amorfo77/parsedmarc
1
0
Fork 0
mirror of https://github.com/domainaware/parsedmarc.git synced 2026-03-02 21:06:28 +00:00
Code Issues Projects Releases Wiki Activity
Files
f6c0a4ecbcfbc069cc1a4a53dfdff77cafb8358a
parsedmarc/docs/source/dmarc.md
Sean Whalen cd475255c5 Documentation cleanup
2023-05-03 16:44:15 -04:00

72 lines
3.0 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Understanding DMARC
## Resources
### DMARC guides
- [Demystifying DMARC] - A complete guide to SPF, DKIM, and DMARC
[demystifying dmarc]: https://seanthegeek.net/459/demystifying-dmarc/
### SPF and DMARC record validation
If you are looking for SPF and DMARC record validation and parsing,
check out the sister project,
[checkdmarc](https://domainaware.github.io/checkdmarc/).
### Lookalike domains
DMARC protects against domain spoofing, not lookalike domains. for open source
lookalike domain monitoring, check out [DomainAware](https://github.com/seanthegeek/domainaware).
## DMARC Alignment Guide
DMARC ensures that SPF and DKM authentication mechanisms actually authenticate
against the same domain that the end user sees.
A message passes a DMARC check by passing DKIM or SPF, **as long as the related
indicators are also in alignment**.
```{eval-rst}
+-----------------------+-----------------------+-----------------------+
| | **DKIM** | **SPF** |
+-----------------------+-----------------------+-----------------------+
| **Passing** | The signature in the | The mail server's IP |
| | DKIM header is | address is listed in |
| | validated using a | the SPF record of the |
| | public key that is | domain in the SMTP |
| | published as a DNS | envelope's mail from |
| | record of the domain | header |
| | name specified in the | |
| | signature | |
+-----------------------+-----------------------+-----------------------+
| **Alignment** | The signing domain | The domain in the |
| | aligns with the | SMTP envelope's mail |
| | domain in the | from header aligns |
| | message's from header | with the domain in |
| | | the message's from |
| | | header |
+-----------------------+-----------------------+-----------------------+
```
## What if a sender won't support DKIM/DMARC?
1. Some vendors don't know about DMARC yet; ask about SPF and DKIM/email
authentication.
2. Check if they can send through your email relays instead of theirs.
3. Do they really need to spoof your domain? Why not use the display
name instead?
4. Worst case, have that vendor send email as a specific subdomain of
your domain (e.g. `noreply@news.example.com`), and then create
separate SPF and DMARC records on `news.example.com`, and set
`p=none` in that DMARC record.
:::{warning}
Do not alter the `p` or `sp` values of the DMARC record on the
Top-Level Domain (TLD) that would leave you vulnerable to
spoofing of your TLD and/or any subdomain.
:::
```{include} mailing-lists.md
```
Reference in New Issue View Git Blame Copy Permalink