DMARC usage opinion


DMARC usage opinion

Roberto Carna
Dear, I have a Postfix server and I have SPF and DKIM TXT records in my DNS. Everything works OK.

But now I want to implement DMARC, but somebody tells me not to do it because I'd have some problems and I'll have to use a whitelist for several email addresses, and it's a heavy additional work.

Please can you tell me your opinion about DMARC usage ??? 

Thanks a lot.

Re: DMARC usage opinion

Viktor Dukhovni
> On Dec 17, 2019, at 8:14 AM, Roberto Carna <[hidden email]> wrote:
>
> Dear, I have a Postfix server and I have SPF and DKIM TXT records in my DNS. Everything works OK.
>
> But now I want to implement DMARC, but somebody tells me not to do it because I'd have some problems and I'll have to use a whitelist for several email addresses, and it's a heavy additional work.
>
> Please can you tell me your opinion about DMARC usage ???

DMARC policy is best avoided unless you're a bank, or other brand
that is concerned about phishing of your customers.  For personal
domains, the risk of someone being defrauded by impersonating you
seems too small to warrant risk of breaking forwarding (e.g. via
mailing lists) mail you've authored.

Some best-practice check lists will give you a lower "score" if
you don't have a strict DMARC policy, but I ignore these.

--
        Viktor.


Re: DMARC usage opinion

@lbutlr
In reply to this post by Roberto Carna
On 17 Dec 2019, at 06:14, Roberto Carna <[hidden email]> wrote:
> I have a Postfix server and I have SPF and DKIM TXT records in my DNS. Everything works OK.

Good. You might look into DNSSEC as well if you haven’t done that. The setup is a bit tricky but once it’s set up it just works.

> But now I want to implement DMARC

The unanswered question here is why do you want to do this? If you have a good reason, then fine, do it. If you just kind of want to do it because it seems like a thing to do, don’t.

(Been there, done that, had the patty melt)


Re: DMARC usage opinion

Chris Wedgwood
In reply to this post by Viktor Dukhovni
> DMARC policy is best avoided unless you're a bank, or other brand
> that is concerned about phishing of your customers.

or have a domain that spammers use as the from/reply-to address

Re: DMARC usage opinion

Dave Goodrich
In reply to this post by Roberto Carna
----- On Dec 17, 2019, at 8:14 AM, Roberto Carna <[hidden email]> wrote:
> Dear, I have a Postfix server and I have SPF and DKIM TXT records in my DNS. Everything works OK.
> But now I want to implement DMARC, but somebody tells me not to do it because I'd have some problems and I'll have to use a whitelist for several email addresses, and it's a heavy additional work.
>
> Please can you tell me your opinion about DMARC usage ???
>
> Thanks a lot.

I implemented DMARC recently because of problems with City officials' emails being used for fraud. I get the reports, I know that people in other countries are using our email addresses, I have not the faintest idea what I can do about it. I am having trouble understanding the purpose of the reports I receive, I can't do anything with the information.

And this digresses into a DMARC discussion, not a Postfix discussion.

DAve


Re: DMARC usage opinion

Alejandro Cabrera Obed-2
In reply to this post by Chris Wedgwood
Thanks to all of you... I'll try DMARC with p=none for some days, and in this way I can analyze the behaviour of this mechanism.

Regards !!!

On Tue, 17 Dec 2019 at 14:11, Chris Wedgwood (<[hidden email]>) wrote:
> > DMARC policy is best avoided unless you're a bank, or other brand
> > that is concerned about phishing of your customers.
>
> or have a domain that spammers use as the from/reply-to address


--
 //  Alejandro   //




Re: DMARC usage opinion

Dominic Raferd
In reply to this post by Dave Goodrich
On Tue, 17 Dec 2019 at 17:35, Dave Goodrich <[hidden email]> wrote:

>
> ----- On Dec 17, 2019, at 8:14 AM, Roberto Carna <[hidden email]> wrote:
>
> Dear, I have a Postfix server and I have SPF and DKIM TXT records in my DNS. Everything works OK.
> But now I want to implement DMARC, but somebody tells me not to do it because I'd have some problems and I'll have to use a whitelist for several email addresses, and it's a heavy additional work.
>
> Please can you tell me your opinion about DMARC usage ???
>
> Thanks a lot.
>
>
> I implemented DMARC recently because of problems with City officials' emails being used for fraud. I get the reports, I know that people in other countries are using our email addresses, I have not the faintest idea what I can do about it. I am having trouble understanding the purpose of the reports I receive, I can't do anything with the information.
>

This is exactly what DMARC (p=reject) helps with. The reports tell you
about fake emails that were identified and blocked (and also help you
identify if your systems are correctly set up for genuine emails to
pass). If you are receiving the raw reports and don't understand them,
try using something like Postmark.

