Files
parsedmarc/dmarc.html
Sean Whalen 47e5804aef Update docs
2026-01-22 20:59:25 -05:00

<!DOCTYPE html>
<html class="writer-html5" lang="en" data-content_root="./">
<head>
<meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>Understanding DMARC &mdash; parsedmarc 9.0.10 documentation</title>
<link rel="stylesheet" type="text/css" href="_static/pygments.css?v=b86133f3" />
<link rel="stylesheet" type="text/css" href="_static/css/theme.css?v=9edc463e" />
<script src="_static/jquery.js?v=5d32c60e"></script>
<script src="_static/_sphinx_javascript_frameworks_compat.js?v=2cd50e6c"></script>
<script src="_static/documentation_options.js?v=164cc7e6"></script>
<script src="_static/doctools.js?v=fd6eb6e6"></script>
<script src="_static/sphinx_highlight.js?v=6ffebe34"></script>
<script src="_static/js/theme.js"></script>
<link rel="index" title="Index" href="genindex.html" />
<link rel="search" title="Search" href="search.html" />
<link rel="next" title="Contributing to parsedmarc" href="contributing.html" />
<link rel="prev" title="Accessing an inbox using OWA/EWS" href="davmail.html" />
</head>
<body class="wy-body-for-nav">
<div class="wy-grid-for-nav">
<nav data-toggle="wy-nav-shift" class="wy-nav-side">
<div class="wy-side-scroll">
<div class="wy-side-nav-search" >
<a href="index.html" class="icon icon-home">
parsedmarc
</a>
<div role="search">
<form id="rtd-search-form" class="wy-form" action="search.html" method="get">
<input type="text" name="q" placeholder="Search docs" aria-label="Search docs" />
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
</div>
</div><div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="Navigation menu">
<p class="caption" role="heading"><span class="caption-text">Contents</span></p>
<ul class="current">
<li class="toctree-l1"><a class="reference internal" href="installation.html">Installation</a></li>
<li class="toctree-l1"><a class="reference internal" href="usage.html">Using parsedmarc</a></li>
<li class="toctree-l1"><a class="reference internal" href="output.html">Sample outputs</a></li>
<li class="toctree-l1"><a class="reference internal" href="elasticsearch.html">Elasticsearch and Kibana</a></li>
<li class="toctree-l1"><a class="reference internal" href="opensearch.html">OpenSearch and Grafana</a></li>
<li class="toctree-l1"><a class="reference internal" href="kibana.html">Using the Kibana dashboards</a></li>
<li class="toctree-l1"><a class="reference internal" href="splunk.html">Splunk</a></li>
<li class="toctree-l1"><a class="reference internal" href="davmail.html">Accessing an inbox using OWA/EWS</a></li>
<li class="toctree-l1 current"><a class="current reference internal" href="#">Understanding DMARC</a><ul>
<li class="toctree-l2"><a class="reference internal" href="#resources">Resources</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#dmarc-guides">DMARC guides</a></li>
<li class="toctree-l3"><a class="reference internal" href="#spf-and-dmarc-record-validation">SPF and DMARC record validation</a></li>
<li class="toctree-l3"><a class="reference internal" href="#lookalike-domains">Lookalike domains</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#dmarc-alignment-guide">DMARC Alignment Guide</a></li>
<li class="toctree-l2"><a class="reference internal" href="#what-if-a-sender-wont-support-dkim-dmarc">What if a sender won't support DKIM/DMARC?</a></li>
<li class="toctree-l2"><a class="reference internal" href="#what-about-mailing-lists">What about mailing lists?</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#mailing-list-best-practices">Mailing list best practices</a><ul>
<li class="toctree-l4"><a class="reference internal" href="#do">Do</a></li>
<li class="toctree-l4"><a class="reference internal" href="#do-not">Do not</a></li>
<li class="toctree-l4"><a class="reference internal" href="#mailman-2">Mailman 2</a></li>
<li class="toctree-l4"><a class="reference internal" href="#mailman-3">Mailman 3</a></li>
<li class="toctree-l4"><a class="reference internal" href="#listserv">LISTSERV</a></li>
<li class="toctree-l4"><a class="reference internal" href="#workarounds">Workarounds</a></li>
</ul>
</li>
</ul>
</li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="contributing.html">Contributing to parsedmarc</a></li>
<li class="toctree-l1"><a class="reference internal" href="api.html">API reference</a></li>
</ul>
</div>
</div>
</nav>
<section data-toggle="wy-nav-shift" class="wy-nav-content-wrap"><nav class="wy-nav-top" aria-label="Mobile navigation menu" >
<i data-toggle="wy-nav-top" class="fa fa-bars"></i>
<a href="index.html">parsedmarc</a>
</nav>
<div class="wy-nav-content">
<div class="rst-content">
<div role="navigation" aria-label="Page navigation">
<ul class="wy-breadcrumbs">
<li><a href="index.html" class="icon icon-home" aria-label="Home"></a></li>
<li class="breadcrumb-item active">Understanding DMARC</li>
<li class="wy-breadcrumbs-aside">
<a href="_sources/dmarc.md.txt" rel="nofollow"> View page source</a>
</li>
</ul>
<hr/>
</div>
<div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
<div itemprop="articleBody">
<section class="tex2jax_ignore mathjax_ignore" id="understanding-dmarc">
<h1>Understanding DMARC<a class="headerlink" href="#understanding-dmarc" title="Link to this heading"></a></h1>
<section id="resources">
<h2>Resources<a class="headerlink" href="#resources" title="Link to this heading"></a></h2>
<section id="dmarc-guides">
<h3>DMARC guides<a class="headerlink" href="#dmarc-guides" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p><a class="reference external" href="https://seanthegeek.net/459/demystifying-dmarc/">Demystifying DMARC</a> - A complete guide to SPF, DKIM, and DMARC</p></li>
</ul>
</section>
<section id="spf-and-dmarc-record-validation">
<h3>SPF and DMARC record validation<a class="headerlink" href="#spf-and-dmarc-record-validation" title="Link to this heading"></a></h3>
<p>If you are looking for SPF and DMARC record validation and parsing,
check out the sister project,
<a class="reference external" href="https://domainaware.github.io/checkdmarc/">checkdmarc</a>.</p>
</section>
<section id="lookalike-domains">
<h3>Lookalike domains<a class="headerlink" href="#lookalike-domains" title="Link to this heading"></a></h3>
<p>DMARC protects against domain spoofing, not lookalike domains. For open source
lookalike domain monitoring, check out <a class="reference external" href="https://github.com/seanthegeek/domainaware">DomainAware</a>.</p>
</section>
</section>
<section id="dmarc-alignment-guide">
<h2>DMARC Alignment Guide<a class="headerlink" href="#dmarc-alignment-guide" title="Link to this heading"></a></h2>
<p>DMARC ensures that SPF and DKIM authentication mechanisms actually authenticate
against the same domain that the end user sees.</p>
<p>A message passes a DMARC check by passing DKIM or SPF, <strong>as long as the related
indicators are also in alignment</strong>.</p>
<table class="docutils align-default">
<tbody>
<tr class="row-odd"><td></td>
<td><p><strong>DKIM</strong></p></td>
<td><p><strong>SPF</strong></p></td>
</tr>
<tr class="row-even"><td><p><strong>Passing</strong></p></td>
<td><p>The signature in the
DKIM header is
validated using a
public key that is
published as a DNS
record of the domain
name specified in the
signature</p></td>
<td><p>The mail server's IP
address is listed in
the SPF record of the
domain in the SMTP
envelope's mail from
header</p></td>
</tr>
<tr class="row-odd"><td><p><strong>Alignment</strong></p></td>
<td><p>The signing domain
aligns with the
domain in the
message's from header</p></td>
<td><p>The domain in the
SMTP envelope's mail
from header aligns
with the domain in
the message's from
header</p></td>
</tr>
</tbody>
</table>
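<p>The table above, worked through as an added example (not part of parsedmarc or checkdmarc). It also covers the relaxed and strict alignment modes, which the table does not mention. The function names, the sample domains and the tiny suffix set are assumptions; a real evaluator uses the full Public Suffix List.</p>

```python
from dataclasses import dataclass

# Constructed, tiny stand-in for the Public Suffix List (assumption: a real
# evaluator loads the full list to find organizational domains).
SAMPLE_PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Public suffix plus one label: news.example.com -> example.com."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # longest candidate suffix first
        if ".".join(labels[i:]) in SAMPLE_PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to last two labels


def is_aligned(auth_domain: str, from_domain: str, strict: bool = False) -> bool:
    """Strict needs identical domains; relaxed compares organizational domains."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if strict:
        return a == f
    return organizational_domain(a) == organizational_domain(f)


@dataclass
class AuthResult:
    mechanism: str  # "spf" or "dkim"
    result: str     # verdict reported by the receiver, e.g. "pass" or "fail"
    domain: str     # SPF: envelope mail from domain; DKIM: d= signing domain


def dmarc_pass(from_domain, results, aspf_strict=False, adkim_strict=False):
    """DMARC passes if at least one mechanism both passes and aligns."""
    for r in results:
        strict = aspf_strict if r.mechanism == "spf" else adkim_strict
        if r.result == "pass" and is_aligned(r.domain, from_domain, strict):
            return True
    return False


# Constructed scenarios; the message's from header domain is example.com in each.
VENDOR_UNALIGNED = [  # vendor authenticates only as itself
    AuthResult("spf", "pass", "bounce.vendor.net"),
    AuthResult("dkim", "pass", "vendor.net"),
]
SUBDOMAIN_DKIM = [  # signed with a subdomain of the from domain
    AuthResult("spf", "pass", "bounce.vendor.net"),
    AuthResult("dkim", "pass", "news.example.com"),
]
LIST_RELAY = [  # list used its own envelope and broke the author's signature
    AuthResult("spf", "pass", "list.example.org"),
    AuthResult("dkim", "fail", "example.com"),
]

if __name__ == "__main__":
    print(dmarc_pass("example.com", VENDOR_UNALIGNED))                   # False
    print(dmarc_pass("example.com", SUBDOMAIN_DKIM))                     # True
    print(dmarc_pass("example.com", SUBDOMAIN_DKIM, adkim_strict=True))  # False
    print(dmarc_pass("example.com", LIST_RELAY))                         # False
```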
</section>
<section id="what-if-a-sender-wont-support-dkim-dmarc">
<h2>What if a sender won't support DKIM/DMARC?<a class="headerlink" href="#what-if-a-sender-wont-support-dkim-dmarc" title="Link to this heading"></a></h2>
<ol class="arabic simple">
<li><p>Some vendors don't know about DMARC yet; ask about SPF and DKIM/email
authentication.</p></li>
<li><p>Check if they can send through your email relays instead of theirs.</p></li>
<li><p>Do they really need to spoof your domain? Why not use the display
name instead?</p></li>
<li><p>Worst case, have that vendor send email as a specific subdomain of
your domain (e.g. <code class="docutils literal notranslate"><span class="pre">noreply&#64;news.example.com</span></code>), and then create
separate SPF and DMARC records on <code class="docutils literal notranslate"><span class="pre">news.example.com</span></code>, and set
<code class="docutils literal notranslate"><span class="pre">p=none</span></code> in that DMARC record.</p></li>
</ol>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>Do not alter the <code class="docutils literal notranslate"><span class="pre">p</span></code> or <code class="docutils literal notranslate"><span class="pre">sp</span></code> values of the DMARC record on the
Top-Level Domain (TLD). Doing so would leave you vulnerable to
spoofing of your TLD and/or any subdomain.</p>
</div>
</section>
<section id="what-about-mailing-lists">
<h2>What about mailing lists?<a class="headerlink" href="#what-about-mailing-lists" title="Link to this heading"></a></h2>
<p>When you deploy DMARC on your domain, you might find that messages
relayed by mailing lists are failing DMARC, most likely because the mailing
list is spoofing your from address, and modifying the subject,
footer, or other part of the message, thereby breaking the
DKIM signature.</p>
<section id="mailing-list-best-practices">
<h3>Mailing list best practices<a class="headerlink" href="#mailing-list-best-practices" title="Link to this heading"></a></h3>
<p>Ideally, a mailing list should forward messages without altering the
headers or body content at all. <a class="reference external" href="https://begriffs.com/posts/2018-09-18-dmarc-mailing-list.html">Joe Nelson</a> does a fantastic job of
explaining exactly what mailing lists should and shouldn't do to be
fully DMARC compliant. Rather than repeat his fine work, here's a
summary:</p>
<section id="do">
<h4>Do<a class="headerlink" href="#do" title="Link to this heading"></a></h4>
<ul class="simple">
<li><p>Retain headers from the original message</p></li>
<li><p>Add <a class="reference external" href="https://tools.ietf.org/html/rfc2369">RFC 2369</a> List-Unsubscribe headers to outgoing messages, instead of
adding unsubscribe links to the body</p></li>
</ul>
<blockquote>
<div><p>List-Unsubscribe: <a class="reference external" href="https://list.example.com/unsubscribe-link">https://list.example.com/unsubscribe-link</a></p>
</div></blockquote>
<ul>
<li><p>Add <a class="reference external" href="https://tools.ietf.org/html/rfc2919">RFC 2919</a> List-Id headers instead of modifying the subject</p>
<blockquote>
<div><p>List-Id: Example Mailing List &lt;<a class="reference external" href="http://list.example.com">list.example.com</a>&gt;</p>
</div></blockquote>
</li>
</ul>
<p>Modern mail clients and webmail services generate unsubscribe buttons based on
these headers.</p>
</section>
<section id="do-not">
<h4>Do not<a class="headerlink" href="#do-not" title="Link to this heading"></a></h4>
<ul class="simple">
<li><p>Remove or modify any existing headers from the original message, including
From, Date, Subject, etc.</p></li>
<li><p>Add to or remove content from the message body, <strong>including traditional
disclaimers and unsubscribe footers</strong></p></li>
</ul>
<p>In addition to complying with DMARC, this configuration ensures that Reply
and Reply All actions work like they would with any email message. Reply
replies to the message sender, and Reply All replies to the sender and the
list.</p>
<p>Even without a subject prefix or body footer, mailing list users can still
tell that a message came from the mailing list, because the message was sent
to the mailing list post address, and not their email address.</p>
<p>Configuration steps for common mailing list platforms are listed below.</p>
</section>
<section id="mailman-2">
<h4>Mailman 2<a class="headerlink" href="#mailman-2" title="Link to this heading"></a></h4>
<p>Navigate to General Settings, and configure the settings below</p>
<table class="docutils align-default">
<tbody>
<tr class="row-odd"><td><p><strong>Setting</strong></p></td>
<td><p><strong>Value</strong></p></td>
</tr>
<tr class="row-even"><td><p><strong>subject_prefix</strong></p></td>
<td></td>
</tr>
<tr class="row-odd"><td><p><strong>from_is_list</strong></p></td>
<td><p>No</p></td>
</tr>
<tr class="row-even"><td><p><strong>first_strip_reply_to</strong></p></td>
<td><p>No</p></td>
</tr>
<tr class="row-odd"><td><p><strong>reply_goes_to_list</strong></p></td>
<td><p>Poster</p></td>
</tr>
<tr class="row-even"><td><p><strong>include_rfc2369_headers</strong></p></td>
<td><p>Yes</p></td>
</tr>
<tr class="row-odd"><td><p><strong>include_list_post_header</strong></p></td>
<td><p>Yes</p></td>
</tr>
<tr class="row-even"><td><p><strong>include_sender_header</strong></p></td>
<td><p>No</p></td>
</tr>
</tbody>
</table>
<p>Navigate to Non-digest options, and configure the settings below</p>
<table class="docutils align-default">
<tbody>
<tr class="row-odd"><td><p><strong>Setting</strong></p></td>
<td><p><strong>Value</strong></p></td>
</tr>
<tr class="row-even"><td><p><strong>msg_header</strong></p></td>
<td></td>
</tr>
<tr class="row-odd"><td><p><strong>msg_footer</strong></p></td>
<td></td>
</tr>
<tr class="row-even"><td><p><strong>scrub_nondigest</strong></p></td>
<td><p>No</p></td>
</tr>
</tbody>
</table>
<p>Navigate to Privacy Options &gt; Sending Filters, and configure the settings below</p>
<table class="docutils align-default">
<tbody>
<tr class="row-odd"><td><p><strong>Setting</strong></p></td>
<td><p><strong>Value</strong></p></td>
</tr>
<tr class="row-even"><td><p><strong>dmarc_moderation_action</strong></p></td>
<td><p>Accept</p></td>
</tr>
<tr class="row-odd"><td><p><strong>dmarc_quarantine_moderation_action</strong></p></td>
<td><p>Yes</p></td>
</tr>
<tr class="row-even"><td><p><strong>dmarc_none_moderation_action</strong></p></td>
<td><p>Yes</p></td>
</tr>
</tbody>
</table>
</section>
<section id="mailman-3">
<h4>Mailman 3<a class="headerlink" href="#mailman-3" title="Link to this heading"></a></h4>
<p>Navigate to Settings &gt; List Identity</p>
<p>Make Subject prefix blank.</p>
<p>Navigate to Settings &gt; Alter Messages</p>
<p>Configure the settings below</p>
<table class="docutils align-default">
<tbody>
<tr class="row-odd"><td><p><strong>Setting</strong></p></td>
<td><p><strong>Value</strong></p></td>
</tr>
<tr class="row-even"><td><p><strong>Convert html to plaintext</strong></p></td>
<td><p>No</p></td>
</tr>
<tr class="row-odd"><td><p><strong>Include RFC2369 headers</strong></p></td>
<td><p>Yes</p></td>
</tr>
<tr class="row-even"><td><p><strong>Include the list post header</strong></p></td>
<td><p>Yes</p></td>
</tr>
<tr class="row-odd"><td><p><strong>Explicit reply-to address</strong></p></td>
<td></td>
</tr>
<tr class="row-even"><td><p><strong>First strip replyto</strong></p></td>
<td><p>No</p></td>
</tr>
<tr class="row-odd"><td><p><strong>Reply goes to list</strong></p></td>
<td><p>No munging</p></td>
</tr>
</tbody>
</table>
<p>Navigate to Settings &gt; DMARC Mitigation</p>
<p>Configure the settings below</p>
<table class="docutils align-default">
<tbody>
<tr class="row-odd"><td><p><strong>Setting</strong></p></td>
<td><p><strong>Value</strong></p></td>
</tr>
<tr class="row-even"><td><p><strong>DMARC mitigation action</strong></p></td>
<td><p>No DMARC mitigations</p></td>
</tr>
<tr class="row-odd"><td><p><strong>DMARC mitigate unconditionally</strong></p></td>
<td><p>No</p></td>
</tr>
</tbody>
</table>
<p>Create a blank footer template for your mailing list to remove the message
footer. Unfortunately, the Postorius mailing list admin UI will not allow you
to create an empty template, so you'll have to create one using the system's
command line instead, for example:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>touch<span class="w"> </span>var/templates/lists/list.example.com/en/list:member:regular:footer
</pre></div>
</div>
<p>Where <code class="docutils literal notranslate"><span class="pre">list.example.com</span></code> is the list ID, and <code class="docutils literal notranslate"><span class="pre">en</span></code> is the language.</p>
<p>Then restart mailman core.</p>
</section>
<section id="listserv">
<h4>LISTSERV<a class="headerlink" href="#listserv" title="Link to this heading"></a></h4>
<p><a class="reference external" href="https://www.lsoft.com/news/dmarc-issue1-2018.asp">LISTSERV 16.0-2017a</a> and higher will rewrite the From header for domains
that enforce a DMARC quarantine or reject policy.</p>
<p>Some additional steps are needed for Linux hosts.</p>
</section>
<section id="workarounds">
<h4>Workarounds<a class="headerlink" href="#workarounds" title="Link to this heading"></a></h4>
<p>If a mailing list must go <strong>against</strong> best practices and
modify the message (e.g. to add a required legal footer), the mailing
list administrator must configure the list to replace the From address of the
message (also known as munging) with the address of the mailing list, so they
no longer spoof email addresses with domains protected by DMARC.</p>
<p>Configuration steps for common mailing list platforms are listed below.</p>
<section id="id1">
<h5>Mailman 2<a class="headerlink" href="#id1" title="Link to this heading"></a></h5>
<p>Navigate to Privacy Options &gt; Sending Filters, and configure the settings below</p>
<table class="docutils align-default">
<tbody>
<tr class="row-odd"><td><p><strong>Setting</strong></p></td>
<td><p><strong>Value</strong></p></td>
</tr>
<tr class="row-even"><td><p><strong>dmarc_moderation_action</strong></p></td>
<td><p>Munge From</p></td>
</tr>
<tr class="row-odd"><td><p><strong>dmarc_quarantine_moderation_action</strong></p></td>
<td><p>Yes</p></td>
</tr>
<tr class="row-even"><td><p><strong>dmarc_none_moderation_action</strong></p></td>
<td><p>Yes</p></td>
</tr>
</tbody>
</table>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>Message wrapping could be used as the DMARC mitigation action instead. In
that case, the original message is added as an attachment to the mailing
list message, but that could interfere with inbox searching, or mobile
clients.</p>
<p>On the other hand, replacing the From address might cause users to
accidentally reply to the entire list, when they only intended to reply to
the original sender.</p>
<p>Choose the option that best fits your community.</p>
</div>
</section>
<section id="id2">
<h5>Mailman 3<a class="headerlink" href="#id2" title="Link to this heading"></a></h5>
<p>In the DMARC Mitigations tab of the Settings page, configure the settings below</p>
<table class="docutils align-default">
<tbody>
<tr class="row-odd"><td><p><strong>Setting</strong></p></td>
<td><p><strong>Value</strong></p></td>
</tr>
<tr class="row-even"><td><p><strong>DMARC mitigation action</strong></p></td>
<td><p>Replace From: with list address</p></td>
</tr>
<tr class="row-odd"><td><p><strong>DMARC mitigate unconditionally</strong></p></td>
<td><p>No</p></td>
</tr>
</tbody>
</table>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>Message wrapping could be used as the DMARC mitigation action instead. In
that case, the original message is added as an attachment to the mailing
list message, but that could interfere with inbox searching, or mobile
clients.</p>
<p>On the other hand, replacing the From address might cause users to
accidentally reply to the entire list, when they only intended to reply to
the original sender.</p>
</div>
</section>
</section>
</section>
</section>
</section>
</div>
</div>
<footer><div class="rst-footer-buttons" role="navigation" aria-label="Footer">
<a href="davmail.html" class="btn btn-neutral float-left" title="Accessing an inbox using OWA/EWS" accesskey="p" rel="prev"><span class="fa fa-arrow-circle-left" aria-hidden="true"></span> Previous</a>
<a href="contributing.html" class="btn btn-neutral float-right" title="Contributing to parsedmarc" accesskey="n" rel="next">Next <span class="fa fa-arrow-circle-right" aria-hidden="true"></span></a>
</div>
<hr/>
<div role="contentinfo">
<p>&#169; Copyright 2018 - 2025, Sean Whalen and contributors.</p>
</div>
Built with <a href="https://www.sphinx-doc.org/">Sphinx</a> using a
<a href="https://github.com/readthedocs/sphinx_rtd_theme">theme</a>
provided by <a href="https://readthedocs.org">Read the Docs</a>.
</footer>
</div>
</div>
</section>
</div>
<script>
jQuery(function () {
SphinxRtdTheme.Navigation.enable(true);
});
</script>
</body>
</html>