DMARC / Spamassassin / Qmail


There are a lot of articles about DMARC, so I will not go over again what it is and what it is useful for. I also will not talk about the drawbacks of implementing it. Instead, I will give you a hint about where to generate a DMARC policy and where to verify it.

Until you understand the essence, please be very conservative about the policies that you apply. The deployment example found on Google shows the way you should do it as well. More exactly:

  1. p=none pct=100
  2. p=quarantine pct=1
  3. p=quarantine pct=5
  4. p=quarantine pct=10
  5. p=quarantine pct=25
  6. p=quarantine pct=50
  7. p=quarantine pct=100
  8. p=reject pct=1
  9. p=reject pct=5
  10. p=reject pct=10
  11. p=reject pct=25
  12. p=reject pct=50
  13. p=reject pct=100

Now that you have implemented it, you might receive reports (if you provided rua/ruf) about what is happening with your domains.

But what about implementing DMARC in your MTA? Usually the straight answer is opendmarc, but depending on your MTA the installation will not be very easy. Since we are talking about Qmail here, the solutions I have found so far are:

1) Qpsmtpd and opendmarc. Please also see.

2) A Perl plugin written for SpamAssassin.

3) Using the AskDNS plugin already available in SpamAssassin, like this:

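```
ifplugin Mail::SpamAssassin::Plugin::AskDNS
# Look up the DMARC record of the From: header domain and classify its policy.
# The p= tag may be the last tag in the record, with no trailing semicolon.
askdns __DMARC_POLICY_NONE _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=none\s*(?:;|$)/
askdns __DMARC_POLICY_QUAR _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=quarantine\s*(?:;|$)/
askdns __DMARC_POLICY_REJECT _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=reject\s*(?:;|$)/

# Fire only when neither an author-domain DKIM signature nor SPF passed.
# SPF_PASS covers the envelope sender; it is not checked for alignment with
# the From: domain, and the pct= tag of the record is not taken into account.
meta DMARC_REJECT !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_REJECT
score DMARC_REJECT 10
meta DMARC_QUAR !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_QUAR
score DMARC_QUAR 5
meta DMARC_NONE !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_NONE
score DMARC_NONE 0.1
endif
```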

Obviously, edit the scores according to your needs.

4) After this article was written I found out from here (btw, a great blog about qmail) that there is another tool you can use. You can find it here.
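The AskDNS rules in option 3 only match the p= tag and test SPF_PASS / DKIM_VALID_AU. The following added example (not from the original post and not SpamAssassin code) goes beyond them to show a fuller evaluation: parsing the record, checking identifier alignment, and honouring pct from the rollout list above. The function names, the simplified parent/child alignment test and the sample record are assumptions made for illustration.

```python
import re

NEXT_LOWER = {"reject": "quarantine", "quarantine": "none", "none": "none"}

def parse_dmarc(txt):
    """Return {'p': policy, 'pct': int} for a DMARC TXT record, else None."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]  # tolerates a trailing ';'
    if not parts or not re.fullmatch(r"v\s*=\s*DMARC1", parts[0]):
        return None                      # v=DMARC1 must be the first tag
    tags = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if sep:
            tags.setdefault(key.strip().lower(), value.strip())
    policy = tags.get("p", "").lower()   # 'sp' is a separate key, never confused with 'p'
    if policy not in NEXT_LOWER:
        return None                      # simplification: unusable record means no policy
    pct = tags.get("pct", "100")
    return {"p": policy, "pct": min(int(pct), 100) if pct.isdigit() else 100}

def aligned(auth_domain, from_domain):
    """Relaxed alignment, approximated as same domain or parent/child.
    Assumption: a full check compares organizational domains (Public Suffix List)."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return bool(a) and (a == f or a.endswith("." + f) or f.endswith("." + a))

def disposition(txt, from_domain, spf_domain, dkim_domain, sample):
    """spf_domain / dkim_domain: domain that passed SPF / DKIM, or '' if it failed.
    sample: per-message number in [0, 100) used for pct sampling."""
    rec = parse_dmarc(txt)
    if rec is None:
        return "no-policy"
    if aligned(spf_domain, from_domain) or aligned(dkim_domain, from_domain):
        return "pass"
    if sample >= rec["pct"]:
        return NEXT_LOWER[rec["p"]]      # outside pct: apply the next lower policy
    return rec["p"]

# Constructed sample: SPF passed for an unrelated bounce domain, DKIM failed.
RECORD = "v=DMARC1; p=reject; pct=5"
if __name__ == "__main__":
    for sample in (3, 50):
        print(sample, disposition(RECORD, "example.com", "bounce.other.net", "", sample))
```

An SPF pass for an unrelated envelope domain does not satisfy DMARC here, which is the case the SPF_PASS test in the meta rules cannot distinguish.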

So, what was your solution for Qmail and DMARC? What do you use? How do you use it?

One Reply to “DMARC / Spamassassin / Qmail”

  1. Hi, I’ve just tested askDNS as recommended above and it just works! Thank you, I think I’m going to add a note about it on my blog as well and refer to this page for additional info
