NAME

Mail::Milter::Authentication::Handler::DMARC - Handler class for DMARC

VERSION

version 3.20241024

DESCRIPTION

Module implementing the DMARC standard checks.

This handler requires the SPF and DKIM handlers to be installed and active.

CONFIGURATION

"DMARC" : {                                        | Config for the DMARC Module
                                                   | Requires DKIM and SPF
    "hard_reject"           : 0,                   | Reject mail which fails with a reject policy
    "no_reject_disposition" : "quarantine",        | What to report when hard_reject is 0
    "no_list_reject"        : 0,                   | Do not reject mail detected as mailing list
    "arc_before_list"       : 0,                   | Do not apply the above list detection if we have trusted ARC results
    "no_list_reject_disposition" : "none",         | Disposition to use for mail detected as mailing list (defaults none)
    "reject_on_multifrom"     : 20,                | Reject mail if we detect more than X DMARC entities to process
    "quarantine_on_multifrom" : 15,                | Quarantine mail if we detect more than X DMARC entities to process
    "strict_multifrom"        : 1,                 | If set, reject/quarantine (based on hard_reject) when there are multiple
                                                   | rfc5322 domains present. DMARC processing/reporting will continue as usual
                                                   | as defined by *_on_multifrom settings above.
    "skip_on_multifrom"       : 10,                | Skip further processing if we detect more than X DMARC entities to process
    "whitelisted"           : [                    | A list of IP addresses, CIDR ranges, or DKIM domains for which
        "10.20.30.40",                             | mail that fails DMARC with p=reject is not hard rejected.
        "dkim:bad.forwarder.com",                  | (Valid) DKIM signing domains can also be whitelisted by
        "20.30.40.0/24"                            | having an entry such as "dkim:domain.com"
    ],
    "policy_rbl_lookup"     : {                    | Optionally lookup the from domain in a rbl and add a policy entry
      "foo" : {                                    | the policy to add, this will translate to policy.foo 
        "rbl" : "foo.rbl.example.com",             | The RBL to use for this lookup
        "results" : {                              | Mapping of rbl results to policy entries
          "127.0.0.1" : "one",                     | An RBL result of this IP gives the corresponding policy entry
          "127.0.0.2" : "two",
          "*" : "star"                             | Fallback to the '*' entry if not found.
                                                   |   defaults to 'pass' if no entries and no fallback found
        }
      }
    },
    "use_arc"             : 1,                     | Use trusted ARC results if available
    "hide_none"           : 0,                     | Hide auth line if the result is 'none'
    "detect_list_id"      : "1",                   | Detect a list ID and modify the DMARC authentication header
                                                   | to note this, useful when making rules for junking email
                                                   | as mailing lists frequently cause false DMARC failures.
    "report_skip_to"     : [                       | Do not send DMARC reports for emails to these addresses.
        "dmarc@yourdomain.com",                    | This can be used to avoid report loops for email sent to
        "dmarc@example.com"                        | your report-from addresses.
    ],
    "report_suppression_list" : "rbl.example.com", | RBL used to look up Org domains for which we want to suppress reporting
    "report_suppression_email_list" : "rbl.examp", | RBL used to look up hashed email addresses for which we want to suppress reporting
    "no_report"          : "1",                    | If set then we will not attempt to store DMARC reports.
    "hide_report_to"     : "1",                    | If set, remove envelope_to from DMARC reports
    "config_file"        : "/etc/mail-dmarc.ini"   | Optional path to dmarc config file
},

AUTHOR

Marc Bradshaw <marc@marcbradshaw.net>

COPYRIGHT AND LICENSE

This software is copyright (c) 2020 by Marc Bradshaw.

This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself.