Using DMARC to reduce incoming email spam.
-
If you go to cPanel>>Domains>>Zone Editor You should see the ability to create a dmarc record for your domains, if you do not your provider may need to add this feature to your hosting plan 0 -
I'm of the understanding that Dmarc verifies to other email servers that your sending domain is legitimate. "A DMARC policy allows a sender to indicate that their messages are protected by DKIM, and tells a receiver what to do if neither of those authentication methods passes " such as junk or reject the message. DMARC removes guess work from the receiver"s handling of these failed messages, limiting or eliminating the user"s exposure to potentially fraudulent & harmful messages. DMARC also provides a way for the email receiver to report back to the sender about messages that pass and/or fail DMARC evaluation. " In other words, if someone is pretending to be you and spamming from a different server, then dmarc will help to reduce spam, however, it won't reduce spam hitting your server. I've no idea from your profile what level of operator you are. If you are a root admin, consider utilising custom RBL's in exim config. There are a number of options, but I don't think DMARC is one of them. But don't quote me on this :) 0 -
The OP is asking - How do I tell my MTA to respect DMARC records for other domains when receiving mail.
If that's the case then I believe some understanding of how this works with exim is necessary: [QUOTE=http://exim.org/exim-html-current/doc/html/spec_html/ch-dkim_spf_and_dmarc.html] By default, the DMARC processing will run for any remote, non-authenticated user. It makes sense to only verify DMARC status of messages coming from remote, untrusted sources. You can use standard conditions such as hosts, senders, etc, to decide that DMARC verification should *not* be performed for them and disable DMARC with an ACL control modifier:control = dmarc_disable_verify
This is the default config nothing should need to be done.0 -
Hi cPanelLauren This is the default config nothing should need to be done.
Can you please clarify this statement. It is my understanding that DMARC must be compiled into Exim first and it is apparently not included in a default cPanel / WHM / CentOS / CloudLinux build according to this test: #exim -bV Support for: crypteq iconv() IPv6 PAM Perl OpenSSL Content_Scanning DANE DKIM DNSSEC Event I18N OCSP PIPE_CONNECT PRDR SPF Experimental_SRS Notably missing from that list of acronyms is DMARC. A related Feature Request is here: Enable DMARC support on exim Are you suggesting that the Feature Request is not required as the feature already exists ?0 -
I spoke with the email development team and confirmed the feature request is still valid, but not something that is currently on the radar due to the work with Mail Node and Ubuntu support. 0 -
DMARC is designed to reduce spam and phishing attacks, but only from the viewpoint of an email sender. Senders of email can protect their domains from being used as phishing targets. 0 -
Hi pintudason I am not clear on the purpose of your post, but I think the point of the thread has been missed. [QUOTE]DMARC is designed to reduce spam and phishing attacks, but only from the viewpoint of an email sender.
Designed to help reduce bad email is accurate, but I would disagree on the viewpoint. DMARC is a policy deployment and management tool. It is controlled by a domain owner. It is to provide the domain owner with the opportunity to advise email receivers of the appropriate tests and actions a receiving server should take when receiving an email purporting to be from the owners domain. DMARC is very much about both sending and receiving email. [QUOTE]Senders of email can protect their domains from being used as phishing targets.
CPanel servers are configured to tell remote servers all about DMARC via the DNS server for the domains hosted on that server. That is a DNS configuration not Email. However, Exim Mail Server on CPanel is NOT configured to inspect DMARC settings when receiving email for any domains, remote or local. Exim on CPanel will NOT prevent spoofed email being received and accepted regardless of the DMARC settings of the spoofed domain. Clearly, if a domain owner hosts email on a CPanel Server, then "Senders of email CANNOT protect their domains from being used as phishing targets." Disappointingly, CPanel servers / Exim mail are not checking any DMARC settings when receiving email and do not have the tools available to do so. For anyone reading this thread, please upvote the Feature Request here:0 -
By Feb 2024, SPF, DKIM, and DMARC with p=quarantine or p=reject will be required for all emails sent to Gmail and Yahoo. cPanel should be working towards enforcing the same policies. When the vast majority of spam is eliminated, SMTP will finally have a chance to compete vs social media and other proprietary instant messaging.
https://www.litmus.com/blog/new-yahoo-gmail-email-deliverability-rules
0 -
The second paragraph of that says "If you send more than 5,000 daily emails". so this will apply to some, but not all domains.
1 -
Correct, but it's a best practice either way, especially if you want to protect against phishing. Plus it's also required for BIMI logos, which every marketing department or small business owner or even individuals should love as they're equivalent to social media avatars. And my bet is that eventually it will be required for all senders regardless of their volume.
Anyhoo my point was that cPanel needs to enact the same policies to help SMTP compete and be a better protocol.
Also it seems that many people are confusing the original topic with DMARC for their outbound emails, but this is about protection against incoming spam, which is why it's important for the receiving SMTP server to require DMARC with p=quarantine or ideally p=reject.
0
Please sign in to leave a comment.
Comments
10 comments