Skip to main content

DMARC

DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol that provides a mechanism for email receivers to determine if incoming messages are legitimate and were sent from authorized sources. It allows a sender's domain to publish a policy that specifies how email receivers should handle messages that fail SPF and/or DKIM authentication checks. The DMARC policy is stored in a specially-formatted TXT record in the domain's DNS records, and email receivers can use this information to decide whether to accept, reject, or flag an incoming message based on the results of SPF and DKIM checks. DMARC also provides a reporting mechanism that enables the sender to receive feedback on how their messages are being handled by email receivers. This feedback can be used to improve the accuracy and effectiveness of SPF and DKIM configurations, as well as monitor for potential abuse of the sender's domain.

Verification

Stalwart supports the following DMARC verification policies which are configured with the auth.dmarc.verify attribute:

  • relaxed: Verify DMARC and report the results in the Authentication-Results header.
  • strict: Reject the message if DMARC fails verification, otherwise report the results in the Authentication-Results header.
  • disable: Do not perform DMARC verification.

Example:

[auth.dmarc]
verify = [ { if = "listener = 'smtp'", then = "relaxed" },
           { else = "disable" } ]

Reporting

Stalwart automatically analyzes received DMARC failure and aggregate reports from external hosts and can also generate its own DMARC reports to inform other hosts about the authentication outcomes of the DKIM signatures and SPF policies it has processed.

The report submitter address can be configured using the report.submitter attribute. If not specified, the config_get('server.hostname') expression is be used.

For example:

[report]
submitter = "'mx.example.org'"

Failures

DMARC authentication failure reporting is a mechanism for receiving feedback about email messages that fail DMARC evaluation. It allows the owners of a domain to receive reports from mail receivers about messages claiming to be from their domain that are not aligned with their DMARC policy. These reports contain information about the message, including the envelope sender address, the header from address, and the IP address of the sending server, as well as the DMARC evaluation results. By analyzing these reports, domain owners can identify potential misuses of their domain, such as spam or phishing campaigns, and take action to protect their domain's reputation.

Outgoing DMARC failure reports are configured under the report.dmarc key using the following options:

  • from-name: The name that will be used in the From header of the DMARC report email.
  • from-address: The email address that will be used in the From header of the DMARC report email. The default value is the expression 'noreply-dmarc@' + config_get('report.domain').
  • subject: The subject name that will be used in the DMARC report email.
  • send: The rate at which DMARC reports will be sent to a given email address. When this rate is exceeded, no further DMARC failure reports will be sent to that address. Set to false to disable DMARC authentication failure reporting.
  • sign: The list of DKIM signatures to use when signing the DMARC report.

Example:

[report.dmarc]
from-name = "'Report Subsystem'"
from-address = "'[email protected]'"
subject = "'DMARC Authentication Failure Report'"
send = "1/1d"
sign = ["rsa"]

Aggregate

DMARC aggregate reporting allows organizations to receive reports on messages that pass or fail DMARC evaluation, by sending the reports to a specified email address. The reports are generated by receiving mail servers and contain information about messages sent from the domain, including the sending IP address, the results of SPF and DKIM authentication, and the disposition of the message (pass, fail, or quarantine). The aggregate reports provide valuable insights into the email security posture of a domain, allowing domain owners to monitor the use of their domain for email and take necessary actions to secure their email infrastructure. The reports are typically sent on a daily or weekly basis and are formatted in a machine-readable format, such as XML, to allow for easy analysis and processing.

Outgoing DMARC aggregate reports are configured under the report.dmarc.aggregate key using the following options:

  • from-name: The name that will be used in the From header of the DMARC aggregate report email.
  • from-address: The email address that will be used in the From header of the DMARC aggregate report email. The default value is the expression 'noreply-dmarc@' + config_get('report.domain').
  • org-name: The name of the organization to be included in the report.
  • send: The frequency at which the DMARC aggregate reports will be sent. The options are hourly, daily, weekly, or never to disable reporting.
  • max-size: The maximum size of the DMARC aggregate report in bytes.
  • sign: The list of DKIM signatures to use when signing the DMARC aggregate report.

Example:

[report.dmarc.aggregate]
from-name = "'DMARC Report'"
from-address = "'[email protected]'"
org-name = "'The example Organization'"
contact-info = "'[email protected]'"
send = "daily"
max-size = 26214400 # 25mb
sign = "['rsa']"