Marc,
Strictly speaking, you don't need the SPF record; however, I strongly
recommend you publish a "permit none" SPF record as many corporate gateways
that don't support DMARC (or don't have validation enabled) will still
block fraudulent messages based on an SPF record.
v=spf1 -all
Best Regards,
John
On Fri, Aug 25, 2017 at 12:20 PM, Marko Nix via dmarc-discuss <
dmarc-discuss@dmarc.org> wrote:
> Hi Marc,
>
> your idea is right in my opinion.
>
> You do need a valid SPF (but may be a „-all“ thats your choice, because
> you don’t send for that domain mails) record. But no DKIM, because you
> don’t send emails.
>
> But enough of talking, i think an example helps more:
>
> Domain 1 (master)
> _dmarc IN TXT ("v=DMARC1; p=quarantine;
> sp=reject; fo=1; aspf=r; adkim=s;"
> "rua=mailto:dmarc@tech-nicks.
> de <dm...@tech-nicks.de>; ruf=mailto:dm...@tech-nicks.de
> <dm...@tech-nicks.de>;")
>
> Domain 2 (no real use)
> @ IN TXT "v=spf1 -all"
> _dmarc IN TXT ("v=DMARC1; p=reject;
> sp=reject; fo=1; aspf=s; adkim=s;"
> "rua=
> mailto:dm...@tech-nicks.de <dm...@tech-nicks.de>; ruf=
> mailto:dm...@tech-nicks.de <dm...@tech-nicks.de>;“)
>
> But you have to allow other domains receiving reports. For me it is an
> other domain i own.
>
> Domain 3 (where the reports go)
> (its own dmarc record - left out because does not matter here)
> tierheilpraxis-nix.de._report._dmarc IN TXT "v=DMARC1"
> thp-nix.de._report._dmarc IN TXT "v=DMARC1“
>
> So its that what you have written I think. Do not waste time on DKIM - you
> don’t send, you don’t need it.
>
> Hope it helps.
>
> Kind regards,
> Marko
>
> Am 25.08.2017 um 19:22 schrieb Marc Luescher via dmarc-discuss <
> dmarc-discuss@dmarc.org>:
>
> Hi there,
>
> we are setting up a lot of vanity domains to make sure they can not be
> used for abuse.
>
> main domain fresenius.com
> vanity 1 fressenius.com etc
>
> My idea was to just to create a DMARC record like :
>
> v=DMARC1; p=reject; rua=mailto:71676...@mxtoolbox.dmarc-report.com
> <71676...@mxtoolbox.dmarc-report.com>,mailto:92ef88808ad6806@rep.
> dmarcanalyzer.com,mailto:yjgni...@ag.dmarcian.com;ruf=
> mailto:92ef88808ad6...@for.dmarcanalyzer.com,mailto:
> yjgni...@ag.dmarcian.com
> <92ef88808ad6...@rep.dmarcanalyzer.com,mailto:yjgni...@ag.dmarcian.com;ruf=mailto:92ef88808ad6...@for.dmarcanalyzer.com,mailto:yjgni...@ag.dmarcian.com>;
> sp=reject; fo=1;
>
> for all newly registered vanity domians and to authorize it in the master
> domain. Would this be best practice or do we need for every vanity domain
> also a valid SPF and/or DKIM record to be fully compliant. I did not find
> any guideline how to do this.
>
> Thank you
>
> Marc
> _______________________________________________
> dmarc-discuss mailing list
> dmarc-discuss@dmarc.org
> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>
> NOTE: Participating in this list means you agree to the DMARC Note Well
> terms (http://www.dmarc.org/note_well.html)
>
>
>
> _______________________________________________
> dmarc-discuss mailing list
> dmarc-discuss@dmarc.org
> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>
> NOTE: Participating in this list means you agree to the DMARC Note Well
> terms (http://www.dmarc.org/note_well.html)
>
_______________________________________________
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss
NOTE: Participating in this list means you agree to the DMARC Note Well terms
(http://www.dmarc.org/note_well.html)
