Fight against spam part 3 – Postfix DMARC

Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email validation system designed to detect and prevent email spoofing. It provides a mechanism which allows a receiving organization to check that incoming mail from a domain is authorized by that domain’s administrators and that the email (including attachments) has not been modified during transport – Wikipedia


This is a continuation of the series on fighting spam when you self-host your mail server, which in this case should be Postfix. Previously we finished the configuration of SPF and DKIM.


Install the needed package:

Configure it with a basic configuration:

But that's not all, let's create a folder:

And add the host that will be excluded from scanning – us!?!

Assuming we followed the previous post about fighting spam, we should have DKIM on port 12301, so we can use port 54321 for DMARC:

Let us start opendmarc to make sure we don't have any typos in the configuration file:


We need to enable support for this technique in Postfix:

Remember that smtpd_milters and non_smtpd_milters were previously configured for DKIM, so now we have two values, the second being DMARC 🙂

Reload Postfix so it can use DMARC:


Since DMARC uses DKIM and SPF, we will have to add another TXT record to our DNS. The Internet is full of DMARC wizards that create different configurations; for now we can use the one provided here:
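Whichever record you end up with, it is worth checking its syntax before publishing it at `_dmarc.<your domain>`. The following Python check is an added example, not part of the original post; the sample record and the example.com address are constructed, and only `mailto:` report addresses are accepted.

```python
import re

POLICIES = {"none", "quarantine", "reject"}
# mailto: URI with the optional "!10m" size limit that DMARC allows
MAILTO = re.compile(r"mailto:[^@\s,!]+@[^@\s,!]+(!\d+[kmgt]?)?$", re.I)

def parse_dmarc(txt):
    """Split a DMARC TXT value into ordered (tag, value) pairs."""
    pairs = []
    for part in txt.split(";"):
        if part.strip():
            tag, _, value = part.partition("=")
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def check_dmarc(txt):
    """Return (errors, warnings) for one DMARC TXT record value."""
    pairs = parse_dmarc(txt)
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return ["record must start with v=DMARC1"], []
    errors, warnings = [], []
    tags = dict(pairs)
    if len(tags) != len(pairs):
        errors.append("duplicate tag")
    if tags.get("p", "").lower() not in POLICIES:
        errors.append("p= must be none, quarantine or reject")
    if "sp" in tags and tags["sp"].lower() not in POLICIES:
        errors.append("sp= must be none, quarantine or reject")
    for tag in ("adkim", "aspf"):
        if tag in tags and tags[tag].lower() not in ("r", "s"):
            errors.append(f"{tag}= must be r or s")
    pct = tags.get("pct")
    if pct is not None and not (pct.isascii() and pct.isdigit() and int(pct) <= 100):
        errors.append("pct= must be an integer from 0 to 100")
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if not MAILTO.match(uri):
                errors.append(f"{tag}= address is not a mailto: URI: {uri}")
    if not tags.get("rua"):
        warnings.append("no rua=: receivers have nowhere to send aggregate reports")
    return errors, warnings

if __name__ == "__main__":
    # Constructed sample record; example.com is a placeholder domain.
    sample = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; pct=100"
    print(check_dmarc(sample))
```

A record without `rua=` is still valid, but it is reported as a warning because no receiver will send aggregate reports for the domain.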


Normally a lot of people end the configuration here, but that is not a fully implemented DMARC. They forget about exchanging reports between mail servers. This is how we can fix that:

These lines are in schema.mysql but are commented out; just uncomment them so that we create a proper user for opendmarc:

Read and execute the schema:

Create a script that will make the reports for us:

We need to add that script to cron so that it runs multiple times:


It is good practice to view the reports that we send to external mail servers; we will achieve this in Postfix this way:

Just one more restart of the service and we are ready to go:


To test DMARC we need to send an email from our server to an external server that supports DMARC, and then send one from there back to us. For example, GMail does support this.

In the mail headers there should be a DMARC header. But remember to delete the debug header from the configuration after checking that our configuration works all right:

Quick restart:



Other posts related to this topic:

Postfix and Dovecot – perfect duo for mail server

Fight against spam part 1 – Postfix SPF

Fight against spam part 2 – Postfix DKIM

Fight against spam part 4 – Postfix SpamAssassin

Fight against spam part 5 – Dovecot Sieve


