Re: [exim] DMARC DKIM ?????

Author: Todd Lyons
Date:  
CC: exim-users
Subject: Re: [exim] DMARC DKIM ?????
On Mon, Oct 28, 2013 at 10:13 PM, eximmail <eximmail@???> wrote:
> OK so my server hosts several domains. I have successfully set up DKIM and
> everyone is passing using the main server as the outgoing SMTP.
> The problem I am having is that the DMARC fails for all domains but the main
> server.
> What I want to do is send from main.server.com and have user@???
> pass the DMARC and all searches have failed for a simple fix for a simple
> idiot. Everything found is for Debian and others. I have tried some to no
> satisfaction.
> I am running Exim 4.80.1, Dovecot on SUSE 12.3. I am at wits' end; can anyone
> shed some light or suggest a how-to to make this work? (or even a good tut
> for a dummy's "R" us)


One of the nice things about DMARC is that for simple sender use, you
really don't have to do anything to your mail server other than
configure DKIM signing for the correct domain. You configure DNS
records for the domain that you want to assert reputation
control/feedback over (SPF, DKIM, DMARC) and that's it.

You obfuscated your domains, so it's impossible for us to give you
much more than educated guesses and generic feedback:

1. Configure your mail server to DKIM sign emails from whatever.com
with a selector in whatever.com. (DKIM "alignment" means that the
header From and the dkim signature are in the same domain).
2. Create and set DMARC record for whatever.com in public DNS.
3. Make sure to set a ruf in that DMARC record to send feedback to
whatever email address you will use to look over those feedback (ARF
formatted, XML) emails. It usually takes a day or two for your new
dmarc records to generate enough messages for feedback to start coming
in from the big providers. [2]
4. Fix any SPF or DKIM signing issues that you see in those emails
(results shown in [2])
5. If failures come from IPs you don't control, then: a) the customer
is maybe sending from another mail server, b) someone is spoofing your
sender domain. ([2] gives a good view of how much of that is
misconfiguration versus spoofing attempts)

[1] A good overview is at
https://support.google.com/a/answer/2466563?hl=en and a good record
creator is http://kitterman.com/dmarc/assistant.html
[2] Consider creating an account at dmarcian.com or dmarcanalyzer.com
(both are free for small volume below some threshold) to see summaries
of

Configuring your Exim server to be a site that checks DMARC and can
make decisions based on policy results requires an upgrade to Exim
4.82, install opendmarc libraries, rebuild with Experimental_DMARC
enabled, and add a few config settings. Configuring your Exim server
to collect statistics on dmarc and sends it out to those who request
it requires the same as checking DMARC but will have more config
options required as well as setting up a database and some cron jobs.

...Todd
--
The total budget at all receivers for solving senders' problems is $0.
If you want them to accept your mail and manage it the way you want,
send it the way the spec says to. --John Levine
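
Added example (not part of Todd Lyons's message or of Exim): a small Python check of the DKIM alignment rule from step 1, comparing the header From domain with each signature's `d=` tag. The sample messages are constructed, and `org_domain` is a simplifying assumption (last two labels) where real DMARC evaluators use the Public Suffix List.

```python
import email
from email.utils import parseaddr

# Constructed sample: header From is in whatever.com, but the signature was made
# for the sending host's domain (the situation described in the quoted question).
SAMPLE_MISALIGNED = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=main.server.com;\n"
    "\ts=mail; h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED\n"
    "From: User <user@whatever.com>\n"
    "To: someone@example.net\n"
    "Subject: test\n"
    "\n"
    "body\n"
)
SAMPLE_ALIGNED = SAMPLE_MISALIGNED.replace("d=main.server.com", "d=whatever.com")

def org_domain(domain):
    """Assumption: organizational domain = last two labels.
    Real DMARC evaluators consult the Public Suffix List instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dkim_domains(msg):
    """Return the d= tag of every DKIM-Signature header in the message."""
    found = []
    for value in msg.get_all("DKIM-Signature", []):
        unfolded = "".join(value.split())  # drop folding whitespace
        tags = dict(t.split("=", 1) for t in unfolded.split(";") if "=" in t)
        if "d" in tags:
            found.append(tags["d"].lower())
    return found

def dkim_alignment(raw, strict=False):
    """Map each signing domain to whether it aligns with the header From domain.
    Checks alignment only; DMARC also needs the signature itself to verify."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    results = {}
    for d in dkim_domains(msg):
        if strict:
            results[d] = d == from_domain
        else:
            results[d] = org_domain(d) == org_domain(from_domain)
    return from_domain, results

if __name__ == "__main__":
    for label, raw in (("misaligned", SAMPLE_MISALIGNED), ("aligned", SAMPLE_ALIGNED)):
        print(label, dkim_alignment(raw))
```

A signature from a subdomain such as `mail.whatever.com` aligns in relaxed mode but not when the DMARC record asks for strict DKIM alignment, which the `strict=True` argument models.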