BIND : Set DMARC record
2024/07/17

Configure a DMARC (Domain-based Message Authentication, Reporting, and Conformance) record to indicate that your mail server is protected by SPF/DKIM.
[1] DMARC is a DNS record that tells the recipient's mail server what to do with an email when SPF or DKIM authentication fails.

[2] Configure a DMARC record in the zone file that contains the target domain name.
root@dlp:~# vi /etc/bind/srv.world.wan
$TTL 86400
@   IN  SOA     dlp.srv.world. root.srv.world. (
        ;; update serial number
        2024071501  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400       ;Minimum TTL
)
        IN  NS      dlp.srv.world.
        IN  A       172.16.0.82
        IN  MX 10   dlp.srv.world.
        IN  TXT     "v=spf1 +ip4:172.16.0.82 -all"

dlp     IN  A       172.16.0.82
www     IN  A       172.16.0.83

20240712._domainkey     IN  TXT     "v=DKIM1; h=sha256; k=rsa; " "p=MIIBIjANBgkqh....."

;; add to last line
_dmarc  IN  TXT     "v=DMARC1; p=none;"

root@dlp:~# rndc reload
[3] Other options for your DMARC record.

;; [v=DMARC1] ⇒ DMARC version

;; [p=***] : action policy when authentication fails
;;   - [none] ⇒ do nothing
;;   - [quarantine] ⇒ quarantined in junk mail folder
;;   - [reject] ⇒ reject email

;; [rua=mailto:***] : the address to which aggregate reports will be sent
;;   * if not specified, no aggregate report will be sent
;;   * to specify multiple addresses, separate them with commas (,)
;;   * each address needs its own mailto: prefix
_dmarc  IN  TXT     "v=DMARC1; p=none; rua=mailto:admin@srv.world,mailto:webmaster@srv.world"

;; [ruf=mailto:***] : the address to which failure reports will be sent
;;   * if not specified, no failure report will be sent
;;   * to specify multiple addresses, separate them with commas (,)
;;   * each address needs its own mailto: prefix
_dmarc  IN  TXT     "v=DMARC1; p=none; ruf=mailto:admin@srv.world,mailto:webmaster@srv.world"

;; [sp=***] : action policy when authentication of a subdomain fails
;;   * if not specified, the setting of [p=***] will be inherited
;;   - [none] ⇒ do nothing
;;   - [quarantine] ⇒ quarantined in junk mail folder
;;   - [reject] ⇒ reject email
_dmarc  IN  TXT     "v=DMARC1; p=none; sp=reject; rua=mailto:admin@srv.world"

;; [pct=***] : percentage of emails that the policy covers
;;   * specify with [1-100]
;;   * if not specified, it is set to [pct=100]
_dmarc  IN  TXT     "v=DMARC1; p=none; pct=50; rua=mailto:admin@srv.world"

;; [fo=***] : action options for sending failure reports (when ruf=*** is enabled)
;;   - [0] ⇒ both DKIM and SPF authentication fails (default if not specified)
;;   - [1] ⇒ either DKIM or SPF authentication failed
;;   - [d] ⇒ DKIM authentication failed
;;   - [s] ⇒ SPF authentication failed

;; [aspf=***] : SPF authentication alignment mode
;;   - [s] ⇒ strict mode : exact domain match (default if not specified)
;;   - [r] ⇒ relaxed mode : partial domain match

;; [adkim=***] : DKIM authentication alignment mode
;;   - [s] ⇒ strict mode : exact domain match (default if not specified)
;;   - [r] ⇒ relaxed mode : partial domain match

;; [rf=afrf] : DMARC authentication failure report format
;;   * currently only [rf=afrf] (default if not specified)

;; [ri=***] : aggregate report sending interval (in seconds)
;;   * if not specified, the default value is [ri=86400] (24 hours)
[4] The following website allows you to check the contents of the DMARC record you have set, so it is a good idea to use it. If there are no problems with the DMARC record settings, an email sent from the mail server of the configured domain to Gmail etc. will show [DMARC: 'PASS'] in its header.
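A local check that can be run on the TXT value before it goes into the zone file, as an added example that is not part of the original page. The function names and finding texts are hypothetical; the tag meanings come from the option list in [3], and the requirement that every rua/ruf entry carries its own mailto: prefix follows the URI list syntax of RFC 7489.

```python
# Added example: lint a DMARC TXT value before publishing it in the zone.
# Function names and finding texts are this example's own, not a standard tool.
POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Split 'v=DMARC1; p=none; ...' into ordered (tag, value) pairs."""
    pairs = []
    for part in txt.split(";"):
        if part.strip():
            tag, _, value = part.partition("=")
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def lint_dmarc(txt):
    """Return a list of findings; an empty list means nothing was flagged."""
    pairs = parse_dmarc(txt)
    tags = dict(pairs)
    out = []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        out.append("error: record must start with v=DMARC1")
    if len(tags) != len(pairs):
        out.append("error: a tag appears more than once")
    p = tags.get("p")
    if p not in POLICIES:
        out.append("error: p must be none, quarantine or reject")
    elif p == "none":
        out.append("info: p=none takes no action on failing mail")
    if "sp" in tags and tags["sp"] not in POLICIES:
        out.append("error: sp must be none, quarantine or reject")
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if not pct.isdigit() or int(pct) > 100:
        out.append("error: pct must be a whole number no greater than 100")
    elif int(pct) < 100:
        out.append("warn: policy covers only %s%% of mail" % pct)
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            if tag in tags and not uri.strip().lower().startswith("mailto:"):
                out.append("error: %s entry %r lacks mailto:" % (tag, uri.strip()))
    if "rua" not in tags:
        out.append("warn: no rua, so no aggregate reports will be sent")
    if "fo" in tags and "ruf" not in tags:
        out.append("warn: fo has no effect without ruf")
    return out

# Constructed sample values for the _dmarc TXT record.
if __name__ == "__main__":
    for rec in ("v=DMARC1; p=none;",
                "v=DMARC1; p=reject; rua=mailto:admin@srv.world,webmaster@srv.world"):
        print(rec, "->", lint_dmarc(rec))
```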