this post was submitted on 01 Jun 2025
5 points (100.0% liked)

Australian Tech

202 readers
1 users here now

For techs and techy stuff.

founded 1 year ago
MODERATORS
lodion@aussie.zone
5
Reject mail that does not have a DMARC policy enabled (aussie.zone)
submitted 3 weeks ago by maniacalmanicmania@aussie.zone to c/austech@aussie.zone
2 comments fedilink hide all child comments
 

I'm crossposting this in case any locals know how to do this. I'm at a loss.

cross-posted from: https://aussie.zone/post/21115161

How can I reject mail that does not have a DMARC policy enabled? Using Postfix 3.6.4 and OpenDMARC 1.4.2.

you are viewing a single comment's thread
view the rest of the comments
[โ€“] Jerry@feddit.online 6 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

Some points:

  1. Many companies still send email without DMARC policies in their DNS. You'd be throwing away emails you ought to read.
  2. Why just no DMARC? Why aren't you also wanting to toss DMARC policies of p=none? What's the difference between, "I don't care, so I didn't set up a DMARC policy" and "I set up a DMARC policy so people stop complaining, but I turned it off because I don't care?" The result, for you, is identical. Spoofed emails will get delivered.
  3. A policy of p=quarantine is almost as bad. So spoofed email ends up in the spam folder along with a bunch of email that isn't a problem. We've been trained to not trust spam folders.
  4. If it isn't a policy of "reject" the email just can't be trusted is the bottom line.
  5. A lot of spam comes in from domains with a DMARC policy, even with a reject policy because the email passes the SPF check because it came from either their own email server or a compromised one or passes DKIM checks.

Your idea of tossing email without DMARC will not give you the results you hope for. You'll miss important emails, and you'll still get a steady flow of spam.

BTW, an extremely well-known cybersecurity expert's newsletter (Brian Krebs) goes out from a domain that is missing a DMARC policy! This just shows how not used it is.

I have checks in my email client and I put red tags on emails that aren't p=reject or that fail SPF or DKIM checks, so I'm extra careful. This is better than just tossing email with no DMARC policy.

I know this doesn't answer your question, but maybe you should think about whether you really want to do this.

[โ€“] voracitude@lemmy.world 1 points 2 weeks ago* (last edited 2 weeks ago)

Okay, something I don't get. Why is setting a specific DMARC policy more effective or desired than always strictly checking that SPF and DKIM pass on the receiving end? Gotta have both of those set up anyway for DMARC to pass, and the advice to small business owners from Big Tech in 2025 is still that DMARC isn't mandatory for "small senders" (less than 1000 emails a month I think is he criterion). DMARC just seems like extra cruft, if it requires SPF and DKIM to be aligned in order for your email to pass it when everything is properly configured.

Edit: I should make clear as well, I understand DMARC has uses other than setting the policy, but since we're talking about the policy specifically I'm playing devil's advocate a bit. Though I am honestly not sure I understand the argument for requiring DMARC on the sender's end to tell you how to handle their mail in the event of authentication failure, instead of simply requiring strict alignment for SPF and DKIM specifically in your spam filter settings.