plugin announcement: DMARC

Fri, 26 Apr 2013 01:39:17 -0700 

NAME
       Domain-based Message Authentication, Reporting and Conformance

SYNOPSIS
       DMARC: an extremely reliable means to authenticate email.

DESCRIPTION
       From the DMARC Draft: "DMARC operates as a policy layer atop DKIM and
       SPF. These technologies are the building blocks of DMARC as each is
       widely deployed, supported by mature tools, and is readily available to
       both senders and receivers. They are complementary, as each is
       resilient to many of the failure modes of the other."

       DMARC provides a way to exchange authentication information and
       policies among mail servers.

       DMARC benefits domain owners by preventing others from impersonating
       them. A domain owner can reliably tell other mail servers that "if it
       doesn't originate from this list of servers (SPF) and it is not signed
       (DKIM), then reject it!" DMARC also provides domain owners with a means
       to receive feedback and determine that their policies are working as
       desired.

       DMARC benefits mail server operators by providing them with an
       extremely reliable (as opposed to DKIM or SPF, which both have
       reliability issues when used independently) means to block forged
       emails. Is that message really from PayPal, Chase, Gmail, or Facebook?
       Since those organizations, and many more, publish DMARC policies,
       operators have a definitive means to know.


Instructions on how to use the plugin, how to deploy DMARC to protect ones own 
domains, and more is included as POD in the plugin.

Available in the qpsmtpd-dev repo:

        https://github.com/qpsmtpd-dev/qpsmtpd-dev/blob/master/plugins/dmarc


As contrasted to most qpsmtpd plugins, DMARC provides an extremely reliable 
basis for message rejection. Better still, it's based on the published policies 
of the domain the message purports to be from (in the From: header), making it 
complementary to SPF, which checks the Envelope FROM sender.  

If you find that SpamAssassin isn't catching all the forged @google.com emails 
that the Win bots are sending, this plugin will do the trick. It'll also stop 
all the forged [a-z]{6}@yahoo.com spams those senders haven't made it onto a 
DNSBL yet.  The largest *legitimate* email senders have deployed DMARC records. 
 And now I have too. :-)

Matt

Reply via email to