{"id":362,"date":"2016-05-05T02:02:23","date_gmt":"2016-05-05T00:02:23","guid":{"rendered":"https:\/\/blog.unetresgrossebite.com\/?p=362"},"modified":"2016-05-05T02:44:09","modified_gmt":"2016-05-05T00:44:09","slug":"dmarc","status":"publish","type":"post","link":"https:\/\/blog.unetresgrossebite.com\/?p=362","title":{"rendered":"DMARC"},"content":{"rendered":"<p>Today we will discuss DMARC, <a href=\"https:\/\/tools.ietf.org\/html\/rfc7489\">a relatively new standard<\/a>, considering the <a href=\"https:\/\/tools.ietf.org\/html\/rfc821\">aging protocol<\/a> it applies to.<\/p>\n<p>DMARC stands for Domain-based Message Authentication, Reporting and Conformance. It relies on a couple of older standards: DKIM (discussed <a href=\"https:\/\/blog.unetresgrossebite.com\/?p=105\">here<\/a>) and SPF. Having properly configured both, setting up DMARC is just a formality.<\/p>\n<p>DMARC can be used to audit your mail system, getting reports on who sends messages and where they are sent from. DMARC&#8217;s main purpose, though, is more likely to address phishing. Then again, as with DKIM or SPF, DMARC&#8217;s effectiveness is strongly bound to its adoption.<\/p>\n<p>DMARC relies on a TXT record defining a policy for your domain (not to be confused with SPF), which ultimately instructs remote SMTP servers on how to treat messages failing &#8220;sender alignment&#8221; (the <em>From<\/em> field of your envelope, the <em>From<\/em> field of your headers and your DKIM signature must match). Additionally, you can request that reports be sent back to some third-party mailbox.<\/p>\n<p>Our TXT record is a semicolon-separated concatenation of &#8220;tags&#8221;. 
The first couple of tags are mandatory, several others are optional:<\/p>\n<ul>\n<li><em>v<\/em> is the (required) protocol version, usually <em>v=DMARC1<\/em><\/li>\n<li><em>p<\/em> is the (required) policy for your domain, can be <em>p=reject<\/em>, <em>p=none<\/em> or <em>p=quarantine<\/em><\/li>\n<li><em>sp<\/em> is the policy that should be applied to messages sent by sub-domains of the zone you are configuring. Defaults to your global (<em>p<\/em>) policy, although you may not want it so (<em>p=quarantine;sp=reject<\/em>)<\/li>\n<li><em>rua<\/em> is the address aggregate DMARC reports should be sent to, and would look like <em>rua=mailto:admins@example.com<\/em>; note that if the report receiver&#8217;s mailbox is not served within the domain you are defining this DMARC tag for, there is an <a href=\"http:\/\/www.zytrax.com\/books\/dns\/ch9\/dmarc.html#rua\">additional DNS record to be defined on the receiver&#8217;s end<\/a><\/li>\n<li><em>ruf<\/em> is the (optional) address forensic DMARC reports should be sent to, and works pretty much as <em>rua<\/em> does<\/li>\n<li><em>rf<\/em> is the format for failure reports. Defaults to AFRF (<em>rf=afrf<\/em>), which is defined by <a href=\"https:\/\/tools.ietf.org\/html\/rfc5965\">RFC5965<\/a>; can be set to IODEF (<em>rf=iodef<\/em>), which is defined by <a href=\"https:\/\/tools.ietf.org\/html\/rfc5070\">RFC5070<\/a>.<\/li>\n<li><em>ri<\/em> is the number of seconds to wait between aggregate reports. Defaults to 86400 (<em>ri=86400<\/em>), one report per day.<\/li>\n<li><em>fo<\/em> instructs the receiving MTA on what kind of failure reports the sender expects. Defaults to 0 (<em>fo=0<\/em>), which triggers a report only if both DKIM and SPF checks fail. Can be set to 1 (<em>fo=1<\/em>), sending a report if either the DKIM or the SPF check fails. Can be set to d (<em>fo=d<\/em>) to send a report if the DKIM check failed, or s (<em>fo=s<\/em>) if the SPF check failed. 
May be set to a colon-separated concatenation of values (<em>fo=d:s<\/em>).<\/li>\n<li><em>pct<\/em> is the percentage of messages that should be processed according to your DMARC policy; can be used to adopt DMARC gradually. Defaults to 100 (<em>pct=100<\/em>)<\/li>\n<li><em>adkim<\/em> defines how strictly sender alignment is checked against the DKIM signature. Defaults to relaxed (<em>adkim=r<\/em>), meaning that as long as your sender address&#8217;s domain matches the DKIM domain, or any of its sub-domains, your message will match. Can be set to strict (<em>adkim=s<\/em>) to ensure your sender&#8217;s domain is an exact match for your DKIM signature.<\/li>\n<li><em>aspf<\/em> defaults to relaxed (<em>aspf=r<\/em>), which allows you to use distinct sub-domains in the <em>From<\/em> field of your envelope and of your headers. Can be set to strict (<em>aspf=s<\/em>), ensuring these match.<\/li>\n<\/ul>\n<p>In most cases, the defaults would suit you. Better define a reporting address though, and make sure you&#8217;ll receive alerts for both SPF and DKIM errors. A minimalist record would look like:<\/p>\n<p><code>$ORIGIN example.com.<br \/>\n_dmarc TXT \"v=DMARC1;p=quarantine;fo=1;rua=mailto:monitoring@example.com;ruf=mailto:admins@example.com\"<\/code><\/p>\n<p>Ultimately, you may want to drop unexpected sub-domain communications as well:<br \/>\n<code>$ORIGIN example.com.<br \/>\n_dmarc TXT \"v=DMARC1;p=quarantine;sp=reject;adkim=s;aspf=s;fo=1;rua=mailto:monitoring@example.com;ruf=mailto:admins@example.com\"<\/code><\/p>\n<p>Note that in their support, Google recommends <a href=\"https:\/\/support.google.com\/a\/answer\/2466563?hl=en\">slow adoption<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Today we will discuss DMARC,\u00a0a relatively new standard, considering the aging protocol it applies to. DMARC stands for\u00a0Domain-based Message Authentication Reporting and Conformance. It\u00a0relies on a couple older standards: DKIM (discussed here) and SPF. 
Having properly configured both, setting up DMARC is just a formality. DMARC can be used to audit your mail system, getting [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[8,10,6,2],"tags":[],"_links":{"self":[{"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=\/wp\/v2\/posts\/362"}],"collection":[{"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=362"}],"version-history":[{"count":5,"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=\/wp\/v2\/posts\/362\/revisions"}],"predecessor-version":[{"id":364,"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=\/wp\/v2\/posts\/362\/revisions\/364"}],"wp:attachment":[{"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=362"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=362"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=362"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}