in the future.
This commit is contained in:
Jeremy Fleischman 2024-10-28 23:50:13 -05:00
parent a7d2b05a99
commit de52c04605
No known key found for this signature in database
3 changed files with 52 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
docs/dmarc.rst Normal file
View File

@ -0,0 +1,47 @@
DMARC
=====
Once you've got your mailserver running, you should consider increasing the
strictness of your ``DMARC`` policy. Before you do so, you may want to first
enable ``DMARC`` reporting.
Enable ``DMARC`` reporting
~~~~~~~~~~~~~~~~~~~~~~~~~~
Add a ``rua`` tag
.. code-block:: diff
-``v=DMARC1; p=none;``
+``v=DMARC1; p=none; rua=dmarc-reports@example.com``
This instructs receiving mail servers to send reports about SPF or DKIM
failures to ``dmarc-reports@example.com``. It's a good idea to set up a
separate mailbox just for these autogenerated mails so you can use tools
to process the reports.
If you need more detailed reports, there's a ``ruf`` tag as well.
Increased strictness
~~~~~~~~~~~~~~~~~~~~
Next, you can instruct receiving mailservers to apply "strict" enforcement of
``DKIM`` and ``SPF``
.. code-block:: diff
-``v=DMARC1; p=none; rua=dmarc-reports@example.com``
+``v=DMARC1; p=none; adkim=s; aspf=s; rua=dmarc-reports@example.com``
Consider running with this policy for a while before moving onto the next step.
Reject ``DMARC`` failures
~~~~~~~~~~~~~~~~~~~~~~~~~
Once you're happy with the strictness of your policy, you can instruct
receiving mailservers to drop incoming mail that fails the ``DMARC`` policy:
.. code-block:: diff
-``v=DMARC1; p=none; adkim=s; aspf=s; rua=dmarc-reports@example.com``
+``v=DMARC1; p=reject; adkim=s; aspf=s; rua=dmarc-reports@example.com``

1
docs/index.rst
View File

@ -31,6 +31,7 @@ Welcome to NixOS Mailserver's documentation!
flakes flakes
autodiscovery autodiscovery
ldap ldap
dmarc
Indices and tables Indices and tables
================== ==================

4
docs/setup-guide.rst
View File

@ -223,6 +223,10 @@ You can check this with
Note that it can take a while until a DNS entry is propagated. Note that it can take a while until a DNS entry is propagated.
Note that tools like `mxtoolbox.com <http://mxtoolbox.com/>`__ will warn that
the ``p=none`` doesn't actually enforce anything. This is good for getting
started, but you should consider increasing the strictness and configuring
``DMARC`` reports. See :doc:`dmarc` for more information.
Test your Setup Test your Setup
~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~