Last updated: 2018-06-05
Introduction
DMARC (Domain-based Message Authentication Reporting and Conformance)
Provides authentication reporting (the receiving side sends one email report per day)
Applies sender policies at the receiving end (configured by the sender, checked by the receiver)
To get started with DMARC, the sending domain needs to have an SPF or DKIM record published.
A message passes DMARC if it passes both the SPF authentication and alignment tests, or both the DKIM authentication and alignment tests.
Alignment tests
Alignment test (SPF) = the Return-Path domain must match the domain found in the From address
Alignment test (DKIM) = the signing domain (d=) of a valid signature must match the domain in the From field
Alignment may be specified as strict (the domains must be identical) or relaxed (only the organizational domain must match).
Gmail, Yahoo and Hotmail already use it.
Checking flow:
Mail -> public-IP-based spam filter (RBL) -> SPF -> DKIM -> DMARC
Domain
DNS TXT Record
_dmarc.<your domain>
Example
# The receiver outright rejects all non-aligned messages and
# sends a report about the rejections to a specific email address.
# Default pct 100%
_dmarc IN TXT "v=DMARC1; p=reject; pct=100; rua=mailto:postmaster@your_domain.com"
P.S.
# no reports
_dmarc IN TXT "v=DMARC1; p=reject;"
# none - Take no action. Only log the affected messages in the daily report.
"v=DMARC1; p=none; rua=mailto:postmaster@your_domain.com"
Tag reference
tag    required  description                                 example
v      required  Protocol version                            v=DMARC1
p      required  Policy for the organizational domain        p=quarantine
pct    optional  % of messages subjected to filtering        pct=100  # default
sp     optional  Policy for subdomains of the OD
adkim  optional  Alignment mode for DKIM                     adkim=r|s
aspf   optional  Alignment mode for SPF                      aspf=r|s
rua    optional  Reporting URI for aggregate reports         rua=mailto:postmaster@your_domain.com
ruf    optional  Reporting URI for forensic reports
p (policy)
- none: accept the message even if it fails the SPF & DKIM checks
- quarantine: if the message fails the SPF & DKIM checks, quarantine it (deliver it to the junk folder)
- reject: if the message fails the SPF & DKIM checks, reject it (drop it or refuse the connection)
adkim / aspf
Two values are possible: relaxed "r" or strict "s".
Relaxed allows for partial matches such as subdomains while strict requires an exact match.
rua/ ruf mailto
The daily reports are sent in XML format.
They provide feedback informing you of the sending source IP addresses that have been sending out on your domain’s behalf.
This helps in determining which sources are valid or not.
As a result, this assists in more effective deployment of your SPF and DKIM records.
Deployment
When you are ready to complete the DMARC deployment,
remove the percentages from your policies so that the full action of “quarantine” and “reject” is now functioning at 100%.
Sub-Domain
A second lookup is made if no record was found by the first lookup:
First Lookup: _dmarc.xyz.example.com
Second Lookup: _dmarc.example.com (Organizational Domain)
rua/ruf DMARC external validation
# External domains in your DMARC record have not given permission for your reports to be sent to them.
One of the "rua" or "ruf" addresses in your record belongs to a domain that does not have a DNS TXT record verifying that it wishes to receive DMARC reports for your domain.
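To tie the tag reference, the p/sp policies, the adkim/aspf alignment modes, the subdomain lookup and the external-report check together, here is an added Python example (written for this note, not part of the original page or any DMARC product). It parses a _dmarc TXT record, evaluates alignment in relaxed or strict mode, derives the DMARC result, and builds the name of the authorization record a third-party report domain must publish (per RFC 7489 section 7.1). The organizational-domain helper is a deliberate simplification (last two labels, no Public Suffix List).

```python
from typing import Dict

def organizational_domain(domain: str) -> str:
    """Last two labels of the domain. Simplification for this example: a real
    evaluator consults the Public Suffix List (co.uk needs three labels)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def parse_dmarc(txt: str) -> Dict[str, str]:
    """Parse a _dmarc TXT record into its tags and fill in the defaults."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("invalid DMARC record: v=DMARC1 and p= are required")
    tags.setdefault("adkim", "r")  # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s'): identical domains. Relaxed ('r'): same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)

def dmarc_result(record: Dict[str, str], from_domain: str,
                 spf_pass: bool, return_path_domain: str,
                 dkim_pass: bool, dkim_d: str) -> str:
    """'pass' if SPF or DKIM both authenticated and aligned; otherwise the
    policy the receiver applies (none, quarantine, reject)."""
    spf_ok = spf_pass and aligned(from_domain, return_path_domain, record["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_d, record["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    # sp= overrides p= for subdomains of the organizational domain;
    # pct= sampling is ignored in this example.
    is_subdomain = from_domain.lower() != organizational_domain(from_domain)
    return record.get("sp", record["p"]) if is_subdomain else record["p"]

def report_authorization_record(sender_domain: str, report_domain: str) -> str:
    """Name of the TXT record (content "v=DMARC1") that an external report
    domain must publish before rua/ruf reports may be sent to it."""
    return f"{sender_domain}._report._dmarc.{report_domain}"
```

The DNS lookups themselves (the _dmarc TXT record and the authorization record) are left to the caller; this only evaluates what they return.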
Checker
https://domain-checker.valimail.com/
https://stopemailfraud.proofpoint.com/dmarc/