The following diagrams are what this document will accomplish. The challenge is to obtain and keep a good reputation that other E-Mail handlers around the world will accept. Otherwise your messages will be dumped in the trash can (SPAM) or sent back to you (bounced).
DNS assignment of an E-Mail name to that IP Address
Certificates for Authentication and Encryption
Login protection against Open Spam Relays
A VPS (Virtual Private Server) is a way to obtain a good IP address reputation, and the address stays the same over time. There are many providers to choose from; some already have bad reputations and constant streams of hackers knocking on the network, while others have a good reputation and just a few random hackers on your doorstep. Choose wisely!
MUA - Mail User Agent; Thunderbird, Evolution - Read, send, user interface
MDA - Mail Delivery Agent; Dovecot - File and organize mail, authorize user accounts
MTA - Mail Transport Agent; Postfix - Move messages from one network stop to another
Outgoing: Relay from Inside Home
Outgoing: Relay from Outside Home
Incoming: Transport from Internet
This document will use:
your-domain.org : The E-Mail relay we are setting up in this document (VPS_Postfix)
your-domain.com : The E-Mail server set up in the prior document (Home_Postfix)
Recommendation:
[ ] Bring up a host on a VPS somewhere, and use the Setup Server instructions to secure it.
[ ] Get a domain name and certificate set up and working.
[ ] Install postfix/dovecot combo and relay to your main E-Mail host. Test sending out mail too.
[ ] Install and configure SPF Policy Agent. Test it and make sure all is well.
[ ] Install and configure OpenDKIM to sign your E-Mails. Ensure it works well.
VPS
Create a VPS cloud server; less than $10 a month buys 1GB RAM, 30GB disk, 1 CPU and 2TB of bandwidth a month.
Criteria:
IP address reputation. May have to test drive to determine IP address. Lookup tools:
Working control panel. Check online reviews, or test drive. Make sure every button works. Extra points if they allow firewall changes and creating a PTR record.
Current OS release. Check references below.
Support availability and response agreements. Test creating a support ticket. Check references below.
Create Advanced DNS records, using IP Address of VPS server:
HOST
Type        Host   Value                 TTL
----------  -----  --------------------  ----
A Record    @      <IP Address>          Auto
A Record    mail   <IP Address>          Auto
TXT Record  @      v=spf1 mx -all        Auto
MAIL
Type        Host   Value                 Priority  TTL
----------  -----  --------------------  --------  ----
MX Record   @      <Domain Name>         10        Auto
Using the control panel on the VPS, update the PTR record. If the provider does not allow this, create a support ticket and they will do it for you; the restriction is just there to limit spammers.
Test your PTR record. Using the IP Address, it should show your domain, proving you have control over the IP Address.
service
This refers to the name in /etc/services and matches a name to a port number.
type
Internet or pipe. Internet is a network communication, while pipe is a special file on disk that echoes input as output, used for local communication only.
private
Access to some components is restricted to the Postfix system itself. This column is marked with a y for private access (the default) or an n for public access. inet components must be marked n for public access, since network sockets are necessarily available to other processes.
unpriv
Postfix components run with the least amount of privilege required to accomplish their tasks. They set their identity to that of the unprivileged account specified by the mail_owner parameter. The default installation uses postfix. The default value of y for this column indicates that the service runs under the normal unprivileged account. Services that require root privileges are marked with n.
chroot
Many components can be chrooted for additional security. The chroot location is specified in the queue_directory parameter in main.cf. The default is for a service to run in a chroot environment; however, the normal installation marks all components with an n so they are not chrooted when they run. Chrooting a service adds a level of complexity that you should thoroughly understand before taking advantage of the added security. See Section 4.8 later in the chapter for more information on running Postfix services in a chroot environment.
wakeup
Some components require a wake-up timer to kick them into action at the specified interval. The pickup daemon is one example. At its default setting of 60 seconds, the master daemon wakes it up every minute to see if any new messages have arrived in the maildrop queue. The other services that require a wake-up are the qmgr and flush daemons. A question mark character (?) can be added at the end of the time to indicate that a wake-up event should be sent only if the component is being used. A 0 for the time interval indicates that no wake-up is required. The default is 0, since only the three components mentioned require a wake-up. The values as they are set in the Postfix distribution should work for almost all situations. Other services should not have wakeup enabled.
maxproc
Limits the number of processes that can be invoked simultaneously. If unspecified here, the value comes from the parameter default_process_limit in main.cf, which is set to 100 by default. A setting of 0 means no process limit. You may want to adjust maxproc settings if you run Postfix on a system with limited resources or you want to optimize different aspects of the system.
command
The actual command used to execute a service is listed in the final column. The command is specified with no path information, because it is expected to be in the Postfix daemon directory specified by the daemon_directory parameter in main.cf. By default the directory is /usr/libexec/postfix. All of the Postfix commands can be specified with one or more -v options to turn on increasingly more verbose logging information, which can be helpful if you must troubleshoot a problem. You can also enable information for a debugging program with the -D option. See the DEBUG_README file that comes with the Postfix distribution for more information on debugging if necessary.
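The column rules above can be checked mechanically. This is an added example, not part of the guide or of Postfix: it parses master.cf entries, fills in the defaults for "-" fields, collects the -o overrides, and flags an inet service marked private or a wakeup timer on a service that does not need one. SAMPLE_MASTER_CF is constructed and includes one deliberately wrong entry.

```python
"""Parse /etc/postfix/master.cf entries and check them against the column
rules described above. Added example, not part of the guide or of Postfix;
SAMPLE_MASTER_CF is constructed and includes one deliberately wrong entry."""

COLUMNS = ("service", "type", "private", "unpriv", "chroot",
           "wakeup", "maxproc", "command")
# '-' in a column means "use the default"; maxproc's default comes from
# default_process_limit in main.cf, which is 100 unless changed.
DEFAULTS = {"private": "y", "unpriv": "y", "chroot": "y",
            "wakeup": "0", "maxproc": "100"}
TYPES = ("inet", "unix", "unix-dgram", "fifo", "pass")
WAKEUP_SERVICES = {"pickup", "qmgr", "flush"}   # the only daemons that need a timer

SAMPLE_MASTER_CF = """\
# constructed sample in the layout of /etc/postfix/master.cf
smtp        inet  n       -       n       -       -       smtpd
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
smtps       inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
pickup      unix  n       -       n       60      1       pickup
qmgr        unix  n       -       n       300     1       qmgr
policyd-spf unix  -       n       n       -       0       spawn
  user=policyd-spf argv=/usr/bin/policyd-spf
broken      inet  y       -       n       60      -       smtpd
"""


def parse_master_cf(text):
    """Return one dict per service entry. Indented lines continue the
    previous entry and are kept under 'args'; '-' fields get their defaults."""
    services = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            if services:
                services[-1]["args"].append(raw.strip())
            continue
        fields = raw.split(None, 7)        # the command may itself contain spaces
        if len(fields) != 8:
            raise ValueError("malformed master.cf line: %r" % raw)
        entry = dict(zip(COLUMNS, fields))
        entry["args"] = []
        for col, default in DEFAULTS.items():
            if entry[col] == "-":
                entry[col] = default
        services.append(entry)
    return services


def overrides(entry):
    """Collect the '-o key=value' arguments that override main.cf for this service."""
    opts = {}
    for arg in entry["args"]:
        if arg.startswith("-o "):
            key, _, value = arg[3:].partition("=")
            opts[key.strip()] = value.strip()
    return opts


def check_master_cf(services):
    """Apply the rules from the column descriptions; return human-readable findings."""
    findings = []
    for s in services:
        name = s["service"]
        if s["type"] not in TYPES:
            findings.append("%s: unknown type %r" % (name, s["type"]))
        if s["type"] == "inet" and s["private"] != "n":
            findings.append("%s: inet services must be public (private=n)" % name)
        if s["wakeup"].rstrip("?") != "0" and name not in WAKEUP_SERVICES:
            findings.append("%s: wakeup timer on a service that does not need one" % name)
        if s["unpriv"] == "n":
            findings.append("%s: keeps root privilege (unpriv=n); confirm this is intended" % name)
    return findings


if __name__ == "__main__":
    for line in check_master_cf(parse_master_cf(SAMPLE_MASTER_CF)):
        print(line)
```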
Proxy Postfix using Transport Maps for Incoming Mails on your-domain.org
A postfix transport(5) table allows one domain to transfer incoming SMTP messages to another domain. For instance the .org domain will transfer all .com messages to the .com domain automatically.
(Postfix file contents repeated from above, to clarify that this is for transporting from .org to .com.)
Configure
File: /etc/postfix/main.cf:
~
transport_maps = hash:/etc/postfix/transport
~
Set Postfix to accept mail for the .com addresses.
(Postfix file contents repeated from above, to clarify that this is for transporting from .org to .com.)
File: /etc/postfix/main.cf:
~
relay_domains = example.com
~
Transport Definitions
Create a transport table to redirect all mail for one domain as well as mail for "user@mydomain.org" to another domain. You can also specify another port, to bypass port 25 restrictions.
To send mails from a non-standard port, use a .com domain to relay to a .org domain, with the .org relay set to = (basically null) and the .com relay = ...org.
Change MX records in no-ip.com from mail1.no-ip.com to mail.your-domain.org
Log into noip.com, go to DNS and select *.your-domain.com. At the bottom of the page you can change the mail1.no-ip.com record to mail.your-domain.org.
Don't forget to save and lookup the new value using dig -t MX your-domain.com.
Add only the entries you need; extra entries can create a mail loop.
On the DNS for .com, create a TXT record like this
"v=spf1 mx a include:<Domain of .org> ~all"
In plain words it says: for mail claiming to come from you@your-domain.com, the hosts named by the MX and A records of your-domain.com, plus the hosts in the .org domain's SPF record, are authorized senders. The trailing ~all is the softfail qualifier: receiving servers typically accept messages from senders that are not in your SPF record, but mark them as suspicious.
Change your-domain.com postfix/main.cf relay to your-domain.org
File: /etc/postfix/main.cf
relayhost = [mail.your-domain.org]:465
Add your-domain.org unix login on host your-domain.com
File: /etc/postfix/sasl/sasl_passwd
[mail.your-domain.org]:465 you:********
Create a postfix DB from flat file
$ sudo postmap /etc/postfix/sasl/sasl_passwd
Enable TLS on your-domain.org
TLS requires certificate(s) and SASL login verification.
The logon verification is done by Dovecot using the userdb setting pam[1], while the Postfix SASL verification uses a unix pipe /var/spool/postfix/private/auth to talk to Dovecot.
The encryption is enabled by Let's Encrypt certificates (one for the domain, another for each subdomain), over the smtps (port 465) network socket to the client. The master.cf file's -o settings override the main.cf settings, ensuring a connection is only accepted if:
TLS certificate is working and accepted by both parties, on port 465
SASL logon passes, using postfix -> Dovecot -> pam login.
OR
The incoming IP address is part of mynetwork, on port 25
Pluggable Authentication Modules (PAM) is the Linux login method for users.
Two Steps:
install dovecot
The Debian Way
$ sudo apt-get install dovecot-core
The RedHat Way
$ sudo dnf install dovecot
Add login to dovecot auth
File: /etc/dovecot/conf.d/10-auth.conf
~
auth_mechanisms = plain login
~
:wq
Set the certificates to letsencrypt, require ssl and prefer the server's cipher order.
These are the programs where a human interface resides, and where everybody reads, sends, deletes, and manages their E-Mail. Names such as: Thunderbird, Evolution, Mutt, Gmail, Outlook, etc.
Mail Transport Agents (MTA) only connect here. Do not connect your MUA to this port!
SMTP (port 25): This is a restricted relay port, defined on host example.org and controlled by the /etc/postfix/master.cf smtp definition. Only addresses in $mydestination will be accepted, and nothing else will be relayed in. The transport definition will forward to its list of addresses/domains. After a client is authenticated, it will be allowed to relay out on port 25. Process master, forked from postfix, performs this responsibility.
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject: means that only authenticated connections can relay out
Client (MUA) connect here to SEND mail only
SMTPS (port 465): This is defined on host example.org, and is always an encrypted port, controlled by the /etc/postfix/master.cf smtps definition. All authentications occur here. Process master, forked from postfix, performs this responsibility.
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject: means that only $mynetworks or authenticated connections can submit messages to be sent. MUA will connect using this rule.
Authentication is done using /etc/dovecot/conf.d/10-auth.conf auth_mechanism=login definition, over unix pipe unix_listener /var/spool/postfix/private/auth declared in file /etc/dovecot/conf.d/10-master.conf. Linux PAM verification occurs using file /etc/pam.d/dovecot and passdb{driver=pam} in file /etc/dovecot/conf.d/auth-system.conf.ext.
Unix pipe for Postfix to Dovecot authentication of clients.
Client (MUA) connect here to READ/MANAGE mail only
IMAPS (port 993): This is defined on the example.com host Dovecot installation, file /etc/dovecot/conf.d/10-master.conf, section service imap_listener imaps. Process imap, forked from dovecot, performs this responsibility.
Authentication is done using /etc/dovecot/conf.d/10-auth.conf auth_mechanism=plain definition, over unix_listener auth_userdb declared in file /etc/dovecot/conf.d/10-master.conf. Linux PAM verification occurs using file /etc/pam.d/dovecot and passdb{driver=pam} in file /etc/dovecot/conf.d/auth-system.conf.ext.
Port 587, aka submission, is purposely omitted because it uses STARTTLS, where encryption is only negotiated after the connection has started in plain text. This is deemed insecure here and is not recommended.
MUA Connection Definitions
Read Mail
Server: mail.example.com
User: <linux user defined on the E-Mail .com host>
Password: <linux user password defined on the E-Mail .com host>
SSL: ON
Port: 993
Send Mail
Server: smtp.example.org
User: <linux user defined above on the E-Mail .org host>
Password: <linux user password defined above on the E-Mail .org host>
SSL: ON
Port: 465
Debug
If mail queues up to send/resend, you can check and clear the queue:
List mail queue
mailq
Look at message
postcat -vq DCE2182DEA
Flush queue
postsuper -d ALL deferred
or
postqueue -f
Cache files (send/receive) are in data_directory (/var/lib/postfix) as Berkeley DB files.
Install a Mail User Agent for ssh
mutt is a nice local mail reader, for times when the network mail may not work, at least the local mail will.
$ sudo apt-get install mutt
$ sudo dnf install mutt
Install a nice ssh capable log reader
I like lnav. Just run lnav and by default it will read the syslog. Or run lnav /var/log/mail.log.
$ sudo apt-get install lnav
$ sudo dnf install lnav
Install a package marking tool
Debian only: apt-clone will create a nice bundle of all your current packages. Save this off in case you have to re-build your server.
$ sudo apt-get install apt-clone
Certificate Expiration Check
Run /root/cert_expire.sh 2 from cron every week or day to E-Mail you reminders before the certificate expires.
File: ~/cert_expire.sh
#!/bin/bash
# ----------------------------------------------------------------------
#
# File: cert_expire.sh
#
# Purpose: See what the expiration date is for Let's Encrypt Certificate
#
#
# s_client : The s_client command implements a generic SSL/TLS client
#            which connects to a remote host using SSL/TLS.
# -servername $DOM : Set the TLS SNI (Server Name Indication) extension
#            in the ClientHello message to the given value.
# -connect $DOM:$PORT : This specifies the host ($DOM) and optional
#            port ($PORT) to connect to.
# x509 : Run certificate display and signing utility.
# -noout : Prevents output of the encoded version of the certificate.
# -dates : Prints out the start and expiry dates of a TLS or SSL certificate.
#
# Don Cohoon - Jan 2023
# ----------------------------------------------------------------------
#
# stdin is taken from /dev/null so s_client exits right after the handshake
# instead of waiting for input (needed when run from cron).
#
if [ $# -gt 0 ]; then
  A=${1}
else
  /usr/bin/echo "1) E-Mail"
  /usr/bin/echo "2) File"
  /usr/bin/echo "3) Web"
  /usr/bin/echo "4) Local"
  read A
fi
case ${A} in
  1)
    /usr/bin/echo "REMINDER: Restart postfix and dovecot to enable new certs"
    /usr/bin/echo "=> E-Mail Certificate: CTRL-C to exit"
    #/usr/bin/openssl s_client -connect mail.your-domain.org:25 -starttls smtp </dev/null 2>/dev/null | /usr/bin/openssl x509 -noout -dates
    /usr/bin/openssl s_client -connect mail.your-domain.org:465 </dev/null 2>/dev/null | /usr/bin/openssl x509 -noout -dates
    ;;
  2)
    /usr/bin/echo "=> File Certificate"
    sudo /usr/bin/openssl x509 -enddate -noout -in /etc/letsencrypt/live/your-domain.org/fullchain.pem
    ;;
  3)
    /usr/bin/echo "REMINDER: Restart apache2 and nginx to enable new certs"
    /usr/bin/echo "=> www.your-domain.org Certificate: CTRL-C to exit"
    /usr/bin/openssl s_client -servername your-domain.org -connect www.your-domain.org:443 </dev/null 2>/dev/null | /usr/bin/openssl x509 -noout -dates
    ;;
  4)
    /usr/bin/echo "REMINDER: Restart apache2 and nginx to enable new certs"
    /usr/bin/echo "=> Local Web Certificate: CTRL-C to exit"
    /usr/bin/openssl s_client -connect localhost:443 </dev/null 2>/dev/null | /usr/bin/openssl x509 -noout -dates
    ;;
esac
Configuring SPF Policy Agent
We also need to tell our Postfix SMTP server to check the SPF record of incoming emails. This does not help outgoing email delivery, but it helps detect forged incoming emails.
Install required packages:
Debian
sudo apt install postfix-policyd-spf-python
RedHat
sudo dnf install pypolicyd-spf
Test SPF
If you know the sender, recipient, and client_address, you can test them before turning SPF on in Postfix.
The last line of input to policyd-spf must be a blank line.
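The request itself is not shown above. As an added example (not from the guide or from policyd-spf), this builds the Postfix policy request that policyd-spf reads on stdin, with the terminating blank line, and interprets the action= reply; the attribute format follows Postfix's SMTPD_POLICY_README, and the sample addresses are constructed.

```python
"""Build the request Postfix hands to a policy daemon and parse the reply, so
policyd-spf can be tried by hand before it is enabled in main.cf. Added
example, not from the guide or policyd-spf; the attribute format follows
Postfix's SMTPD_POLICY_README and the sample values are constructed."""
import subprocess


def build_policy_request(sender, recipient, client_address,
                         helo_name="", client_name="unknown"):
    """Return what Postfix writes to the policy service for one RCPT command."""
    attrs = [
        ("request", "smtpd_access_policy"),
        ("protocol_state", "RCPT"),
        ("protocol_name", "ESMTP"),
        ("client_address", client_address),
        ("client_name", client_name),
        ("helo_name", helo_name),
        ("sender", sender),
        ("recipient", recipient),
    ]
    # The empty line ends the request; without it policyd-spf keeps waiting
    # for more attributes and never answers.
    return "".join("%s=%s\n" % kv for kv in attrs) + "\n"


def parse_policy_reply(text):
    """Return (verb, rest) from the 'action=...' line of the reply.
    Typical verbs: 'prepend' (adds a Received-SPF header), 'DUNNO' (no
    opinion), or an SMTP code such as '550' that rejects the recipient."""
    for line in text.splitlines():
        if line.startswith("action="):
            verb, _, rest = line[len("action="):].partition(" ")
            return verb, rest.strip()
    raise ValueError("no action= line in policy reply: %r" % text)


def spf_outcome(verb, rest):
    """Translate the reply into what Postfix will do with the message."""
    if verb == "prepend":
        return "accept, header added: " + rest
    if verb.upper() == "DUNNO":
        return "no decision, next restriction decides"
    if verb[:1] in ("4", "5") or verb.lower() in ("reject", "defer", "defer_if_permit"):
        return "rejected or deferred: " + rest
    return "other action: %s %s" % (verb, rest)


def run_policyd_spf(sender, recipient, client_address,
                    binary="/usr/bin/policyd-spf"):
    """Feed one request to a locally installed policyd-spf (Debian path shown;
    RedHat installs it under /usr/libexec/postfix). Needs the package, so the
    self-test does not call it."""
    req = build_policy_request(sender, recipient, client_address)
    proc = subprocess.run([binary], input=req, capture_output=True,
                          text=True, check=True)
    return parse_policy_reply(proc.stdout)
```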
Add the following lines at the end of the file, which tell Postfix to start the SPF policy daemon when it starts itself.
Debian
File: /etc/postfix/master.cf
policyd-spf unix - n n - 0 spawn
user=policyd-spf argv=/usr/bin/policyd-spf
Redhat
File: /etc/postfix/master.cf
policyd-spf unix - n n - 0 spawn
user=nobody argv=/usr/libexec/postfix/policyd-spf
Append the following lines at the end of the file. The first line sets the Postfix policy agent timeout. The following lines restrict incoming email by rejecting unauthorized mail and checking the SPF record.
Next time, when you receive an email from a domain that has an SPF record, you can see the SPF check results in the raw email header. The following header indicates the sender sent the email from an authorized host.
OpenDKIM is an open source implementation of the DKIM (DomainKeys Identified Mail) sender authentication system proposed by the E-mail Signing Technology Group (ESTG), now standardized by the IETF (RFC6376). It also includes implementations of Author Domain Signing Practices (ADSP, RFC5617), the Vouch By Reference (VBR, RFC5518) proposed standard and the experimental Authorized Third Party Signatures protocol (ATPS, RFC6541).
Install OpenDKIM
Debian
sudo apt install opendkim opendkim-tools
RedHat
# enable the CodeReady Linux Builder repository. You already have access to it; you just need to enable it.
dnf config-manager --set-enabled crb
# install the EPEL RPM
dnf install epel-release epel-next-release
# install
sudo dnf install opendkim opendkim-tools
Configure OpenDKIM
Add user postfix to group opendkim.
sudo gpasswd -a postfix opendkim
Check OpenDKIM main configuration file for Syslog, Logwhy.
Logwhy will generate more detailed logs for debugging.
File: /etc/opendkim.conf
Syslog yes
Logwhy yes
Set Canonicalization used when signing messages. The recognized values are relaxed and simple as defined by the DKIM specification. The default is simple. The value may include two different canonicalizations separated by a slash ("/") character, in which case the first will be applied to the header and the second to the body.
Set operating Modes. The string is a concatenation of characters that indicate which mode(s) of operation are desired. Valid modes are s (signer) and v (verifier). The default is sv except in test mode (see the opendkim(8) man page) in which case the default is v. When signing mode is enabled, one of the following combinations must also be set: (a) Domain, KeyFile, Selector, no KeyTable, no SigningTable; (b) KeyTable, SigningTable, no Domain, no KeyFile, no Selector; (c) KeyTable, SetupPolicyScript, no Domain, no KeyFile, no Selector.
File: /etc/opendkim.conf
Canonicalization relaxed/simple
Mode sv
Do not set Domain or SubDomains, they are not required because we will use SigningTable.
Do not set Selector, it is not required because we will use SigningTable.
Do not set KeyFile, it is not required because we will use KeyTable.
Add restart definitions to the end of the file.
AutoRestart (Boolean): Automatically re-start on failures. Use with caution; if the filter fails instantly after it starts, this can cause a tight fork(2) loop.
AutoRestartCount (integer): Sets the maximum automatic restart count. After this number of automatic restarts, the filter will give up and terminate. A value of 0 implies no limit; this is the default.
AutoRestartRate (string): Sets the maximum automatic restart rate. If the filter begins restarting faster than the rate defined here, it will give up and terminate. This is a string of the form n/t[u] where n is an integer limiting the count of restarts in the given interval and t[u] defines the time interval through which the rate is calculated; t is an integer and u defines the units thus represented ("s" or "S" for seconds, the default; "m" or "M" for minutes; "h" or "H" for hours; "d" or "D" for days). For example, a value of "10/1h" limits the restarts to 10 in one hour. There is no default, meaning restart rate is not limited.
The next two configuration items will create maps for E-Mail Domains in the From: header, to keys used to sign messages.
KeyTable (dataset): Gives the location of a file mapping key names to signing keys. If present, overrides any KeyFile setting in the configuration file. The data set named here maps each key name to three values: (a) the name of the domain to use in the signature’s "d=" value; (b) the name of the selector to use in the signature’s "s=" value; and (c) either a private key or a path to a file containing a private key. If the first value consists solely of a percent sign ("%") character, it will be replaced by the apparent domain of the sender when generating a signature. If the third value starts with a slash ("/") character, or "./" or "../", then it is presumed to refer to a file from which the private key should be read, otherwise it is itself a PEM-encoded private key or a base64-encoded DER private key; a "%" in the third value in this case will be replaced by the apparent domain name of the sender. The SigningTable (see below) is used to select records from this table to be used to add signatures based on the message sender.
SigningTable (dataset): Defines a table used to select one or more signatures to apply to a message based on the address found in the From: header field. Keys in this table vary depending on the type of table used; values in this data set should include one field that contains a name found in the KeyTable (see above) that identifies which key should be used in generating the signature, and an optional second field naming the signer of the message that will be included in the "i=" tag in the generated signature. Note that the "i=" value will not be included in the signature if it conflicts with the signing domain (the "d=" value).
If the first field contains only a "%" character, it will be replaced by the domain found in the From: header field. Similarly, within the optional second field, any "%" character will be replaced by the domain found in the From: header field.
If this table specifies a regular expression file ("refile"), then the keys are wildcard patterns that are matched against the address found in the From: header field. Entries are checked in the order in which they appear in the file.
For all other database types, the full user@host is checked first, then simply host, then user@.domain (with all superdomains checked in sequence, so "foo.example.com" would first check "user@foo.example.com", then "user@.example.com", then "user@.com"), then .domain, then user@, and finally .
In any case, only the first match is applied, unless MultipleSignatures is enabled in which case all matches are applied.
Identifies a set of "external" hosts that may send mail through the server as one of the signing domains without credentials as such. This has the effect of suppressing the "external host (hostname) tried to send mail as (domain)" log messages. Entries in the data set should be of the same form as those of the PeerList option below. The set is empty by default.
A set of internal hosts whose mail should be signed
Identifies a set of internal hosts whose mail should be signed rather than verified. Entries in this data set follow the same form as those of the PeerList option below. If not specified, the default of "127.0.0.1" is applied. Naturally, providing a value here overrides the default, so if mail from 127.0.0.1 should be signed, the list provided here should include that address explicitly.
File: /etc/opendkim.conf
InternalHosts refile:/etc/opendkim/TrustedHosts
Save and close the file.
Create Signing Table, Key Table and Trusted Hosts File
The first line tells OpenDKIM that if a sender on your server is using a @your-domain.com address, then it should be signed with the private key identified by default._domainkey.your-domain.com.
The second line tells that your sub-domains will be signed by the private key also.
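An added example, not OpenDKIM code, that predicts which SigningTable entry a given From: address will hit: it reproduces the plain-table key sequence quoted earlier (user@host, host, user@.domain, .domain, user@, and finally .) and the first-match wildcard handling of a refile table with a domain line and a subdomain line as just described. The tables are constructed.

```python
"""Predict which SigningTable entry OpenDKIM will pick for a From: address,
for the plain lookup order quoted above and for a 'refile' wildcard table
such as the two lines described above. Added example, not OpenDKIM code;
the tables are constructed."""
import fnmatch


def signing_table_keys(from_addr):
    """Keys tried, in order, for a non-refile table: user@host, host,
    user@.domain for each superdomain, .domain for each superdomain,
    user@, and finally '.'."""
    user, _, host = from_addr.lower().rpartition("@")
    labels = host.split(".")
    superdomains = [".".join(labels[i:]) for i in range(1, len(labels))]
    keys = ["%s@%s" % (user, host), host]
    keys += ["%s@.%s" % (user, d) for d in superdomains]
    keys += [".%s" % d for d in superdomains]
    keys += ["%s@" % user, "."]
    return keys


def lookup_plain(table, from_addr):
    """First key present in the table wins. Returns (key, value) or (None, None)."""
    for key in signing_table_keys(from_addr):
        if key in table:
            return key, table[key]
    return None, None


def lookup_refile(patterns, from_addr, multiple_signatures=False):
    """refile tables are (pattern, value) pairs checked in file order; '*'
    matches any run of characters. Only the first match applies unless
    MultipleSignatures is enabled."""
    addr = from_addr.lower()
    matches = [(p, v) for p, v in patterns if fnmatch.fnmatchcase(addr, p.lower())]
    return matches if multiple_signatures else matches[:1]


# constructed plain table: keyed by full address, domain, or .domain
PLAIN_TABLE = {
    "bob@your-domain.com": "bob._domainkey.your-domain.com",
    "your-domain.com": "default._domainkey.your-domain.com",
    ".your-domain.com": "sub._domainkey.your-domain.com",
}
# constructed refile table: one line for the domain, one for its subdomains
REFILE_TABLE = [
    ("*@your-domain.com", "default._domainkey.your-domain.com"),
    ("*@*.your-domain.com", "default._domainkey.your-domain.com"),
]

if __name__ == "__main__":
    for addr in ("bob@your-domain.com", "alice@mail.your-domain.com", "x@other.org"):
        print(addr, "->", lookup_plain(PLAIN_TABLE, addr), lookup_refile(REFILE_TABLE, addr))
```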
Tell OpenDKIM if an email is from localhost or the same domain, then only sign the email, and not perform DKIM verification.
File: /etc/opendkim/TrustedHosts
127.0.0.1
localhost
.your-domain.com
Save and close the file.
Do not add an asterisk to the domain name like this: *.your-domain.com. Put only a dot before the domain name.
Generate Private/Public Keypair
DKIM is used to sign outgoing messages and verify incoming messages, so we need to generate a private key for signing and a public key for remote verifier. Only the public key will be published in DNS.
Create a separate folder for the domain.
sudo mkdir /etc/opendkim/keys/your-domain.com
Generate keys using opendkim-genkey tool.
You should rotate in new keys every once in a while for protection against private key leaks. Allow seven days before deleting the old keys so that E-Mails already sent can still be delivered.
sudo opendkim-genkey -b 2048 -d your-domain.com -D /etc/opendkim/keys/your-domain.com -s default -v
opendkim-genkey: generating private key
opendkim-genkey: private key written to default.private
opendkim-genkey: extracting public key
opendkim-genkey: DNS TXT record written to default.txt
The above command creates a 2048-bit key pair. -d (domain) specifies the domain. -D (directory) specifies the directory where the keys will be stored, and we use default as the selector (-s), also known as the name. Once the command has run, the private key is written to the default.private file and the public key to the default.txt file.
sudo cat /etc/opendkim/keys/your-domain.com/default.txt
default._domainkey IN TXT ( "v=DKIM1; k=rsa; "
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAutisB7xnL1B1j88Er2VsEd6WuwifqSThKEcrnlkhnsVhs/UkCd2lHL+dZwivjbfH+4RXIP0LK9shGokPwaA2MHNH3GgAuWZ/Wb6ZrZwqDlmHy+H6Q0/cLsB2Py2HFthq1JUhHW31ZOIqa4qOn2suBntQdizGExHsuMMb1nJpu0lgFJLU848qPQO76QMTcC/TyssiCjLXXSQEsS"
"Kx0UmeODJ43NKAAS0OqkGBD2UE7/SW54bVpESK32lTIfzk91OdW+zDMzX6myToJtEE9WgOkgD2evSTp02dhKBBRkQvGJ0SF7el34e/smeS+XvodjjOvP2f3qW5cLvrCRByIkFzRwIDAQAB" ) ; ----- DKIM key default for your-domain.com
The string after the p parameter is the public key. It spans two lines in the cat output because the limit per line is 256 characters; in the DNS record it should be one long string with no quotes.
In your DNS manager,
* create a TXT record,
* enter default._domainkey in the name field.
* Copy everything between the parentheses and paste it into the value field of the DNS record. Delete all double quotes and white spaces in the value field. Join all the lines into one line.
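As an added example (not part of opendkim-tools or the guide), this reads a default.txt in the format shown above, joins the quoted chunks into the one-line value for the DNS TXT record, and sanity-checks it before you paste it. The sample file is constructed with a short fake key so it runs offline.

```python
"""Turn the default.txt written by opendkim-genkey into the single-line DNS
TXT value described above and sanity-check it. Added example, not part of
opendkim-tools; SAMPLE_DEFAULT_TXT is constructed around a fake key."""
import base64
import re

# Constructed stand-in for a public key: a DER-looking prefix and zero bytes.
FAKE_KEY_B64 = base64.b64encode(b"\x30\x82\x01\x22" + bytes(60)).decode()
SAMPLE_DEFAULT_TXT = (
    'default._domainkey\tIN\tTXT\t( "v=DKIM1; k=rsa; "\n'
    '\t  "p=%s"\n'
    '\t  "%s" )  ; ----- DKIM key default for your-domain.com\n'
) % (FAKE_KEY_B64[:40], FAKE_KEY_B64[40:])


def dns_value_from_default_txt(text):
    """Return (record_name, value): every quoted chunk between the parentheses
    joined together, with the quotes, line breaks and trailing comment gone."""
    m = re.match(r'\s*(\S+)\s+IN\s+TXT\s*\((.*?)\)', text, re.S)
    if not m:
        raise ValueError("not an opendkim-genkey TXT record")
    name, body = m.group(1), m.group(2)
    return name, "".join(re.findall(r'"([^"]*)"', body))


def dkim_tags(value):
    """Split 'v=DKIM1; k=rsa; p=...' into a dict of tag name -> value."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def check_dkim_record(value):
    """Problems to fix before pasting: v=DKIM1 must come first, k must be rsa,
    p= must be clean base64 that decodes to a DER SEQUENCE (0x30)."""
    tags = dkim_tags(value)
    problems = []
    if not value.startswith("v=DKIM1"):
        problems.append("record must start with v=DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append("unexpected key type %r" % tags.get("k"))
    p = tags.get("p", "")
    if " " in p or '"' in p:
        problems.append("p= still contains quotes or white space")
    try:
        der = base64.b64decode(p, validate=True)
        if der[:1] != b"\x30":
            problems.append("p= does not decode to a DER SEQUENCE")
    except ValueError:           # binascii.Error is a ValueError
        problems.append("p= is not valid base64")
    return problems


if __name__ == "__main__":
    name, value = dns_value_from_default_txt(SAMPLE_DEFAULT_TXT)
    print(name, "->", value)
    print("problems:", check_dkim_record(value))
```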
If all else fails, you can configure OpenDKIM to use a TCP/IP socket instead of Unix local socket.
File: /etc/opendkim.conf
Socket inet:8892@localhost
File: /etc/postfix/main.cf
smtpd_milters = inet:127.0.0.1:8892
Restart OpenDKIM and Postfix.
sudo systemctl restart opendkim postfix
Now Postfix will connect to OpenDKIM via the TCP/IP socket.
Configuration Error in Email Client
DKIM signing could fail if you do not use STARTTLS or SSL/TLS.
Type  Port  Encryption  Password
----  ----  ----------  --------
SMTP  587   STARTTLS    Normal
IMAP  143   STARTTLS    Normal
SMTP  465   SSL/TLS     Normal
IMAP  993   SSL/TLS     Normal
Wrong Settings
Port 25 as the SMTP port in mail clients to submit outgoing emails.
No encryption method was selected.
Testing Email Score and Placement
Visit Mail-Tester https://www.mail-tester.com and send an E-Mail to the unique email address displayed on the home page. They will analyze it and return a sender score.
GlockApps https://glockapps.com/ will show you where your emails are being delivered at Gmail, Outlook, & all major ISPs.
What is DMARC?
DMARC stands for Domain-based Message Authentication, Reporting and Conformance. DMARC is a protocol for protecting your Internet domain from abuse.
It extends SPF and DKIM using another DNS entry.
Originators of Internet Mail need to be able to associate reliable and authenticated domain identifiers with messages, communicate policies about messages that use those identifiers, and report about mail using those identifiers. These abilities have several benefits: Receivers can provide feedback to Domain Owners about the use of their domains; this feedback can provide valuable insight about the management of internal operations and the presence of external domain name abuse.
DMARC policies are published as a TXT record in DNS.
Before creating a DMARC record, you must first create SPF and DKIM records.
Send a test email from your domain, and check the raw email headers at the recipient’s mailbox.
Ensure the domain is the same in:
Return-path: you@domain
From: you@domain
d=domain in the DKIM signature
If the 3 domains are identical, then they are aligned.
If Return-Path: or DKIM d= uses a subdomain instead of the main domain name, then this is called relaxed alignment. If no subdomain is used and the main domain names are the same, it’s called strict alignment.
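An added example (not from the guide) that pulls the three identifiers out of a message's headers and classifies each as strict, relaxed or not aligned the way the text above describes. It assumes the organizational domain is the last two labels (a simplification; real receivers consult the Public Suffix List), goes one step further by using the DMARC record tags aspf/adkim to decide whether relaxed alignment counts, and the headers are constructed.

```python
"""Classify DMARC identifier alignment for one message from its headers.
Added example, not from the guide; org_domain() is a simplification and
SAMPLE_HEADERS is constructed."""
import email
import re

SAMPLE_HEADERS = """\
Return-Path: <bounce@mail.your-domain.com>
From: You <you@your-domain.com>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=your-domain.com;
\ts=default; h=from:to:subject; bh=...; b=...
"""


def org_domain(domain):
    """Assumption: organizational domain = last two labels (no Public Suffix List)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def alignment(identifier, from_domain):
    """'strict' if identical, 'relaxed' if they share an organizational
    domain, None if they do not align at all (or the identifier is missing)."""
    if identifier is None:
        return None
    identifier, from_domain = identifier.lower(), from_domain.lower()
    if identifier == from_domain:
        return "strict"
    if org_domain(identifier) == org_domain(from_domain):
        return "relaxed"
    return None


def addr_domain(header_value):
    """Domain part of the first address in a From: or Return-Path: header."""
    m = re.search(r"@([A-Za-z0-9.-]+)", header_value or "")
    return m.group(1).lower() if m else None


def dkim_d(signature):
    """The d= tag of a DKIM-Signature header (the signing domain)."""
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", signature or "")
    return m.group(1).lower() if m else None


def check_alignment(raw_headers):
    """Return the From: domain and the SPF (Return-Path) and DKIM (d=) alignment."""
    msg = email.message_from_string(raw_headers)
    from_domain = addr_domain(msg.get("From"))
    return {
        "from": from_domain,
        "spf": alignment(addr_domain(msg.get("Return-Path")), from_domain),
        "dkim": alignment(dkim_d(msg.get("DKIM-Signature")), from_domain),
    }


def passes_dmarc(result, spf_passed, dkim_passed, aspf="r", adkim="r"):
    """DMARC passes when SPF or DKIM passed *and* that identifier is aligned.
    aspf/adkim are DMARC record tags (not covered above): 's' demands strict
    alignment, 'r' (the default) also accepts relaxed."""
    def ok(mode, align):
        return align == "strict" or (mode == "r" and align == "relaxed")
    return bool((spf_passed and ok(aspf, result["spf"]))
                or (dkim_passed and ok(adkim, result["dkim"])))


if __name__ == "__main__":
    print(check_alignment(SAMPLE_HEADERS))
```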
DMARC Record TXT
Domain Owner DMARC preferences are stored as DNS TXT records in subdomains named "_dmarc". For example, the Domain Owner of "example.com" would post DMARC preferences in a TXT record at "_dmarc.example.com".
In your Domain Registration DNS manager add a new TXT record.
v=DMARC1: Version (plain-text; REQUIRED). Identifies the record retrieved
as a DMARC record. It MUST have the value of "DMARC1".
p=none: Requested Mail Receiver policy (plain-text; REQUIRED for policy
records).
pct=100: (plain-text integer between 0 and 100, inclusive; OPTIONAL;
default is 100). Percentage of messages from the Domain Owner's
mail stream to which the DMARC policy is to be applied.
rua: Addresses to which aggregate feedback is to be sent (comma-
separated plain-text list of DMARC URIs; OPTIONAL).
There are 3 policies you can choose from:
none: The Domain Owner requests no specific action be taken
regarding delivery of messages.
quarantine: The Domain Owner wishes to have email that fails the
DMARC mechanism check be treated by Mail Receivers as
suspicious.
reject: The Domain Owner wishes for Mail Receivers to reject
email that fails the DMARC mechanism check. Rejection SHOULD
occur during the SMTP transaction.
Another option to consider is:
fo: Failure reporting options (plain-text; OPTIONAL; default is "0")
Provides requested options for generation of failure reports.
Report generators MAY choose to adhere to the requested options.
This tag's content MUST be ignored if a "ruf" tag (below) is not
also specified. The value of this tag is a colon-separated list
of characters that indicate failure reporting options as follows:
0: Generate a DMARC failure report if all underlying
authentication mechanisms fail to produce an aligned "pass"
result.
1: Generate a DMARC failure report if any underlying
authentication mechanism produced something other than an
aligned "pass" result.
d: Generate a DKIM failure report if the message had a signature
that failed evaluation, regardless of its alignment. DKIM-
specific reporting is described in [AFRF-DKIM].
s: Generate an SPF failure report if the message failed SPF
evaluation, regardless of its alignment. SPF-specific
reporting is described in [AFRF-SPF].
ruf: Addresses to which message-specific failure information is to
be reported (comma-separated plain-text list of DMARC URIs;
OPTIONAL). If present, the Domain Owner is requesting Mail
Receivers to send detailed failure reports about messages that
fail the DMARC evaluation in specific ways (see the "fo" tag
above).
Try fo=1 at first for detailed DMARC failure reports. When you change to a more restrictive policy, use fo=0.
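An added example (not from the guide) that parses a _dmarc TXT record and checks it against the tag rules quoted above: v=DMARC1 first, p required and one of the three policies, pct between 0 and 100 with default 100, and fo= meaningless without ruf=. It goes one step further by applying pct= to messages outside the sampled fraction as RFC 7489 describes. The records are constructed.

```python
"""Parse and sanity-check a DMARC record using the tag rules quoted above.
Added example, not from the guide; the records in the self-test are constructed."""

POLICIES = ("none", "quarantine", "reject")
FO_OPTIONS = {"0", "1", "d", "s"}


def dmarc_record_name(domain):
    """DMARC preferences live in a TXT record on the _dmarc subdomain."""
    return "_dmarc." + domain.strip(".")


def parse_dmarc(record):
    """Return (tags, problems). tags keeps raw values plus the defaults for
    pct and fo; problems lists everything that would make the record invalid
    or ineffective."""
    problems, tags = [], {}
    parts = [p.strip() for p in record.split(";") if p.strip()]
    for part in parts:
        if "=" not in part:
            problems.append("tag without value: %r" % part)
            continue
        k, v = (x.strip() for x in part.split("=", 1))
        if k in tags:
            problems.append("duplicate tag %s" % k)
        tags[k] = v
    if not parts or not parts[0].startswith("v=") or tags.get("v") != "DMARC1":
        problems.append("record must begin with v=DMARC1")
    if "p" not in tags:
        problems.append("p= is required")
    elif tags["p"] not in POLICIES:
        problems.append("unknown policy %r" % tags["p"])
    pct = tags.setdefault("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        problems.append("pct must be an integer between 0 and 100")
    for uri_tag in ("rua", "ruf"):
        for uri in tags.get(uri_tag, "").split(","):
            if uri and not uri.strip().startswith("mailto:"):
                problems.append("%s URI should be mailto:, got %r" % (uri_tag, uri))
    if "fo" in tags:
        if "ruf" not in tags:
            problems.append("fo= is ignored because no ruf= is present")
        elif not set(tags["fo"].split(":")) <= FO_OPTIONS:
            problems.append("fo= contains unknown options")
    tags.setdefault("fo", "0")
    return tags, problems


def effective_policy(tags, draw):
    """draw is the receiver's random number in 0..99. Messages inside the pct
    sample get p=; the rest get the next less strict policy (reject ->
    quarantine, quarantine -> none), as RFC 7489 describes."""
    p = tags["p"]
    if p == "none" or draw < int(tags.get("pct", "100")):
        return p
    return {"reject": "quarantine", "quarantine": "none"}[p]


if __name__ == "__main__":
    print(dmarc_record_name("your-domain.com"))
    print(parse_dmarc("v=DMARC1; p=none; rua=mailto:dmarc@your-domain.com; fo=1"))
```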
Send an email from your domain to another domain's account. If DMARC is configured correctly then you will see dmarc=pass in the Authentication-Results: header.
Daily XML-based [1] aggregate report generated by Gmail, Yahoo, Hotmail, etc.
Real-time forensic reports (copies of individual pieces of email that fail the DMARC check)
Normally you only want to receive the aggregate (rua) report. The data DMARC produces is invaluable for understanding what is going on with any given email domain, but raw DMARC report data is hard to read and understand.
Postmark offers a free service to process these reports. The nice part about Postmark is that you can tell receiving email servers to send XML reports directly to Postmark for processing. So instead of entering your email address in the DMARC record, you enter an email address of postmarkapp.com that is unique to you.
After your DMARC record has been verified by Postmark, you will receive a DMARC report weekly every Monday in your email inbox. You don’t need to register an account at Postmark.
Many other firms exist to create DMARC reports. If you are into a lot of E-Mail marketing, you should check some more out.