DNS manipulation for SPF and DMARC

Anton Shestakov av6 at dwimlabs.net
Thu Oct 12 17:05:36 UTC 2017


On Thu, 12 Oct 2017 11:03:01 -0400
Augie Fackler <raf at durin42.com> wrote:

> I've done some sniffing around, and it looks like we could at least start figuring out *why* we're getting on this spamhaus list if we would enable DMARC in notify-only mode, and it would definitely help our IP reputation to have an SPF record. So I think we should configure the following DNS entries:
> 
> 
> # We could probably also put "a mx" in here to allow the A and MX
> # records for mercurial-scm.org to transact mail.
> mercurial-scm.org.  IN TXT "v=spf1 ip4:192.81.134.36 ip6:2600:3c01::f03c:91ff:fedb:76b6/64 ~all"

If you decide to put "a mx" here (it definitely makes sense doing that),
you won't need to hardcode the IP addresses. That way whatever's
checking SPF on the other end will resolve A and AAAA for
"mercurial-scm.org" and its configured MX hosts in the process of
validating.

...except without the /64 in the ipv6 field, but are you sure you're using
multiple IPv6 addresses from that subnet on the server for email?
Addresses that don't resolve back to mercurial-scm.org (try with `dig
-x`) will suffer penalties when trying to deliver mail. So it may be
better to make sure everything uses only one IPv6 address, one that
resolves to mercurial-scm.org. It will also simplify this SPF record
down to "v=spf1 a mx ~all".

If DMARC reports reveal that people pretend to be m-s.o to send spam,
it will help somewhat to change from SoftFail ("~all") to Fail ("-all").

> # rua = "aggregate data reporting address"
> # ruf = "forensic data reporting address"
> # fo = "failure option" -> 1 means "report for any failure"
> # By default this applies to 100% of mail.
> _dmarc.mercurial-scm.org. IN TXT "v=DMARC1; p=none; rua=mailto:dmarc at mercurial-scm.org; ruf=mailto:dmarc at mercurial-scm.org; fo=1"

I'd like to link this FAQ entry from dmarc.org about "ruf":

https://dmarc.org/wiki/FAQ#Do_I_want_to_receive_Failure_Reports_.28ruf.3D.29.3F

It says "[make] sure you are ready to receive a LOT of messages".

Also, not sure how verbose the forensic format is, but some incoming
mail may look a lot like spam; dmarc at m-s.o will probably need to accept
that?
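The two records discussed in this thread, evaluated the way a receiving MTA would, as an added example (this is not Mercurial project code and was not posted by anyone in the thread). It contains a small RFC 7208 SPF evaluator covering the ip4, ip6, a, mx and all mechanisms, a helper that flags ip4/ip6 terms authorising more than one address (the /64 point above), and a DMARC record parser applying the RFC 7489 defaults. The DNS answers in STUB_DNS are constructed for the example: the addresses are the ones from the thread, while the MX hostname and the assumption that it resolves to the same addresses are made up so the code runs offline; a real receiver would query DNS instead.

```python
"""Added example: minimal SPF evaluation and DMARC record parsing (offline, stub DNS)."""
import ipaddress

# Constructed DNS data (assumption, not real zone contents): what a receiver
# would look up while evaluating "a" and "mx" for mercurial-scm.org.
STUB_DNS = {
    ("mercurial-scm.org", "A"): ["192.81.134.36"],
    ("mercurial-scm.org", "AAAA"): ["2600:3c01::f03c:91ff:fedb:76b6"],
    ("mercurial-scm.org", "MX"): ["mail.mercurial-scm.org"],  # hypothetical MX host
    ("mail.mercurial-scm.org", "A"): ["192.81.134.36"],
    ("mail.mercurial-scm.org", "AAAA"): ["2600:3c01::f03c:91ff:fedb:76b6"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

SPF_THREAD = "v=spf1 ip4:192.81.134.36 ip6:2600:3c01::f03c:91ff:fedb:76b6/64 ~all"
SPF_SIMPLE = "v=spf1 a mx ~all"
DMARC_THREAD = ("v=DMARC1; p=none; rua=mailto:dmarc@mercurial-scm.org; "
                "ruf=mailto:dmarc@mercurial-scm.org; fo=1")


def lookup(name, rtype, dns=STUB_DNS):
    return dns.get((name.lower(), rtype), [])


def host_addrs(name, dns):
    """All A and AAAA addresses of a host, as ip_address objects."""
    return [ipaddress.ip_address(a) for t in ("A", "AAAA") for a in lookup(name, t, dns)]


def evaluate_spf(record, client_ip, domain, dns=STUB_DNS):
    """Evaluate an SPF record for the connecting client_ip.

    Handles ip4, ip6, a, mx and all with the four qualifiers. include, exists,
    ptr, redirect and the "a/24"-style dual-CIDR suffixes are not implemented
    and yield permerror. Returns pass/fail/softfail/neutral/permerror/none."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)  # bare address -> /32 or /128
            except ValueError:
                return "permerror"
            matched = ip.version == net.version and ip in net
        elif mech in ("a", "mx"):
            target = arg or domain  # "a:other.example" names a different host
            hosts = [target] if mech == "a" else lookup(target, "MX", dns)
            matched = any(ip == addr for h in hosts for addr in host_addrs(h, dns))
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # nothing matched and no "all" term: RFC 7208 default


def wide_ip_terms(record):
    """ip4/ip6 terms whose prefix authorises more than a single address (e.g. a /64)."""
    wide = []
    for term in record.split()[1:]:
        mech, _, arg = term.lstrip("+-~?").partition(":")
        if mech.lower() in ("ip4", "ip6") and "/" in arg:
            net = ipaddress.ip_network(arg, strict=False)
            if net.prefixlen < net.max_prefixlen:
                wide.append(term)
    return wide


def parse_dmarc(record):
    """Parse a DMARC TXT record into tag -> value, filling in RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: v=DMARC1 and p= are required")
    for tag, default in (("pct", "100"), ("fo", "0"), ("adkim", "r"), ("aspf", "r")):
        tags.setdefault(tag, default)
    return tags


if __name__ == "__main__":
    print(wide_ip_terms(SPF_THREAD))
    print(evaluate_spf(SPF_THREAD, "2600:3c01::1", "mercurial-scm.org"))
    print(evaluate_spf(SPF_SIMPLE, "2600:3c01::1", "mercurial-scm.org"))
    print(parse_dmarc(DMARC_THREAD))
```

Running it shows the practical difference between the two records: with the /64 any host in that subnet passes SPF for mercurial-scm.org, whereas "v=spf1 a mx ~all" passes only the addresses the domain and its MX actually resolve to, and softfails everything else until "~all" is tightened to "-all".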
