Posted by Steve on Mon 3 Aug 2015 at 19:35
When it comes to increasing deliverabiity of email, and preventing spoofed/forged emails the preferred solution these days is DMARC, which allows the use of SPF and DKIM to be enforced for domains in a unified manner.
We've already documented the process of signing outgoing emails with DKIM, and briefly introduced the use of SPF to document the hosts which are permitted to send email for a particular domain. Both of these techniques are useful, especially when combined.
But there is a flaw regarding the use of DKIM-signatures, which we've mentioned before:
In order to prevent this you need some way of saying "ALl our mail is signed with DKIM", such that a mail with a missing signature is treated just as harshly as a mail with an invalid signature, and DMARC is exactly how you achieve that.
DMARC allows you to specify how failures should be handled:
There are other abilities too, but the main reason for DMARC to exist is to publish how strongly/weakly you will be using SPF and/or DKIM.
As with the other systems DMARC-policies are published as TXT records, in DNS.
The basic record would look like this, and for the sending-domain example.com it would be stored in the TXT record named _dmarc.example.com:
"v=DMARC1; p=reject; adkim=s; aspf=s"
Much like SPF & DKIM the record is comprised of several components:
If you define a rua=-setting, such as email@example.com you'll receive a daily report from providers who honor it letting you see how many mails were received by them, and how they were handled. This domain receives a regular summary from gmail.com, hotmail.com, and similar sites. The summary is in XML-format and will look like this:
<row> <source_ip>126.96.36.199</source_ip> <count>2</count> <policy_evaluated> <disposition>none</disposition> <dkim>pass</dkim> <spf>pass</spf> </policy_evaluated> </row>
That report shows that two mails were received by Google, both from the same sending IP-address, and the mails each passed their SPF and DKIM testing.
To lookup the DMARC-record which might be present for a domain you merely need to use the dig command, or nslookup. As an example here is what the record looks like for this domain:
$ dig -t txt _dmarc.debian-administration.org +short "v=DMARC1\; p=reject\; rua=mailto:firstname.lastname@example.org\; fo=1\; adkim=s\; aspf=s"
As a final update it is worth noting that there are a few different more additional items you can add to yoru DMARC record, documented on the DMARC website, but the ones listed above are sufficient to define and publish a policy for your domain(s).