Dmarc

Discussion in 'Developers' Forum' started by florian030, Dec 2, 2014.

  1. florian030

    florian030 ISPConfig Developer

    1. I think we should add a DMARC record only when an SPF record exists and DKIM is enabled for the mail domain. This breaks the draft (see draft 5.6.2) but makes much more sense:
    A DMARC check passes if the auth check for SPF or DKIM is ok. This means that a DMARC check is valid without DKIM as long as the SPF record matches. This leads to a useless DMARC record, as an SPF check could be done without DMARC. When the receiver does not validate DKIM signatures, the mail could also have an invalid DKIM key and the mail passes the DMARC check.
    2. DMARC allows reports for rua and ruf to external addresses.
    Code:
    v=DMARC1; p=none; rua=mailto:dmarc@external.com
    is valid for example.com.
    If a remote address is used, a record in the remote zone is required
    Code:
    example.com._report._dmarc.external.com v=DMARC1
    As long as the remote zone is managed with ISPConfig, I can easily insert a record in the remote zone (by ignoring permissions and limits) or check for an existing record with an SQL query.
    If the remote zone is not managed with ISPConfig, I can use dig to check for a record, but there is currently no way to add the record.

    Should the corresponding record be added to a remote zone managed by ISPConfig?
    Should a DMARC record fail with a remote address if no record is in the remote zone?
    Should we just disallow remote-addresses?
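
The external-report check described in the post above, as an added example that is not part of the original post and not ISPConfig code: it extracts the rua/ruf hosts from a DMARC record, builds the `<domain>._report._dmarc.<host>` name for each external one, and checks it for `v=DMARC1`. The function names and the `lookup_txt` callable (which in practice would wrap dig or a resolver library) are assumptions, and the zone data is constructed.

```python
import re

def report_hosts(dmarc_txt):
    """Return the mail hosts named in rua= and ruf= of a DMARC TXT record."""
    hosts = set()
    for tag in dmarc_txt.split(";"):
        name, _, value = tag.strip().partition("=")
        if name.strip().lower() not in ("rua", "ruf"):
            continue
        for uri in value.split(","):
            # A URI may carry a size limit suffix such as "!10m"; stop at "!".
            m = re.match(r"\s*mailto:[^@\s]+@([^!\s]+)", uri, re.I)
            if m:
                hosts.add(m.group(1).lower().rstrip("."))
    return hosts

def is_external(policy_domain, host):
    # Simplification (assumption): a host is internal only if it equals the
    # policy domain or is a subdomain of it. RFC 7489 compares Organizational
    # Domains, which needs the Public Suffix List.
    return not (host == policy_domain or host.endswith("." + policy_domain))

def check_external_reports(policy_domain, dmarc_txt, lookup_txt):
    """Map each external report host to (authorization record name, found?)."""
    policy_domain = policy_domain.lower().rstrip(".")
    result = {}
    for host in sorted(report_hosts(dmarc_txt)):
        if not is_external(policy_domain, host):
            continue
        name = f"{policy_domain}._report._dmarc.{host}"
        # The remote zone authorizes reports with a TXT record starting v=DMARC1.
        ok = any(re.match(r"\s*v\s*=\s*DMARC1\s*(;|$)", t) for t in lookup_txt(name))
        result[host] = (name, ok)
    return result

# Constructed sample zone data standing in for real DNS answers.
SAMPLE_ZONE = {
    "example.com._report._dmarc.external.com": ["v=DMARC1"],
}

def sample_lookup(name):
    """Hypothetical resolver stub: return the TXT strings stored for name."""
    return SAMPLE_ZONE.get(name, [])
```

A record editor could use the second element of each tuple to reject or warn on a remote address whose zone carries no authorization record.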
     
