Understanding DMARC

Resources

DMARC guides

SPF and DMARC record validation

If you are looking for SPF and DMARC record validation and parsing, check out the sister project, checkdmarc.

Lookalike domains

DMARC protects against domain spoofing, not lookalike domains. For open source lookalike domain monitoring, check out DomainAware.

DMARC Alignment Guide

DMARC ensures that the SPF and DKIM authentication mechanisms actually authenticate against the same domain that the end user sees.

A message passes a DMARC check by passing DKIM or SPF, as long as the domain used by the passing mechanism is also in alignment with the domain in the message’s From header.

Passing

  DKIM: The signature in the DKIM-Signature header is validated using a public key that is published as a DNS record of the domain name specified in the signature (the d= tag).

  SPF: The mail server’s IP address is listed in the SPF record of the domain in the SMTP envelope’s MAIL FROM address.

Alignment

  DKIM: The signing domain aligns with the domain in the message’s From header.

  SPF: The domain in the SMTP envelope’s MAIL FROM address aligns with the domain in the message’s From header.
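The following is an added example, not code from the parsedmarc project or its documentation. It evaluates the DMARC result of a message from the SPF and DKIM outcomes exactly as the table above describes: a mechanism only counts if it passed and its domain aligns with the From header domain. It goes one step beyond the table by implementing both alignment modes that RFC 7489 defines with the adkim= and aspf= tags: relaxed (any subdomain of the same organizational domain, the DMARC default and what "aligns" means above) and strict (exact match). The organizational_domain() helper is a simplification that keeps the last two labels; real implementations consult the Public Suffix List. The scenarios at the bottom are constructed.

```python
"""Added example (not part of the parsedmarc docs): evaluate DMARC from the
SPF and DKIM results of a message and check alignment against the From
header domain, the domain the end user sees.

Assumptions, labelled as such:
- organizational_domain() keeps the last two labels. Real implementations
  consult the Public Suffix List, because example.co.uk has three.
- The relaxed/strict modes follow the adkim= and aspf= tags of RFC 7489:
  relaxed ("r") accepts any subdomain of the same organizational domain,
  strict ("s") requires an exact domain match. Relaxed is the default.
"""
from dataclasses import dataclass


def organizational_domain(domain: str) -> str:
    # Simplification: assumes a one-label public suffix such as .com or .org.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """True if the authenticated domain aligns with the From header domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


@dataclass
class AuthResults:
    from_domain: str    # domain in the From header (what the user sees)
    spf_result: str     # "pass", "fail", "softfail", "none", ...
    spf_domain: str     # domain of the SMTP MAIL FROM (envelope sender)
    dkim_result: str    # "pass", "fail", "none", ...
    dkim_domain: str    # d= tag of the validated DKIM-Signature


def dmarc_evaluate(r: AuthResults, adkim: str = "r", aspf: str = "r") -> dict:
    """DMARC passes if either mechanism passed AND its domain is aligned."""
    dkim_aligned = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, adkim)
    spf_aligned = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, aspf)
    return {
        "dkim": dkim_aligned,
        "spf": spf_aligned,
        "dmarc": "pass" if (dkim_aligned or spf_aligned) else "fail",
    }


if __name__ == "__main__":
    # Constructed scenarios.
    # 1. Vendor sending from a dedicated subdomain that has its own SPF record.
    vendor = AuthResults("news.example.com", "pass", "news.example.com", "none", "")
    # 2. Mailing list relayed the message: DKIM broken, SPF passes only for the list's domain.
    relayed = AuthResults("example.com", "pass", "lists.example.org", "fail", "example.com")
    # 3. Internal relay signs with a subdomain: aligned in relaxed mode, not in strict.
    internal = AuthResults("example.com", "fail", "example.com", "pass", "mail.example.com")
    for name, result in [("vendor", vendor), ("relayed", relayed), ("internal", internal)]:
        print(name, dmarc_evaluate(result))
    print("internal, strict DKIM:", dmarc_evaluate(internal, adkim="s"))
```

The "relayed" scenario is the mailing list failure discussed later on this page: SPF passes, but for the list's own domain, and the original DKIM signature no longer validates, so nothing aligned with example.com remains.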

What if a sender won’t support DKIM/DMARC?

  1. Some vendors don’t know about DMARC yet; ask about SPF and DKIM/email authentication.

  2. Check if they can send through your email relays instead of theirs.

  3. Do they really need to spoof your domain? Why not use the display name instead?

  4. Worst case, have that vendor send email as a specific subdomain of your domain (e.g. noreply@news.example.com), and then create separate SPF and DMARC records on news.example.com, and set p=none in that DMARC record.

Warning

Do not alter the p or sp values of the DMARC record on the Top-Level Domain (TLD) – that would leave you vulnerable to spoofing of your TLD and/or any subdomain.
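To make the subdomain advice and the warning concrete, here is an added example (not code from the parsedmarc project) that implements DMARC policy discovery as RFC 7489 §6.6.3 describes it, against a constructed set of DNS TXT records rather than live DNS. A receiver first looks for a record at _dmarc.<From domain>; only if that is absent does it fall back to the organizational domain's record, where sp= (or p= when sp= is absent) governs subdomains. The ZONE data shows the layout from step 4 above (a p=none record on news.example.com, enforcement kept on example.com); WEAKENED_ZONE shows what the warning cautions against, with sp= loosened on the organizational domain so that every subdomain without its own record loses protection. The organizational_domain() helper and all records are simplifications constructed for this example.

```python
"""Added example, not part of the parsedmarc docs: DMARC policy discovery
per RFC 7489 section 6.6.3, run against constructed DNS TXT records.

Assumptions: organizational_domain() keeps the last two labels (real
resolvers use the Public Suffix List); lookup_txt() stands in for a DNS
query; the zone contents and addresses are constructed.
"""
from typing import Optional

# Constructed records: the organizational domain enforces, and the vendor
# subdomain from step 4 of the guide has its own record with p=none.
ZONE = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com",
    "_dmarc.news.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}

# What the warning tells you not to do: sp= loosened on the organizational
# domain instead of publishing a separate record on the subdomain.
WEAKENED_ZONE = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com",
}


def parse_dmarc(record: str) -> Optional[dict]:
    """Split 'tag=value; ...' into a dict; None if this is not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None
    return tags


def organizational_domain(domain: str) -> str:
    # Simplification: assumes a one-label public suffix such as .com or .org.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookup_txt(name: str, zone: dict) -> Optional[str]:
    """Stand-in for a DNS TXT query; a real tool would call a resolver here."""
    return zone.get(name.lower())


def applicable_policy(from_domain: str, zone: dict) -> dict:
    """Policy a receiver applies to mail whose From header domain is from_domain.

    1. _dmarc.<from_domain> exists: its p= applies.
    2. Otherwise the organizational domain's record applies to the subdomain
       through sp=, falling back to p= when sp= is absent.
    3. No record at all: no DMARC policy ("none").
    """
    from_domain = from_domain.lower().rstrip(".")
    record = lookup_txt(f"_dmarc.{from_domain}", zone)
    tags = parse_dmarc(record) if record else None
    if tags:
        return {"record": from_domain, "policy": tags.get("p", "none")}

    org = organizational_domain(from_domain)
    if org != from_domain:
        record = lookup_txt(f"_dmarc.{org}", zone)
        tags = parse_dmarc(record) if record else None
        if tags:
            return {"record": org, "policy": tags.get("sp", tags.get("p", "none"))}
    return {"record": None, "policy": "none"}


if __name__ == "__main__":
    for domain in ("example.com", "news.example.com", "other.example.com"):
        print(f"{domain:18} guide layout -> {applicable_policy(domain, ZONE)}")
        print(f"{domain:18} weakened     -> {applicable_policy(domain, WEAKENED_ZONE)}")
```

Running it shows other.example.com, a subdomain nobody publishes a record for, staying at reject under the guide's layout but dropping to none under the weakened zone, which is exactly the exposure the warning describes.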

What about mailing lists?

When you deploy DMARC on your domain, you might find that messages relayed by mailing lists are failing DMARC, most likely because the mailing list is spoofing your From address and modifying the subject, footer, or another part of the message, thereby breaking the DKIM signature.

Mailing list best practices

Ideally, a mailing list should forward messages without altering the headers or body content at all. Joe Nelson does a fantastic job of explaining exactly what mailing lists should and shouldn’t do to be fully DMARC compliant. Rather than repeat his fine work, here’s a summary:

Do

  • Retain headers from the original message

  • Add RFC 2369 List-Unsubscribe headers to outgoing messages, instead of adding unsubscribe links to the body

Modern mail clients and webmail services generate unsubscribe buttons based on these headers.

Do not

  • Remove or modify any existing headers from the original message, including From, Date, Subject, etc.

  • Add to or remove content from the message body, including traditional disclaimers and unsubscribe footers

In addition to complying with DMARC, this configuration ensures that Reply and Reply All actions work like they would with any email message. Reply replies to the message sender, and Reply All replies to the sender and the list.

Even without a subject prefix or body footer, mailing list users can still tell that a message came from the mailing list, because the message was sent to the mailing list post address, and not their email address.
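The following added example (not code from the parsedmarc project, nor from Joe Nelson's write-up) shows mechanically why the Do and Do not lists above are what they are. It implements the RFC 6376 "relaxed" canonicalization rules and computes the two inputs a DKIM signer hashes: the body hash published in the bh= tag, and the hash over the headers listed in h=. No key or real signature is involved; the point is to see which mailing-list edits change the signed input. Prefixing the Subject or appending a footer changes it, so the original signature can no longer validate, while adding an RFC 2369 List-Unsubscribe header does not, because that header is not among the signed ones. The message, header set and list addresses are constructed for this example.

```python
"""Added example, not part of the parsedmarc docs: which mailing-list edits
break an existing DKIM signature, using RFC 6376 relaxed canonicalization.

Only the hashed inputs are computed; no signature is produced. The message
below is constructed. SIGNED_HEADERS plays the role of the signer's h= tag.
"""
import base64
import hashlib
import re


def relaxed_header(name: str, value: str) -> str:
    """RFC 6376 section 3.4.2: lowercase name, unfold, collapse whitespace."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)      # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()     # runs of WSP -> one space
    return f"{name.lower()}:{value}\r\n"


def relaxed_body(body: str) -> str:
    """RFC 6376 section 3.4.4: collapse WSP, drop trailing WSP and trailing empty lines."""
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ")
             for line in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(line + "\r\n" for line in lines)


def body_hash(body: str) -> str:
    """Base64 SHA-256 of the canonicalized body, as published in the bh= tag."""
    digest = hashlib.sha256(relaxed_body(body).encode()).digest()
    return base64.b64encode(digest).decode()


def signed_header_hash(headers: list, signed_names: list) -> str:
    """SHA-256 over the canonicalized headers named in h=, in h= order.

    Per RFC 6376 section 5.4.2 the physically last instance of a repeated
    header is the one signed. A real signer also appends the DKIM-Signature
    header itself with an empty b=; that is omitted here since nothing is signed.
    """
    data = ""
    for wanted in signed_names:
        for name, value in reversed(headers):
            if name.lower() == wanted.lower():
                data += relaxed_header(name, value)
                break
    return hashlib.sha256(data.encode()).hexdigest()


# Constructed message and the headers the (hypothetical) signer covered.
SIGNED_HEADERS = ["From", "To", "Subject", "Date"]
ORIGINAL_HEADERS = [
    ("From", "Alice <alice@example.com>"),
    ("To", "discuss@lists.example.org"),
    ("Subject", "Quarterly report"),
    ("Date", "Mon, 01 Jan 2024 09:00:00 +0000"),
]
ORIGINAL_BODY = "Please see the attached figures.\n"


def mailing_list_rewrite(headers: list, body: str):
    """The edits the guide says not to make: subject prefix and body footer."""
    new_headers = [(n, f"[discuss] {v}" if n == "Subject" else v) for n, v in headers]
    return new_headers, body + "\n--\nTo unsubscribe, visit https://lists.example.org/unsub\n"


def add_list_headers(headers: list) -> list:
    """The edit the guide recommends: RFC 2369 headers, which the signer did not cover."""
    return headers + [("List-Unsubscribe", "<mailto:discuss-leave@lists.example.org>")]


def compare(headers: list, body: str, new_headers: list, new_body: str) -> dict:
    """Report whether either signed input differs between the two versions."""
    return {
        "body_hash_changed": body_hash(body) != body_hash(new_body),
        "header_hash_changed": signed_header_hash(headers, SIGNED_HEADERS)
        != signed_header_hash(new_headers, SIGNED_HEADERS),
    }


if __name__ == "__main__":
    h, b = mailing_list_rewrite(ORIGINAL_HEADERS, ORIGINAL_BODY)
    print("subject prefix + footer:", compare(ORIGINAL_HEADERS, ORIGINAL_BODY, h, b))
    print("List-Unsubscribe only:  ", compare(ORIGINAL_HEADERS, ORIGINAL_BODY,
                                              add_list_headers(ORIGINAL_HEADERS), ORIGINAL_BODY))
```

One caveat the comparison depends on: adding List-Unsubscribe is harmless only because the signer's h= list did not name it. RFC 6376 lets a signer list a header that is absent from the message (over-signing) precisely to make later additions of that header invalidate the signature, so a list cannot assume every signer leaves room for new headers.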

Configuration steps for common mailing list platforms are listed below.

Mailman 2

Navigate to General Settings, and configure the settings below

Setting                    Value
-------------------------  -------
subject_prefix             (blank)
from_is_list               No
first_strip_reply_to       No
reply_goes_to_list         Poster
include_rfc2369_headers    Yes
include_list_post_header   Yes
include_sender_header      No

Navigate to Non-digest options, and configure the settings below

Setting           Value
----------------  -------
msg_header        (blank)
msg_footer        (blank)
scrub_nondigest   No

Navigate to Privacy Options > Sending Filters, and configure the settings below

Setting                              Value
-----------------------------------  ------
dmarc_moderation_action              Accept
dmarc_quarantine_moderation_action   Yes
dmarc_none_moderation_action         Yes

Mailman 3

Navigate to Settings > List Identity

Make Subject prefix blank.

Navigate to Settings > Alter Messages

Configure the settings below

Setting                       Value
----------------------------  ----------
Convert html to plaintext     No
Include RFC2369 headers       Yes
Include the list post header  Yes
Explicit reply-to address     (blank)
First strip replyto           No
Reply goes to list            No munging

Navigate to Settings > DMARC Mitigation

Configure the settings below

Setting                          Value
-------------------------------  --------------------
DMARC mitigation action          No DMARC mitigations
DMARC mitigate unconditionally   No

Create a blank footer template for your mailing list to remove the message footer. Unfortunately, the Postorius mailing list admin UI will not allow you to create an empty template, so you’ll have to create one using the system’s command line instead, for example:

touch var/templates/lists/list.example.com/en/list:member:regular:footer

Where list.example.com is the list ID, and en is the language.

Then restart mailman core.

LISTSERV

LISTSERV 16.0-2017a and higher will rewrite the From header for domains that enforce a DMARC quarantine or reject policy.

Some additional steps are needed for Linux hosts.

Workarounds

If a mailing list must go against best practices and modify the message (e.g. to add a required legal footer), the mailing list administrator must configure the list to replace the From address of the message with the address of the mailing list (also known as From munging), so that the list no longer spoofs email addresses in domains protected by DMARC.

Configuration steps for common mailing list platforms are listed below.

Mailman 2

Navigate to Privacy Options > Sending Filters, and configure the settings below

Setting                              Value
-----------------------------------  ----------
dmarc_moderation_action              Munge From
dmarc_quarantine_moderation_action   Yes
dmarc_none_moderation_action         Yes

Note

Message wrapping could be used as the DMARC mitigation action instead. In that case, the original message is added as an attachment to the mailing list message, but that could interfere with inbox searching, or mobile clients.

On the other hand, replacing the From address might cause users to accidentally reply to the entire list, when they only intended to reply to the original sender.

Choose the option that best fits your community.

Mailman 3

In the DMARC Mitigations tab of the Settings page, configure the settings below

Setting                          Value
-------------------------------  -------------------------------
DMARC mitigation action          Replace From: with list address
DMARC mitigate unconditionally   No

Note

Message wrapping could be used as the DMARC mitigation action instead. In that case, the original message is added as an attachment to the mailing list message, but that could interfere with inbox searching, or mobile clients.

On the other hand, replacing the From address might cause users to accidentally reply to the entire list, when they only intended to reply to the original sender.