Re: DMARC usage opinion

Dave Goodrich


----- On Dec 17, 2019, at 12:40 PM, Dominic Raferd [hidden email] wrote:

> On Tue, 17 Dec 2019 at 17:35, Dave Goodrich <[hidden email]> wrote:
>>
>> ----- On Dec 17, 2019, at 8:14 AM, Roberto Carna <[hidden email]>
>> wrote:
>>
>> Dear, I have a Postfix server and I have SPF and DKIM TXT records in my DNS.
>> Everything works OK.
>> But now I want to implement DMARC, but somebody tells me not to do it because
>> I'd have some problems and I'll have to use a whitelist for several email
>> addresses, and it's a heavy additional work.
>>
>> Please can you tell me your opinion about DMARC usage ???
>>
>> Thanks a lot.
>>
>>
>> I implemented DMARC recently because of problems with City officials' emails
>> being used for fraud. I get the reports, I know that people in other countries
>> are using our email addresses, I have not the faintest idea what I can do about
>> it. I am having trouble understanding the purpose of the reports I receive, I
>> can't do anything with the information.
>>
>
> This is exactly what DMARC (p=reject) helps with. The reports tell you
> about fake emails that were identified and blocked (and also help you
> identify if your systems are correctly set up for genuine emails to
> pass). If you are receiving the raw reports and don't understand them,
> try using something like Postmark.

I understand the reports fine, but I can't force another server to use my policy. With reports I know who is using my policies, but I know nothing of where the fraud emails are being delivered instead of rejected.

DAve

Re: DMARC usage opinion

Ralph Seichter-2
In reply to this post by Dominic Raferd
* Dominic Raferd:

> This is exactly what DMARC (p=reject) helps with.

I'm pretty sure you meant to say p=none there, didn't you?

-Ralph

Re: DMARC usage opinion

Ralph Seichter-2
In reply to this post by Dave Goodrich
* Dave Goodrich:

> I can't force another server to use my policy.

True, you cannot enforce your DMARC policies. Then again, you are also
unable to force third parties to pay attention to your SPF or DKIM
settings. The decision about how to process your messages will always
lie with the recipient.

One might be tempted to decide that DMARC et al. are not worth the
effort for a personal mail server, but not implementing DMARC means not
being able to send mail to Google-operated servers. :-/

-Ralph

Re: DMARC usage opinion

Gregory Heytings

Hi,

I'd second Viktor Dukhovni's opinion.  For the vast majority of mail
servers, a minimalistic DMARC policy suffices, just add the following
record in the domain's DNS root zone:

_dmarc 10800 IN TXT "v=DMARC1; p=none;"

If you want to go a step further, you can just monitor how DMARC is
applied by receiving mail servers to mails that (pretend to) come from
your domain.  Just add a "rua" ("reporting aggregate reports") entry:

_dmarc 10800 IN TXT "v=DMARC1; p=none; rua=mailto:[hidden email]"

You'll then start receiving a daily report from the mail servers that
implement DMARC reporting *and* that received at least one mail coming
from (or pretending to come from) your domain.  In most cases you'll only
receive reports from Google and Yahoo.  These reports are XML files, which
are difficult to read, so you should find a tool that helps you to make
sense of them.

The possible next steps are to use "p=quarantine", which basically means
"deliver the mail but flag it as spam", and "p=reject", which means what
it means: do not accept the email.  But as Viktor said these policies are
not recommended for a domain which does not handle sensitive information
(bank, government, hospital, ...).

Gregory

Re: DMARC usage opinion

Roberto Carna
Perfect!!!

Now I understand and I'll start the DMARC implementation with p=none to see what happens.

Regards !!!

On Wed, 18 Dec 2019 at 7:22, Gregory Heytings (<[hidden email]>) wrote:
>
> Hi,
>
> I'd second Viktor Dukhovni's opinion.  For the vast majority of mail
> servers, a minimalistic DMARC policy suffices, just add the following
> record in the domain's DNS root zone:
>
> _dmarc 10800 IN TXT "v=DMARC1; p=none;"
>
> If you want to go a step further, you can just monitor how DMARC is
> applied by receiving mail servers to mails that (pretend to) come from
> your domain.  Just add a "rua" ("reporting aggregate reports") entry:
>
> _dmarc 10800 IN TXT "v=DMARC1; p=none; rua=mailto:[hidden email]"
>
> You'll then start receiving a daily report from the mail servers that
> implement DMARC reporting *and* that received at least one mail coming
> from (or pretending to come from) your domain.  In most cases you'll only
> receive reports from Google and Yahoo.  These reports are XML files, which
> are difficult to read, so you should find a tool that helps you to make
> sense of them.
>
> The possible next steps are to use "p=quarantine", which basically means
> "deliver the mail but flag it as spam", and "p=reject", which means what
> it means: do not accept the email.  But as Viktor said these policies are
> not recommended for a domain which does not handle sensitive information
> (bank, government, hospital, ...).
>
> Gregory