mirror of
https://gitlab.com/simple-nixos-mailserver/nixos-mailserver.git
synced 2025-05-26 04:20:57 +05:00
de52c04605
https://mxtoolbox.com/ warned me about the loosey-goosey DMARC entry these instructions steered me towards. Hopefully this will save others some time in the future.
48 lines
1.4 KiB
ReStructuredText
48 lines
1.4 KiB
ReStructuredText
DMARC
|
|
=====
|
|
|
|
Once you've got your mailserver running, you should consider increasing the
|
|
strictness of your ``DMARC`` policy. Before you do so, you may want to first
|
|
enable ``DMARC`` reporting.
|
|
|
|
Enable ``DMARC`` reporting
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
Add a ``rua`` tag
|
|
|
|
.. code-block:: diff
|
|
|
|
-``v=DMARC1; p=none;``
|
|
+``v=DMARC1; p=none; rua=dmarc-reports@example.com``
|
|
|
|
This instructs receiving mail servers to send reports about SPF or DKIM
|
|
failures to ``dmarc-reports@example.com``. It's a good idea to set up a
|
|
separate mailbox just for these autogenerated mails so you can use tools
|
|
to process the reports.
|
|
|
|
If you need more detailed reports, there's a ``ruf`` tag as well.
|
|
|
|
Increased strictness
|
|
~~~~~~~~~~~~~~~~~~~~
|
|
|
|
Next, you can instruct receiving mailservers to apply "strict" enforcement of
|
|
``DKIM`` and ``SPF``
|
|
|
|
.. code-block:: diff
|
|
|
|
-``v=DMARC1; p=none; rua=dmarc-reports@example.com``
|
|
+``v=DMARC1; p=none; adkim=s; aspf=s; rua=dmarc-reports@example.com``
|
|
|
|
Consider running with this policy for a while before moving onto the next step.
|
|
|
|
Reject ``DMARC`` failures
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
Once you're happy with the strictness of your policy, you can instruct
|
|
receiving mailservers to drop incoming mail that fails the ``DMARC`` policy:
|
|
|
|
.. code-block:: diff
|
|
|
|
-``v=DMARC1; p=none; adkim=s; aspf=s; rua=dmarc-reports@example.com``
|
|
+``v=DMARC1; p=reject; adkim=s; aspf=s; rua=dmarc-reports@example.com``
|