DMARC
DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email-authentication protocol that provides a mechanism for receivers to determine whether incoming messages are legitimate and were sent from authorised sources. A sending domain publishes a DMARC policy as a DNS TXT record, specifying how receivers should handle messages that fail SPF or DKIM authentication. DMARC also defines a reporting mechanism that lets the sender receive feedback on how their messages are being handled, which can be used to tune SPF and DKIM configurations and monitor for abuse of the domain.
All outgoing DMARC reports (both failure and aggregate) are configured on the DmarcReportSettings singleton (found in the WebUI under Settings › MTA › Reports › DMARC).
Failure reports
DMARC authentication-failure reporting lets domain owners receive feedback about messages that fail DMARC evaluation. Reports include the envelope sender address, the header From address, and the IP address of the sending server, together with the DMARC evaluation results. Analysing these reports helps domain owners identify potential abuse of their domain and take corrective action.
Failure reports are configured by the following fields:
failureFromName: expression returning the name used in theFromheader of the report. Default'Report Subsystem'.failureFromAddress: expression returning the email address used in theFromheader. Default'noreply-dmarc@' + system('domain').failureSubject: expression returning the report subject. Default'DMARC Authentication Failure Report'.failureSendFrequency: expression returning the rate at which failure reports are sent to a given address. Default[1, 1d]. Returningfalsedisables failure reporting.failureDkimSignDomain: expression returning the domain whose DKIM signatures sign the outgoing report. Defaultsystem('domain').
Example:
{
"failureFromName": {"else": "'Report Subsystem'"},
"failureSubject": {"else": "'DMARC Authentication Failure Report'"},
"failureSendFrequency": {"else": "[1, 1d]"},
"failureDkimSignDomain": {"else": "'example.org'"}
}
Aggregate reports
DMARC aggregate reporting lets organisations receive reports on messages that pass or fail DMARC evaluation. Aggregate reports are generated by receiving mail servers and contain information about messages sent from the domain, including the sending IP address, SPF and DKIM authentication results, and the disposition of the message (pass, fail, or quarantine). They are typically sent daily or weekly in a machine-readable format (XML).
Aggregate reports are configured by the following fields:
aggregateFromName: expression returning the name used in theFromheader of the aggregate report. Default'Report Subsystem'.aggregateFromAddress: expression returning the email address used in theFromheader. Default'noreply-dmarc@' + system('domain').aggregateSubject: expression returning the report subject. Default'DMARC Aggregate Report'.aggregateOrgName: expression returning the organisation name included in the report. Defaultsystem('domain').aggregateContactInfo: optional expression returning contact information for the reporting organisation.aggregateSendFrequency: expression returning the frequency at which aggregate reports are sent. Supported values arehourly,daily,weekly, andnever. Defaultdaily.aggregateMaxReportSize: expression returning the maximum size of the aggregate report in bytes. Default 5242880 (5 MB).aggregateDkimSignDomain: expression returning the domain whose DKIM signatures sign the outgoing report. Defaultsystem('domain').
Example:
{
"aggregateFromName": {"else": "'DMARC Report'"},
"aggregateSubject": {"else": "'DMARC Aggregate Report'"},
"aggregateOrgName": {"else": "'The example Organization'"},
"aggregateSendFrequency": {"else": "daily"},
"aggregateMaxReportSize": {"else": "26214400"},
"aggregateDkimSignDomain": {"else": "'example.org'"}
}