NAME
Domain-based Message Authentication, Reporting and Conformance
SYNOPSIS
DMARC: an extremely reliable means to authenticate email.
DESCRIPTION
From the DMARC Draft: "DMARC operates as a policy layer atop DKIM and
SPF. These technologies are the building blocks of DMARC as each is
widely deployed, supported by mature tools, and is readily available to
both senders and receivers. They are complementary, as each is
resilient to many of the failure modes of the other."
DMARC provides a way to exchange authentication information and
policies among mail servers.
DMARC benefits domain owners by preventing others from impersonating
them. A domain owner can reliably tell other mail servers that "if it
doesn't originate from this list of servers (SPF) and it is not signed
(DKIM), then reject it!" DMARC also provides domain owners with a means
to receive feedback and determine that their policies are working as
desired.
DMARC benefits mail server operators by providing them with an
extremely reliable (as opposed to DKIM or SPF, which both have
reliability issues when used independently) means to block forged
emails. Is that message really from PayPal, Chase, Gmail, or Facebook?
Since those organizations, and many more, publish DMARC policies,
operators have a definitive means to know.
Instructions on how to use the plugin, how to deploy DMARC to protect one's own domains, and more are included as POD in the plugin.
Available in the qpsmtpd-dev repo:
https://github.com/qpsmtpd-dev/qpsmtpd-dev/blob/master/plugins/dmarc
In contrast to most qpsmtpd plugins, DMARC provides an extremely reliable basis for message rejection. Better still, it's based on the published policies of the domain the message purports to be from (in the From: header), making it complementary to SPF, which checks the Envelope FROM sender.
If you find that SpamAssassin isn't catching all the forged @google.com emails that the Win bots are sending, this plugin will do the trick. It'll also stop all the forged [a-z]{6}@yahoo.com spams whose senders haven't made it onto a DNSBL yet. The largest *legitimate* email senders have deployed DMARC records. And now I have too. :-)
Matt
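
The From:-header policy check described above, as an added example in Python; it is not the qpsmtpd plugin's code and not part of the original post. It assumes the DMARC record was already fetched from DNS at the From: domain itself, that the organizational domain is the last two labels (a real implementation consults the Public Suffix List), and that pct is 100; the records, domains and function names are constructed for illustration.

```python
# Added example: DMARC disposition for one message (not the qpsmtpd plugin's code).

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not a valid record."""
    pairs = [p.split("=", 1) for p in txt.split(";") if "=" in p]
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    # v=DMARC1 must be the first tag, and p must be a known policy.
    if not pairs or pairs[0][0].strip().lower() != "v" or tags["v"] != "DMARC1":
        return None
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        return None
    return tags

def org_domain(domain):
    # Assumption: the organizational domain is the last two labels.
    # A real implementation consults the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict ("s") needs an exact match; relaxed ("r") compares organizational domains."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(record_txt, from_domain, spf, dkim):
    """spf is (result, envelope_domain); dkim is a list of (result, d_domain)."""
    rec = parse_dmarc(record_txt)
    if rec is None:
        return "no-policy"
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], rec.get("aspf", "r"))
    dkim_ok = any(res == "pass" and aligned(from_domain, d, rec.get("adkim", "r"))
                  for res, d in dkim)
    # One aligned pass is enough; otherwise the domain owner's policy applies.
    return "pass" if spf_ok or dkim_ok else rec["p"].lower()

# Constructed sample records and messages.
RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
STRICT = "v=DMARC1; p=quarantine; adkim=s; aspf=s"

def demo():
    return {
        # SPF passes for the sender's own envelope domain, but From: is forged.
        "forged": dmarc_disposition(RECORD, "example.com", ("pass", "bulk.example.net"), []),
        # Forwarded mail: SPF fails, the aligned DKIM signature still passes.
        "forwarded": dmarc_disposition(RECORD, "example.com", ("fail", "example.com"),
                                       [("pass", "mail.example.com")]),
        # Same signature under strict alignment no longer counts.
        "strict": dmarc_disposition(STRICT, "example.com", ("fail", "example.com"),
                                    [("pass", "mail.example.com")]),
    }

if __name__ == "__main__":
    print(demo())
```

The "forged" case is the one SPF alone lets through: the envelope domain authenticates, but it does not align with the From: header, so the published policy applies.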