DMARC, SPF and DKIM

Russell Coker russell at coker.com.au
Thu Dec 24 12:50:09 AEDT 2015


On Thu, 24 Dec 2015 08:38:07 AM Jason White via luv-main wrote:
> I've spent time today trying to configure SPF, DKIM and DMARC for my
> domain.
> 
> Experience will determine how successful I have been.
> 
> The next step is to configure my mail system, running Postfix, to check
> inbound mail using these mechanisms. Which tool do others prefer for this
> purpose?

I use opendkim to check DKIM and also sign outbound messages.  In almost all 
cases the program that signs messages will also check messages - assuming you 
use the same server for inbound and outbound mail.

I use the Debian package postfix-policyd-spf-perl for SPF checks.

I think that SpamAssassin does SPF checks by default and you can also configure 
it to use DKIM check results to add to the score (if you don't want to just 
reject mail that fails DKIM).

> My DMARC record may be too strict; I essentially copied an example from
> http://www.zytrax.com/books/dns/ch9/dmarc.html (with a slight modification
> to change the address to which reports are sent). If necessary, I can
> switch to a "quarantine" rather than a "reject" policy for SPF, DKIM or
> both.

Most mailing lists break SPF and DKIM so a reject will cause you some problems 
if you use many lists.

> Mailing list servers and their treatment of DKIM would be my main concern,
> although in such cases, if I understand rightly, the recipient should use
> the list server's DMARC record to determine the policy rather than mine,
> since it's the list server which is actually sending the mail out.

That's only if the header is modified for the mail to be "from" the list.  
Doing that requires a recent version of Mailman (in this case Debian/Jessie 
not Debian/Wheezy) and being willing to turn it on.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/


More information about the luv-main mailing list