Based on a Debian 11 "Bullseye" environment.

OpenDMARC

DMARC uses the results of SPF and DKIM verification to prevent email spoofing.
OpenDMARC reads the SPF and DKIM verification result headers (already added by other milters) to determine what to do with a message.

Please note that milter-greylist and OpenDKIM (or equivalent applications) must be set up before this step.

Install

# apt install opendmarc

The installer will ask for the database configuration. MariaDB should already be set up, so let dbconfig-common configure the database.

  • A user 'opendmarc'@'localhost' will be created
  • MySQL application password can be left blank to automatically generate one
  • The database 'opendmarc' will be created

Configure

OpenDMARC

Cf. OpenDMARC official site
The configuration file is located at /etc/opendmarc.conf.

Change the socket location.

##  Socket socketspec
##      default (none)
##
##  Specifies the socket that should be established by the filter to receive
##  connections from sendmail(8) in order to provide service.  socketspec is
##  in one of two forms: local:path, which creates a UNIX domain socket at
##  the specified path, or inet:port[@host] or inet6:port[@host] which creates
##  a TCP socket on the specified port for the appropriate protocol family.
##  If the host is not given as either a hostname or an IP address, the
##  socket will be listening on all interfaces.  This option is mandatory
##  either in the configuration file or on the command line.  If an IP
##  address is used, it must be enclosed in square brackets.
#
Socket local:/var/spool/postfix/opendmarc/opendmarc.sock

Add some configurations to /etc/opendmarc.conf.

# Require RFC 5322 compliant headers
RequiredHeaders true

# Skip if authenticated
IgnoreAuthenticatedClients true

Create the socket directory, set its ownership, and add the postfix user to the opendmarc group so Postfix can reach the socket. Then restart OpenDMARC.

# mkdir /var/spool/postfix/opendmarc
# chown opendmarc:opendmarc /var/spool/postfix/opendmarc
# adduser postfix opendmarc
# systemctl restart opendmarc

milter-greylist

OpenDMARC needs the result of the SPF check. To add the "Authentication-Results" header with milter-greylist, follow the instructions in the milter-greylist article.

Postfix

Add the OpenDMARC milter after the milters that perform SPF and DKIM verification. Edit /etc/postfix/main.cf.

smtpd_milters =
 unix:/milter-greylist/milter-greylist.sock
 unix:/opendkim/opendkim.sock
 unix:/opendmarc/opendmarc.sock
 unix:/clamav/clamav-milter.ctl

Restart Postfix.

# systemctl restart postfix

Test

An email received from Gmail should now carry a DMARC verification result line.

Authentication-Results: mail.example.jp; dmarc=pass (p=none dis=none) header.from=gmail.com

Additional configuration

With the default configuration, a message is always accepted even if DMARC verification fails. You can use the Authentication-Results header to find out which check failed.
It is also possible to reject messages whenever verification fails. Edit /etc/opendmarc.conf as shown below.

##  RejectFailures { true | false }
##      default "false"
##
##  If set, messages will be rejected if they fail the DMARC evaluation, or
##  temp-failed if evaluation could not be completed.  By default, no message
##  will be rejected or temp-failed regardless of the outcome of the DMARC
##  evaluation of the message.  Instead, an Authentication-Results header
##  field will be added.
#
RejectFailures true  # Uncomment this line and change to true

To avoid unintentional rejects, enable this option after checking everything is working fine.
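
One way to do that check is to list the dmarc=fail verdicts in mail that has already been accepted. The script below is an added example, not part of the original article or of OpenDMARC; it assumes the authserv-id mail.example.jp from the sample header above, and every sample message after the first is constructed.

```python
import email
import re

# Assumption: the authserv-id this server writes, taken from the sample header above.
AUTHSERV_ID = "mail.example.jp"

# Matches: dmarc=<result> (p=<policy> dis=<disposition>) header.from=<domain>
DMARC_RE = re.compile(
    r"\bdmarc=(?P<result>\w+)"
    r"(?:\s*\((?P<comment>[^)]*)\))?"
    r"(?:\s+header\.from=(?P<domain>[^\s;]+))?"
)

def dmarc_results(raw_message, authserv_id=AUTHSERV_ID):
    """Return the DMARC verdicts that our own server recorded in one message."""
    verdicts = []
    msg = email.message_from_string(raw_message)
    for value in msg.get_all("Authentication-Results", []):
        value = " ".join(value.split())  # unfold continuation lines
        server, _, results = value.partition(";")
        # Senders can insert their own Authentication-Results headers, so only
        # headers stamped with our authserv-id are counted.
        if server.strip().split(" ")[0].lower() != authserv_id:
            continue
        m = DMARC_RE.search(results)
        if m:
            tags = dict(t.split("=", 1) for t in (m["comment"] or "").split() if "=" in t)
            verdicts.append({"result": m["result"].lower(), "domain": m["domain"],
                             "policy": tags.get("p"), "disposition": tags.get("dis")})
    return verdicts

def failures(raw_messages):
    """Collect every dmarc=fail verdict across a batch of messages."""
    return [v for raw in raw_messages for v in dmarc_results(raw) if v["result"] == "fail"]

# Constructed sample messages; only the first header line comes from the article.
SAMPLES = [
    "Authentication-Results: mail.example.jp; dmarc=pass (p=none dis=none) header.from=gmail.com\n"
    "From: a@gmail.com\n\nhello\n",
    "Authentication-Results: mail.example.jp;\n"
    " dmarc=fail (p=reject dis=none) header.from=bank.example\n"
    "Authentication-Results: mx.sender.example; dmarc=pass header.from=bank.example\n"
    "From: b@bank.example\n\nhello\n",
]

if __name__ == "__main__":
    for verdict in failures(SAMPLES):
        print(verdict)
```

Feed it the raw text of messages from a test mailbox; any failure listed for a sender you consider legitimate should be investigated before RejectFailures is set to true.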


Update History

2020-03-28

  • Add "IgnoreAuthenticatedClients" configuration

2021-09-19

  • Update to Bullseye version
  • Add "RequiredHeaders" and "RejectFailures" configurations

2021-09-26

  • Delete /etc/default/ part