
Deploying DMARC

The Halon platform has support for DMARC (Domain-based Message Authentication, Reporting and Conformance); the first widely deployed technology that can make the "From" header (what users see as the sender address in their e-mail clients) trustworthy.

Validation

Building upon our DKIM library, we were one of the first e-mail gateway products to incorporate DMARC validation. All users should consider enabling validation, as it will block messages whose From header address fakes a DMARC-protected domain such as "paypal.com" or "linkedin.com". DMARC is already widely deployed by domains that are being abused by scammers, and more companies join every day.

Sending reports

If you do DMARC validation, you can contribute by sending aggregated DMARC reports to those who are interested in receiving them. This will not improve your own system's DMARC accuracy, but it will help the community (that said, if you do not receive a lot of traffic, the burden of sending reports may outweigh the benefit to the community). We recommend using OpenDMARC's reporting tools, which can be integrated with your Halon e-mail security system using our import script. On your Halon system, enable syslog to a remote server, install OpenDMARC and our tool on that server, and schedule them to run daily using, for example, a logrotate script such as

/var/log/halon.log {
    daily
    postrotate
        # Make rsyslog reopen the rotated file, then feed yesterday's log
        # through the Halon converter into OpenDMARC and send the reports.
        reload rsyslog >/dev/null 2>&1
        opendmarc-halonlog < /var/log/halon.log.1 | opendmarc-import
        opendmarc-reports
        # Always exit 0 so a reporting failure does not fail the rotation.
        true
    endscript
}

Signing and receiving reports

DMARC is based on DKIM and SPF, in order to reuse as much existing infrastructure and configuration as possible. If you feel that your domain could be used by scammers, the process to start using DMARC signing is

  1. Enable SPF, which could be as simple as the TXT record v=spf1 +mx -all (but this depends on your current infrastructure)

    • Because bounces typically don't have DKIM signatures or an envelope sender address, consider adding SPF to your mail server's HELO name as well
  2. Enable DKIM signing for outbound messages

  3. Enable DMARC testing: a TXT record named _dmarc such as v=DMARC1; p=none; rua=mailto:[email protected] will allow you to see how many DMARC rejects you would produce without affecting deliveries

  4. If you're satisfied with the reports from your DMARC testing, change p=none to p=reject
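As an added illustration of the DMARC evaluation a validator performs (example code written for this article, not part of Halon's product or of OpenDMARC): it parses a _dmarc record like the one in step 3, applies relaxed or strict identifier alignment between the From domain and the domains that passed DKIM or SPF, and returns the disposition that the p= (or sp=) tag calls for. The two-label organizational-domain rule and all domain names are simplifying assumptions; a real validator uses the Public Suffix List and looks the record up at the subdomain first.

```python
from typing import List, Optional, Tuple

def parse_dmarc(record: str) -> dict:
    """Parse a _dmarc TXT record such as 'v=DMARC1; p=none; rua=mailto:...'
    into a tag dictionary, applying the RFC 7489 defaults for alignment."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record")
    return tags

def org_domain(domain: str) -> str:
    # Assumption for this example: the organizational domain is the last two
    # labels. A real validator consults the Public Suffix List (e.g. co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    f, a = from_domain.lower(), auth_domain.lower()
    return f == a if mode == "s" else org_domain(f) == org_domain(a)

def evaluate(record: str, from_domain: str, dkim_pass_domains: List[str],
             spf_pass_domain: Optional[str]) -> Tuple[str, str]:
    """Return (dmarc_result, disposition) for one message.
    dkim_pass_domains: d= domains of signatures that verified.
    spf_pass_domain:   the domain that passed SPF (envelope sender, or the
                       HELO name for bounces with an empty envelope sender).
    DMARC passes when either authenticated identifier aligns with From."""
    tags = parse_dmarc(record)
    dkim_ok = any(aligned(from_domain, d, tags["adkim"]) for d in dkim_pass_domains)
    spf_ok = spf_pass_domain is not None and aligned(from_domain, spf_pass_domain, tags["aspf"])
    if dkim_ok or spf_ok:
        return "pass", "none"
    policy = tags["p"]
    # Messages from a subdomain of the record's domain use sp= when present.
    if from_domain.lower() != org_domain(from_domain) and "sp" in tags:
        policy = tags["sp"]
    if policy not in ("none", "quarantine", "reject"):
        policy = "none"        # unknown policy value: do not act on it
    return "fail", policy

if __name__ == "__main__":
    # Constructed example: From example.com, DKIM-signed by a host under it,
    # under a p=none testing record like the one in step 3.
    print(evaluate("v=DMARC1; p=none; rua=mailto:dmarc@example.com",
                   "example.com", ["mail.example.com"], None))
```

With p=none the second element of the result is always "none", which is exactly why the testing phase in step 3 cannot affect deliveries; the aggregate reports show the "fail" results you would otherwise start rejecting in step 4.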

There are third-party tools that analyse the XML reports you receive, such as (no affiliation)