develooper Front page | perl.qpsmtpd | Postings from April 2013

plugin announcement: DMARC

Matt Simerson
April 26, 2013 08:39
plugin announcement: DMARC
Message ID:

       Domain-based Message Authentication, Reporting and Conformance

       DMARC: an extremely reliable means to authenticate email.

       From the DMARC Draft: "DMARC operates as a policy layer atop DKIM and
       SPF. These technologies are the building blocks of DMARC as each is
       widely deployed, supported by mature tools, and is readily available to
       both senders and receivers. They are complementary, as each is
       resilient to many of the failure modes of the other."

       DMARC provides a way to exchange authentication information and
       policies among mail servers.

       DMARC benefits domain owners by preventing others from impersonating
       them. A domain owner can reliably tell other mail servers that "if it
       doesn't originate from this list of servers (SPF) and it is not signed
       (DKIM), then reject it!" DMARC also provides domain owners with a means
       to receive feedback and determine that their policies are working as

       DMARC benefits mail server operators by providing them with an
       extremely reliable (as opposed to DKIM or SPF, which both have
       reliability issues when used independently) means to block forged
       emails. Is that message really from PayPal, Chase, Gmail, or Facebook?
       Since those organizations, and many more, publish DMARC policies,
       operators have a definitive means to know.

Instructions on how to use the plugin, how to deploy DMARC to protect ones own domains, and more is included as POD in the plugin.

Available in the qpsmtpd-dev repo:

As contrasted to most qpsmtpd plugins, DMARC provides an extremely reliable basis for message rejection. Better still, it's based on the published policies of the domain the message purports to be from (in the From: header), making it complementary to SPF, which checks the Envelope FROM sender.  

If you find that SpamAssassin isn't catching all the forged emails that the Win bots are sending, this plugin will do the trick. It'll also stop all the forged [a-z]{6} spams those senders haven't made it onto a DNSBL yet.  The largest *legitimate* email senders have deployed DMARC records.  And now I have too. :-)

Matt Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at | Group listing | About