<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<font face="monospace">Here are my notes. Hope they help. I test
from <a class="moz-txt-link-abbreviated" href="http://www.t-e-s-t.net">www.t-e-s-t.net</a>.<br>
<br>
</font>
<p>
<b>DMARC</b><br>
Domain-based Message Authentication Reporting &amp; Conformance <br>
(DMARC) is an email security protocol. DMARC verifies email
senders by building <br>
on the Domain Name System (DNS), DomainKeys Identified Mail
(DKIM), and Sender <br>
Policy Framework (SPF) protocols.
</p>
<p>
DMARC requires DKIM and SPF to be in place on the domain email
server and a <br>
DMARC record to be published in the DNS. The DMARC policy process,
also known <br>
as DMARC domain alignment, enables the email domain policy to be
shared and <br>
authenticated after the DKIM and SPF status has been checked.
</p>
<p>
<b>DMARC Report Providers</b><br>
Send reports about all email that checked authentication into an
XML digest. <br>
The report aggregates the data for a certain time period. Much
better <br>
than sending individual reports for each event. Email providers
typically send <br>
the aggregated report once per day, although these policies could
differ from <br>
provider to provider. The report comes as an attachment and is in a
compressed <br>
file format. Normally .gz or a .zip. The uncompressed content is an
XML file.<br>
</p>
<p>
<b>What is a DMARC Record?</b><br>
A DMARC record is included within an organization <br>
or domain owner DNS database, and is a specific version of a DNS
text record <br>
(TXT records). The full DMARC record looks similar to this: <br>
'<b>v=DMARC1; p=none; rua=<a class="moz-txt-link-freetext" href="mailto:a@a.tld">mailto:a@a.tld</a>; ruf=<a class="moz-txt-link-freetext" href="mailto:f@f.tld">mailto:f@f.tld</a>;
pct=100</b>'.<br>
<br>
The various sections within the DMARC record signify: <br>
1. v=DMARC1: The DMARC version specified. <br>
2. p=none: The domain owner DMARC policy or preferred disposition
of any email <br>
messages.<br>
3. rua=<a class="moz-txt-link-freetext" href="mailto:a@a.tld">mailto:a@a.tld</a>: The email address to which aggregate
reports should be sent.<br>
4. ruf=<a class="moz-txt-link-freetext" href="mailto:f@f.tld">mailto:f@f.tld</a>: The email address <br>
to which forensic reports should be sent.<br>
5. pct=100: The percentage of email to be subjected to a DMARC
policy <br>
disposition.<br>
<br>
FYI: 100% of email that fails a DMARC test should be rejected by
the server.<br>
</p>
<p>
<b>DMARC Domain Alignment</b><br>
Domain alignment is a DMARC concept that matches the domain of an
email against <br>
SPF and DKIM. A DMARC record can have varied strictness of DKIM
alignment, which <br>
affects whether messages will be allowed to pass through the DKIM
process. The <br>
alignment can either be relaxed, which matches base domains but
allows different <br>
sub.domains, or strict, which precisely matches the whole domain.<br>
<br>
The 2nd kind of DKIM test is alignment. In basic terms, an
alignment test <br>
verifies that the organizational domain matches (aligns) in
several areas. <br>
To achieve DKIM alignment, the header visible to the email
receiver <br>
must match the aforementioned d= domain in the DKIM header. By
default, this <br>
match looks for the primary domain to match between the two
domains, which <br>
means messages that contain a sub.domain should align.<br>
</p>
<p>
<b>What are DMARC p= Policies?</b> <br>
The policy a domain owner uses in the DMARC record tells the
receiving email <br>
server what it should do with email that fails DKIM and/or an SPF
check, but <br>
claims to be from the domain. The three available policies, which
are signified by <br>
the 'p=' tag, are:<br>
<br>
None <br>
Signified by 'p=none,' this advises the receiving server to
perform no action <br>
when receiving an unqualified email. <br>
However, the server should send email reports to the rua= and/or
ruf= email <br>
address in the DMARC record.<br>
<br>
Quarantine <br>
Signified by 'p=quarantine,' this advises the receiving server to
quarantine <br>
any unqualified email. As a result, email will typically reach the
recipient <br>
SPAM folder.<br>
<br>
Reject<br>
Signified by 'p=reject,' this advises the <br>
receiver to deny unqualified email messages. It ensures only email
messages <br>
that are 100% verified as being from a domain will reach the
inbox. The email <br>
that fails the checks should be denied.<br>
</p>
<p>
<b>SPF Alignment</b><br>
Alignment is the 1st SPF test that consists of checking whether
the <br>
sending domain in multiple parts of the message headers matches. To
achieve SPF <br>
alignment, the header visible to the email receiver must match the
<br>
domain used to authenticate SPF, i.e. the envelope 'mail from:'
domain. By <br>
default, this match looks for the primary domain to match between
the two <br>
domains. So a message that contains a sub.domain will align, as is
the case with <br>
authentication.<br>
</p>
<p>
<b>SPF Authentication</b><br>
SPF can be evaluated via authentication and alignment. An outbound
email should <br>
pass SPF authentication when delivered from an IP address
published in the SPF <br>
policy for the domain found in the 'mail from' envelope.
Essentially, the IP <br>
address that sent the email must match an IP address published in
the SPF <br>
record domain.<br>
</p>
<p>
<b>Complying with DMARC through DKIM</b><br>
For an email to comply with DMARC based on DKIM, both of the
following <br>
conditions must be met: <br>
<br>
1. The message must have a valid DKIM signature. <br>
2. The From address in the email header must align with the domain
in the DKIM <br>
signature. If the domain's DMARC policy specifies strict
alignment for DKIM, <br>
these domains must match exactly. If the domain's DMARC policy
specifies <br>
relaxed alignment for DKIM, the domain can be a sub.domain of
the From domain.<br>
</p>
<p>
<b>Complying with DMARC through SPF</b><br>
For an email to comply with DMARC based on SPF, both of the
following conditions <br>
must be met: <br>
<br>
1. The email must pass an SPF check. <br>
2. The domain in the From address of the email header must align
with the <br>
MAIL FROM domain that the sending mail server specifies to the
receiving <br>
mail server. If the domain's DMARC policy for SPF specifies
strict alignment <br>
the From and MAIL FROM domains must match exactly. If the
domain's DMARC <br>
policy for SPF specifies relaxed alignment, then MAIL FROM
domain can be a <br>
sub.domain of the domain in the From header.<br>
</p>
<p>
<b>TIPS &amp; FYI:</b><br>
You can check your domain DMARC alignment for SPF by typing the
following <br>
command at the command line, replace example.com with your domain:
<br>
<b>nslookup -type=TXT _dmarc.example.com</b><br>
</p>
<p>
<b>Email Headers</b><br>
Return-Path: <a class="moz-txt-link-abbreviated" href="mailto:user@subhost.domain.tld">user@subhost.domain.tld</a> &lt;==MAIL From <br>
From: <a class="moz-txt-link-abbreviated" href="mailto:user@subhost.domain.tld">user@subhost.domain.tld</a> &lt;==ENVELOPE From <br>
Received: from subhost.domain.tld (subhost.domain.tld.
[252.252.252.252]) <br>
Reply-To: <a class="moz-txt-link-abbreviated" href="mailto:user@subhost.domain.tld">user@subhost.domain.tld</a> <br>
To: <a class="moz-txt-link-abbreviated" href="mailto:user@subhost.domain">user@subhost.domain</a>.<br>
</p>
<p>
pct= is an optional DMARC tag that takes a plain-text integer
between 0 and 100, <br>
inclusive. If this tag is not used, 100% of failed messages are
subject to the <br>
DMARC published policy for the domain.<br>
</p>
<p>
<b>Summation</b><br>
SPF and DKIM protocols are necessary to attain DMARC compliance.
Sub-components <br>
of the protocols, authentications, and alignments must pass all
respective tests <br>
for the outbound email setup to reach 100% DMARC compliance and
intended users.<br>
</p>
<p>
DMARC combines these two standards into a common framework. It
enables domain <br>
administrators to set rules on how to handle email from a domain
if it fails <br>
authentication.<br>
</p>
<p>
DMARC, DKIM, and SPF are all protocols relating to different areas
of email <br>
authentication. SPF enables senders to define the Internet
Protocol (IP) <br>
addresses that are allowed to send email from a domain. DKIM
verifies the email <br>
message using a digital signature and an encryption key, ensuring
the email <br>
message cannot be altered or spoofed in transit.<br>
</p>
<p>
SPF, DKIM and DMARC records request the email server to send Extensible
Markup <br>
Language (XML) reports to the email address associated with the
records. A <br>
DMARC report provides information about how email moves through a
system and <br>
enables users to identify the email traffic that uses the email
domain.<br>
</p>
<font face="monospace"><br>
-- <br>
Best regards<br>
David Hahn <br>
_______________________________________________</font><br>
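<p>
Added example (not part of David's notes, and not BlueOnyx or OpenDKIM code):
a small Python evaluator that applies the rules in the notes above. It parses
a DMARC TXT record ('v=', 'p=', 'sp=', 'adkim=', 'aspf=', 'rua=', 'ruf=',
'pct='), checks relaxed versus strict alignment of the From domain against the
SPF MAIL FROM domain and the DKIM d= domain, and derives the disposition a
receiver would apply, including the pct= sampling fallback. One assumption is
labelled in the code: the organizational (base) domain is approximated as the
last two DNS labels, where real validators consult the Public Suffix List.
The record strings and domains are constructed for the example.
</p>
```python
"""Added example (not David's code): parse a DMARC TXT record and apply the
alignment and p=/pct= rules described in the notes above.

Assumption: the organizational ("base") domain is approximated as the last
two DNS labels; real validators consult the Public Suffix List. Sample
records and domains are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DmarcRecord:
    policy: str                       # p= : none, quarantine or reject
    subdomain_policy: Optional[str]   # sp=, applies to sub.domains when set
    adkim: str                        # DKIM alignment: r(elaxed) or s(trict)
    aspf: str                         # SPF alignment: r or s
    rua: List[str]                    # aggregate report addresses
    ruf: List[str]                    # forensic report addresses
    pct: int                          # share of failing mail the policy applies to


def parse_dmarc_record(txt: str) -> DmarcRecord:
    """Parse e.g. 'v=DMARC1; p=none; rua=mailto:a@a.tld; pct=100'."""
    pairs = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        pairs.append((key.strip().lower(), value.strip()))
    if not pairs or pairs[0] != ("v", "DMARC1"):
        raise ValueError("record must start with v=DMARC1")
    tags = dict(pairs)
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p= must be none, quarantine or reject")
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError("pct= must be an integer between 0 and 100")

    def uris(value):  # comma-separated list of mailto: URIs
        return [u.strip() for u in value.split(",") if u.strip()]

    return DmarcRecord(policy=tags["p"], subdomain_policy=tags.get("sp"),
                       adkim=tags.get("adkim", "r"), aspf=tags.get("aspf", "r"),
                       rua=uris(tags.get("rua", "")), ruf=uris(tags.get("ruf", "")),
                       pct=pct)


def org_domain(domain: str) -> str:
    """Approximate the organizational domain (assumption: last two labels)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict: whole domains match. Relaxed: organizational domains match."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def evaluate(record, from_domain, spf_result, mail_from_domain,
             dkim_result, dkim_d) -> dict:
    """DMARC passes if SPF or DKIM passes *and* its domain aligns with From."""
    spf_ok = spf_result == "pass" and aligned(from_domain, mail_from_domain, record.aspf)
    dkim_ok = (dkim_result == "pass" and dkim_d is not None
               and aligned(from_domain, dkim_d, record.adkim))
    return {"spf": spf_ok, "dkim": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}


def disposition(record, from_domain, dmarc_result, sample_value) -> str:
    """Action for a message. sample_value is 0-99: a receiver draws it at
    random, and failing messages at or above pct= fall back one policy level."""
    if dmarc_result == "pass":
        return "none"
    policy = record.policy
    if record.subdomain_policy and from_domain.lower() != org_domain(from_domain):
        policy = record.subdomain_policy
    if sample_value >= record.pct:
        return {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy]
    return policy


if __name__ == "__main__":
    rec = parse_dmarc_record("v=DMARC1; p=none; rua=mailto:a@a.tld; ruf=mailto:f@f.tld; pct=100")
    # Constructed message: From subhost.domain.tld, SPF passes on bounce.domain.tld, no DKIM
    res = evaluate(rec, "subhost.domain.tld", "pass", "bounce.domain.tld", "none", None)
    print(res, disposition(rec, "subhost.domain.tld", res["dmarc"], 0))
```
<p>
The relaxed default is what makes the notes' "a message that contains a
sub.domain will align" true: subhost.domain.tld and bounce.domain.tld share the
base domain, so they align under 'r' but not under 's'.
</p>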
<br>
<div class="moz-cite-prefix">On 1/27/2024 5:26 AM, Richard Sidlin
via Blueonyx wrote:<br>
</div>
<blockquote type="cite"
cite="mid:968E0A66AA6231438BFF9489CB9318E4020E12C122@MK-2010HOSTED2.helpinternet2.it">
<div class="WordSection1">
<p class="MsoNormal">Guys</p>
<p class="MsoNormal">Staying on the subject of DKIM. I think I
set it up properly but when I do a test either on one of the
online checkers or looking at the Gmail headers, it states
FAIL.</p>
<p class="MsoNormal">5210R. OpenDKIM is enabled and a couple of
DKIM aliases, hostname of default._domainkey, domain name of
the DNS TXT Record set and the TXT record that is:</p>
<p class="MsoNormal">v=DKIM1; k=rsa;
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGZqcsl8kAZREYi+KatsmFL35XTGYZuAEO3baCGHSXFZ+DzpHs3SNtczldMFCZybgU/n+hlXQlE1Pca0wiiPkbYIxd813CRhh+URkuPLZcQGFeJK08v4OBS3j6SnjaYq/2evvbe4b8NuwqfSV8lzwcsFP39yJZVngi0em2fuD5VQIDAQAB</p>
<p class="MsoNormal">On a separate 5210R server that I use for
DNS, I added a TXT record:</p>
<p class="MsoNormal">Under Query:</p>
<p class="MsoNormal">default._domainkey . racesonline.uk</p>
<p class="MsoNormal">Type:</p>
<p class="MsoNormal">TXT</p>
<p class="MsoNormal">Response:</p>
<table class="MsoNormalTable" cellspacing="0" cellpadding="0" border="0">
<tbody>
<tr>
<td style="background:#E6ECEF;padding:6.0pt 3.75pt 6.0pt 3.75pt">
<p class="MsoNormal">v=DKIM1;
k=rsa;
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGZqcsl8kAZREYi+KatsmFL35XTGYZuAEO3baCGHSXFZ+DzpHs3SNtczldMFCZybgU/n+hlXQlE1Pca0wiiPkbYIxd813CRhh+URkuPLZcQGFeJK08v4OBS3j6SnjaYq/2evvbe4b8NuwqfSV8lzwcsFP39yJZVngi0em2fuD5VQIDAQAB</p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><a
href="https://mxtoolbox.com/Public/Tools/EmailHeaders.aspx?huid=2cd2b490-c533-4f46-9135-10335cf9ff51"
moz-do-not-send="true" class="moz-txt-link-freetext">https://mxtoolbox.com/Public/Tools/EmailHeaders.aspx?huid=2cd2b490-c533-4f46-9135-10335cf9ff51</a></p>
<p class="MsoNormal">Can anyone point me in the right direction
please?</p>
<p class="MsoNormal">Thanks</p>
<p class="MsoNormal">Rich</p>
</div>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Blueonyx mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Blueonyx@mail.blueonyx.it">Blueonyx@mail.blueonyx.it</a>
<a class="moz-txt-link-freetext" href="http://mail.blueonyx.it/mailman/listinfo/blueonyx">http://mail.blueonyx.it/mailman/listinfo/blueonyx</a>
</pre>
</blockquote>
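<p>
Added example (not part of the notes above, nor Richard's or BlueOnyx's
code) for the "DMARC Report Providers" section of David's notes: the aggregate
(rua=) report arrives as a .gz or .zip attachment containing XML, so this Python
snippet unpacks either form, then walks the report's record elements and
totals how much mail passed or failed DMARC per source IP. The XML report
below is constructed for the example; the element names follow the
aggregate-report format that providers send, and the reporter name, IPs and
counts are made up.
</p>
```python
"""Added example (not David's code): unpack and summarize a DMARC aggregate
(rua) report. The report XML below is constructed for this example."""
import gzip
import io
import zipfile
import xml.etree.ElementTree as ET

# Constructed sample: one aligned-pass source and one failing source.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>example-reporter</org_name>
    <date_range><begin>1706313600</begin><end>1706400000</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>domain.tld</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>203.0.113.10</source_ip><count>25</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>domain.tld</header_from></identifiers>
    <auth_results>
      <dkim><domain>domain.tld</domain><result>pass</result></dkim>
      <spf><domain>subhost.domain.tld</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>domain.tld</header_from></identifiers>
    <auth_results>
      <spf><domain>other.example</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def unpack_attachment(data: bytes) -> str:
    """Return the XML text from a raw attachment (.gz, .zip or plain XML)."""
    if data[:2] == b"\x1f\x8b":                     # gzip magic bytes
        return gzip.decompress(data).decode("utf-8")
    if data[:2] == b"PK":                           # zip magic bytes
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n for n in zf.namelist() if n.lower().endswith(".xml")]
            if not names:
                raise ValueError("zip attachment contains no XML report")
            return zf.read(names[0]).decode("utf-8")
    return data.decode("utf-8")


def summarize_report(xml_text: str) -> dict:
    """Total messages per DMARC outcome; policy_evaluated holds the *aligned*
    SPF/DKIM results, so DMARC passes when either of them is 'pass'."""
    root = ET.fromstring(xml_text)
    summary = {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "total": 0, "dmarc_pass": 0, "dmarc_fail": 0, "failing_sources": [],
    }
    for rec in root.findall("record"):
        count = int(rec.findtext("row/count", "0"))
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        summary["total"] += count
        if dkim == "pass" or spf == "pass":
            summary["dmarc_pass"] += count
        else:
            summary["dmarc_fail"] += count
            summary["failing_sources"].append({
                "source_ip": rec.findtext("row/source_ip"),
                "count": count,
                "header_from": rec.findtext("identifiers/header_from"),
                "disposition": rec.findtext("row/policy_evaluated/disposition"),
            })
    return summary


def pack_sample(fmt: str) -> bytes:
    """Constructed attachment bytes in the given form: 'gz', 'zip' or 'xml'."""
    raw = SAMPLE_REPORT.encode("utf-8")
    if fmt == "gz":
        return gzip.compress(raw)
    if fmt == "zip":
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("example-reporter!domain.tld!1706313600!1706400000.xml", raw)
        return buf.getvalue()
    return raw


if __name__ == "__main__":
    print(summarize_report(unpack_attachment(pack_sample("gz"))))
```
<p>
With p=none the failing source is still delivered (disposition "none"), which
is exactly the monitoring phase the notes describe: the report shows which
IPs send as the domain without aligned SPF or DKIM before the policy is moved
to quarantine or reject.
</p>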
<br>
<pre class="moz-signature" cols="72">--
---
TIA
David Hahn - PageKeeper Service
----</pre>
</body>
</html>