Fight against spam part 3 – Postfix DMARC

Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email validation system designed to detect and prevent email spoofing. It provides a mechanism which allows a receiving organization to check that incoming mail from a domain is authorized by that domain’s administrators and that the email (including attachments) has not been modified during transport – Wikipedia


This is a continuation of the series about fighting spam when you self-host your mail server, which in this case should be Postfix. Previously we finished the configuration of SPF and DKIM.


Install the required package:

apt-get install opendmarc

Give it a basic configuration:

#vim /etc/opendmarc.conf

PidFile /var/run/ #Debian default
RejectFailures false
Syslog true
UMask 0002
UserID opendmarc:opendmarc
IgnoreHosts /etc/opendmarc/ignore.hosts
HistoryFile /var/run/opendmarc/opendmarc.dat
#only for debugging we can add the line below
SoftwareHeader true

But that's not all, let's create a folder:

mkdir /etc/opendmarc/

And add the host that will be excluded from scanning – us!

#vim /etc/opendmarc/ignore.hosts


Assuming we followed the previous post about fighting spam, we should have DKIM on port 12301, so we can use port 54321 for DMARC:

#vim /etc/default/opendmarc

Let us start opendmarc to make sure there are no typos in the configuration file:

/etc/init.d/opendmarc start


We need to enable support for this technique in Postfix:

#vim /etc/postfix/


Remember that smtpd_milters and non_smtpd_milters were previously configured for DKIM, so now each has two values, the second being DMARC 🙂

Reload Postfix so it can use DMARC:

/etc/init.d/postfix reload


Since DMARC builds on DKIM and SPF, we have to add another TXT record to our DNS. The Internet is full of DMARC wizards that generate different configurations; for now we can use the one provided here: TXT "v=DMARC1; p=quarantine;;; fo=0; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400"
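Before publishing the record it is worth checking that it parses the way a receiver will read it. The following Python linter is an added example, not part of the original post; it follows the tag rules of RFC 7489, skips empty segments such as the ";;;" run, and its function names and the second sample record are constructed for illustration:

```python
"""Lint a DMARC TXT record (tag names and value rules per RFC 7489)."""

POLICIES = {"none", "quarantine", "reject"}
ALLOWED = {"p": POLICIES, "sp": POLICIES, "adkim": {"r", "s"}, "aspf": {"r", "s"}}


def parse_dmarc(record):
    """Split a record into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        part = part.strip()
        if not part:  # empty segment between two semicolons
            continue
        tag, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"not a tag=value pair: {part!r}")
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs


def lint_dmarc(record):
    """Return (tags, problems) for a DMARC record string."""
    pairs = parse_dmarc(record)
    tags = dict(pairs)
    problems = []
    if len(tags) != len(pairs):
        problems.append("duplicate tag")
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("v=DMARC1 must be the first tag")
    if "p" not in tags:
        problems.append("missing required p= policy")
    for tag, allowed in ALLOWED.items():
        if tag in tags and tags[tag].lower() not in allowed:
            problems.append(f"{tag}={tags[tag]} is not one of {sorted(allowed)}")
    pct = tags.get("pct", "100")
    if not pct.isdecimal() or int(pct) > 100:
        problems.append(f"pct={pct} must be an integer from 0 to 100")
    if "rua" not in tags:
        problems.append("no rua= address: receivers have nowhere to send aggregate reports")
    return tags, problems


# First record copied from the post as shown; the second is constructed for the demo.
PAGE_RECORD = "v=DMARC1; p=quarantine;;; fo=0; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400"
BROKEN_RECORD = "p=rejct; v=DMARC1; pct=150"

if __name__ == "__main__":
    for rec in (PAGE_RECORD, BROKEN_RECORD):
        print(rec, "->", lint_dmarc(rec)[1] or "ok")
```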


Normally a lot of people end the configuration here, but that is not a fully implemented DMARC. They forget about exchanging reports between mail servers. This is the way we can fix this:

#vim /usr/share/doc/opendmarc/schema.mysql
CREATE USER 'opendmarc'@'localhost' IDENTIFIED BY 'changeme';
GRANT ALL ON opendmarc.* to 'opendmarc'@'localhost';

Those lines are in schema.mysql but are commented out; just uncomment them so that a proper user is created for opendmarc.

Read and execute schema:

mysql -u root -p < schema.mysql

Create a script that will generate the reports for us:

#vim /etc/opendmarc/report_script



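# WORK_DIR, DB_SERVER, DB_USER, DB_PASS, DB_NAME, REPORT_EMAIL and REPORT_ORG must be set before this point

# Rotate the history file so that each result is imported only once
mv -f "${WORK_DIR}/opendmarc.dat" "${WORK_DIR}/opendmarc_import.dat"
cat /dev/null > "${WORK_DIR}/opendmarc.dat"

# Import the history into the database, send the aggregate reports, then expire old records
/usr/sbin/opendmarc-import --dbhost="${DB_SERVER}" --dbuser="${DB_USER}" --dbpasswd="${DB_PASS}" --dbname="${DB_NAME}" --verbose < "${WORK_DIR}/opendmarc_import.dat"
/usr/sbin/opendmarc-reports --dbhost="${DB_SERVER}" --dbuser="${DB_USER}" --dbpasswd="${DB_PASS}" --dbname="${DB_NAME}" --verbose --interval=86400 --report-email "$REPORT_EMAIL" --report-org "$REPORT_ORG"
/usr/sbin/opendmarc-expire --dbhost="${DB_SERVER}" --dbuser="${DB_USER}" --dbpasswd="${DB_PASS}" --dbname="${DB_NAME}" --verbose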

We need to add the script to cron so that it runs regularly:

chmod +x /etc/opendmarc/report_script

# first test the script before adding it to cron
su -c "/etc/opendmarc/report_script" -s /bin/bash opendmarc

#vim /etc/crontab

1 0 * * * opendmarc /etc/opendmarc/report_script


It is good practice to review the reports that we send to external mail servers. We can achieve this in Postfix this way:

#vim /etc/postfix/

sender_bcc_maps = hash:/etc/postfix/bcc_map

#vim /etc/postfix/bcc_map

postmap /etc/postfix/bcc_map

Just one more restart of the service and we are ready to go:

/etc/init.d/postfix restart


To test DMARC we need to send an email from our server to an external server that supports DMARC, and then send one from there back to us. For example, Gmail supports this.

In the mail headers there should be a DMARC header. But remember to remove the debug header from the configuration after checking that our setup works correctly:

#vim /etc/opendmarc.conf

#SoftwareHeader true

Quick restart:

/etc/init.d/opendmarc restart



Other posts related to this topic:

Postfix and Dovecot – perfect duo for mail server

Fight against spam part 1 – Postfix SPF

Fight against spam part 2 – Postfix DKIM

Fight against spam part 4 – Postfix SpamAssassin

Fight against spam part 5 – Dovecot Sieve

