DMARC

Last updated: 2018-06-05

Introduction

 

DMARC (Domain-based Message Authentication Reporting and Conformance)

Provides authentication reporting (the receiving side sends an email report every day)

Applies sender policies at the receiving end (policies set by the sender itself)

In order to get started with DMARC, the sending domain needs to have an SPF and DKIM record published.

Gmail, Yahoo, Hotmail, etc.

Checking Flow:

Mail -> Public-IP-based spam filter (RBL) -> DKIM -> SPF

 


Domain

 

_dmarc.<your domain>

 

Example

 

# In this scenario, the sender defines the policy such that
# the receiver outright rejects all non-aligned messages and
# sends a report about the rejections to a specific email address.
# pct defaults to 100.

"v=DMARC1; p=reject; pct=100; rua=mailto:postmaster@your_domain.com" 

 

# none - Take no action. Only log the affected messages in the daily report.

"v=DMARC1; p=none; rua=mailto:postmaster@your_domain.com"

 

Explanation of the settings

Tag   Status      Purpose                               Example
v     required    Protocol version                      v=DMARC1
p     required    Policy for domain                     p=quarantine
rua   optional    Reporting URI of aggregate reports    rua=mailto:postmstr@domain.com
aspf  optional    Alignment mode for SPF                aspf=r|s
pct   optional    % of messages subjected to filtering  pct=20

aspf

There are two possible values: relaxed “r” or strict “s”.

Relaxed allows for partial matches such as subdomains while strict requires an exact match.

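p

none: the policy is none, i.e. even if a message fails the SPF & DKIM checks, let it through.

quarantine: the policy is quarantine, i.e. if a message fails the SPF & DKIM checks, quarantine it (put it in the spam folder).

reject: the policy is reject, i.e. if a message fails the SPF & DKIM checks, reject it (drop it outright or refuse the connection).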

mailto

The daily reports are sent in XML format.

They provide feedback informing you of the sending source IP addresses that have been sending out on your domain’s behalf. 

This helps in determining which sources are valid or not.

As a result, this assists in more effective deployment of your SPF and DKIM records.
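
To show how such a report is read in practice, here is an added example (not from the original page) that totals DMARC pass/fail message counts per source IP. The element names follow the RFC 7489 aggregate report schema; the sample report, example.com and the IP addresses are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict


def sample_record(ip, count, dkim, spf):
    """Build one constructed <record> element (sample data, not a real report)."""
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition><dkim>{dkim}</dkim>"
            f"<spf>{spf}</spf></policy_evaluated></row>"
            "<identifiers><header_from>example.com</header_from></identifiers></record>")


# Constructed report for a domain still at p=none (monitoring only).
SAMPLE_REPORT = ("<feedback><policy_published><domain>example.com</domain>"
                 "<p>none</p><pct>100</pct></policy_published>"
                 + sample_record("192.0.2.10", 120, "pass", "pass")
                 + sample_record("198.51.100.7", 30, "fail", "pass")
                 + sample_record("203.0.113.99", 45, "fail", "fail")
                 + sample_record("203.0.113.5", 3, "fail", "fail")
                 + "</feedback>")


def summarize(report_xml):
    """Return {source_ip: {"messages", "dmarc_pass", "dmarc_fail"}} for one report."""
    root = ET.fromstring(report_xml)
    stats = defaultdict(lambda: {"messages": 0, "dmarc_pass": 0, "dmarc_fail": 0})
    for row in root.iterfind("record/row"):
        ip = row.findtext("source_ip", default="unknown").strip()
        count = int(row.findtext("count", default="0"))
        # policy_evaluated holds the alignment-aware results; DMARC passes
        # when either the DKIM or the SPF result is "pass".
        results = {row.findtext(f"policy_evaluated/{tag}", default="").strip().lower()
                   for tag in ("dkim", "spf")}
        stats[ip]["messages"] += count
        stats[ip]["dmarc_pass" if "pass" in results else "dmarc_fail"] += count
    return dict(stats)


def failing_sources(report_xml):
    """Source IPs that sent DMARC-failing mail, highest failure count first."""
    bad = [(ip, s["dmarc_fail"]) for ip, s in summarize(report_xml).items()
           if s["dmarc_fail"]]
    return sorted(bad, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for ip, failed in failing_sources(SAMPLE_REPORT):
        print(f"{ip}: {failed} message(s) failed DMARC")
```

Reports arrive by email from third parties, so treat the XML as untrusted input; a hardened parser such as defusedxml is a safer choice than the standard library for production use.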

deployment

When you are ready to complete the DMARC deployment, remove the percentages from your policies so that the full action of “quarantine” and “reject” is now functioning at 100%.