spf – Random thoughts https://random.sphere.ro for when you get older and memory does't help you further Thu, 17 Sep 2020 12:32:31 +0000 en-AU hourly 1 https://wordpress.org/?v=6.7.5 DMARC / Spamassassin / Qmail https://random.sphere.ro/dmarc-on-spamassassin/ https://random.sphere.ro/dmarc-on-spamassassin/#comments Mon, 12 Aug 2019 09:10:03 +0000 https://random.sphere.ro/?p=93 There are a lot of articles regarding DMARC so i will not start again about what it is and what is useful for. Also i will not talk about the drawbacks when it’s implemented. I will instead give you a hint about where to generate a DMARC policy  and where to verify it. Until you…

Read More Read More

The post DMARC / Spamassassin / Qmail appeared first on Random thoughts.

]]> There are a lot of articles regarding DMARC so i will not start again about what it is and what is useful for. Also i will not talk about the drawbacks when it’s implemented. I will instead give you a hint about where to generate a DMARC policy  and where to verify it.

Until you understand the essence please also be very conservative about the policies that you apply. The example of deployment found it on google it provides the way you should do it as well. More exactly:

  1. p=none pct=100
  2. p=quarantine pct=1
  3. p=quarantine pct=5
  4. p=quarantine pct=10
  5. p=quarantine pct=25
  6. p=quarantine pct=50
  7. p=quarantine pct=100
  8. p=reject pct=1
  9. p=reject pct=5
  10. p=reject pct=10
  11. p=reject pct=25
  12. p=reject pct=50
  13. p=reject pct=100

Now that you already implemented it you might receive reports(if you provided rua/ruf) about what is happening with your domains.

But what about implementing DMARC in your MTA? Usually the straight answer will be opendmarc but depending your MTA the installation will not be very  easy. Since here we will talk about Qmail the solutions found by me in this moment are:

1) Qpsmtpd and opendmarc. Please also see.

2) A perl plugin written for spam-assassin.

3) Using AskDNS plugin already available in spamassasin like this:

ifplugin Mail::SpamAssassin::Plugin::AskDNS
askdns __DMARC_POLICY_NONE _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=none;/
askdns __DMARC_POLICY_QUAR _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=quarantine;/
askdns __DMARC_POLICY_REJECT _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=reject;/

meta DMARC_REJECT !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_REJECT
score DMARC_REJECT 10
meta DMARC_QUAR !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_QUAR
score DMARC_QUAR 5
meta DMARC_NONE !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_NONE
score DMARC_NONE 0.1
endif

Obviously edit the scores according to you needs.

4) After this article was written I’ve found out from here (btw great blog about qmail)  there is another tool to use it. You can find it here.

So, what was your solution for Qmail and DMARC ? What do you use ? How do you use it ?

 

Later edit(17/09/2020): A plugin for spamassassin was created. This is maintained and i believe it will introduced in core in the next releases. You can find references here and here.

 

 

The post DMARC / Spamassassin / Qmail appeared first on Random thoughts.

]]> https://random.sphere.ro/dmarc-on-spamassassin/feed/ 8