Deploying DMARC

Posted on February 21, 2023

Prerequisites

  • FreeBSD 12.4
  • DKIM already deployed

Installing the milter

pkg install -y opendmarc
sysrc opendmarc_enable=YES
sysrc opendmarc_socketspec=local:/var/run/opendmarc/socket

/usr/local/etc/mail/opendmarc.conf

--- opendmarc.conf.sample       2024-01-16 04:50:56.000000000 +0900
+++ opendmarc.conf      2024-02-20 15:15:37.950471878 +0900
@@ -25,7 +25,7 @@
 ##  provided, the name of the host running the filter (as returned by the
 ##  gethostname(3) function) will be used.
 #
-# AuthservID name
+AuthservID mail.example.net

 ##  AuthservIDWithJobID { true | false }
 ##     default "false"
@@ -127,7 +127,7 @@
 ##  This list will be concatenated with DomainWhitelist (if provided).
 ##
 #
-# DomainWhitelistFile /usr/local/etc/opendmarc/whitelist.domains
+DomainWhitelistFile /usr/local/etc/mail/opendmarc-whitelist.domains

 ##  DomainWhitelistSize
 ##     default 3000
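Review bot: DomainWhitelistFile exempts the listed domains from DMARC evaluation, and the whitelist file shown later in this post lists example.com and mail.example.com, the very domains the zone publishes p=reject for. If opendmarc matches this list against the RFC 5322 From: domain (check opendmarc.conf(5) for the installed version), mail arriving from outside with a forged From: in those domains would skip the reject; the list should hold third-party domains whose mail must be accepted despite failing DMARC, not the local ones.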
@@ -166,7 +166,7 @@
 ##  purported sender of the message has requested such reports.  Reports are
 ##  formatted per RFC6591.
 #
-# FailureReports false
+FailureReports true

 ##  FailureReportsBcc (string)
 ##     default (none)
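Review bot: FailureReports true makes this host mail a copy of every failing message (RFC 6591 format, as the context lines say) to whatever ruf= address the sender's domain publishes, so message content leaves the site to third parties and the server generates one outbound report per failure; combined with RejectFailures true further down, that is one report per rejected spoof. Keep it false unless that data flow is intended, and if it stays on, make sure FailureReportsSentBy is an address the MTA can actually send from.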
@@ -177,7 +177,7 @@
 ##  If no request is made, they address(es) are used in a To: field.  There
 ##  is no default.
 #
-# FailureReportsBcc postmaster@example.coom
+FailureReportsBcc postmaster@example.net

 ##  FailureReportsOnNone { true | false }
 ##     default "false"
@@ -198,7 +198,7 @@
 ##  email address.  "postmaster" is used in place of the userid if a name
 ##  could not be determined.
 #
-# FailureReportsSentBy USER@HOSTNAME
+FailureReportsSentBy noreply-dmarc-report@example.net

 ##  HistoryFile path
 ##     default (none)
@@ -211,7 +211,7 @@
 ##  rather periodically imported into a relational database from which the
 ##  aggregate reports can be extracted by a tool such as opendmarc-import(8).
 #
-# HistoryFile /var/run/opendmarc.dat
+HistoryFile /var/run/opendmarc/opendmarc.dat

 ##  HoldQuarantinedMessages { true | false }
 ##     default "false"
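Review bot: HistoryFile is placed under /var/run, which FreeBSD's rc.d/cleanvar purges at boot, so any aggregate data not yet imported with opendmarc-import is lost on every reboot; a location such as /var/db/opendmarc is safer unless imports run often enough for that not to matter. Either way the directory has to exist and be writable by the account set with UserID at the end of this diff.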
@@ -232,7 +232,7 @@
 ##  If set, causes mail from authenticated clients (i.e., those that used
 ##  SMTP AUTH) to be ignored by the filter.
 #
-# IgnoreAuthenticatedClients false
+IgnoreAuthenticatedClients true

 ## HoldQuarantinedMessages { true | false }
 ##     default "false"
@@ -256,7 +256,7 @@
 ##  connections are to be ignored by the filter.  If not specified, defaults
 ##  to "127.0.0.1" only.
 #
-# IgnoreHosts /usr/local/etc/opendmarc/ignore.hosts
+IgnoreHosts /usr/local/etc/mail/opendmarc-ignore.hosts

 ##  IgnoreMailFrom domain[,...]
 ##     default (none)
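Review bot: IgnoreHosts replaces the 127.0.0.1-only default described in the context, so the file must list the loopback addresses itself (the one shown later does), and every host in 192.168.1.0/24 and 2001:db8:1::/64 then bypasses the filter entirely. Keep those ranges to the trusted relays; any machine inside them can send mail with any From: domain through this host unchecked.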
@@ -281,7 +281,7 @@
 ##  Specifies the path to a file that should be created at process start
 ##  containing the process ID.
 #
-# PidFile /var/run/opendmarc.pid
+PidFile /var/run/opendmarc/pid

 ##  PublicSuffixList path
 ##     default (none)
@@ -315,7 +315,7 @@
 ##  evaluation of the message.  Instead, an Authentication-Results header
 ##  field will be added.
 #
-# RejectFailures false
+RejectFailures true

 ##  RejectMultiValueFrom { true | false }
 ##     default "false"
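Review bot: RejectFailures true moves straight to enforcement; with it off, per the context lines, only an Authentication-Results header is added, which is the right state for a monitoring period while the DKIM results (TrustedAuthservIDs below) and self-validated SPF are confirmed from the Syslog output. Once on, forwarded mail and mailing-list traffic from p=reject domains is refused at SMTP time, so review the logs before flipping it.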
@@ -358,7 +358,7 @@
 ##  either in the configuration file or on the command line.  If an IP
 ##  address is used, it must be enclosed in square brackets.
 #
-# Socket inet:8893@localhost
+Socket local:/var/run/opendmarc/socket

 ##  SoftwareHeader { true | false }
 ##     default "false"
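Review bot: Socket matches the opendmarc_socketspec set with sysrc above and the S= of the sendmail X line, which is necessary because the rc script passes its socket spec on the command line and a command-line value overrides the one in this file; keep the three in sync. UMask is left unset in this diff, so check that sendmail can connect to the socket opendmarc creates under /var/run/opendmarc.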
@@ -377,7 +377,7 @@
 ##  message.  This is useful if you want the filter to perform SPF checks
 ##  itself, or because you don't trust the arriving header.
 #
-# SPFIgnoreResults false
+SPFIgnoreResults true

 ##  SPFSelfValidate { true | false }
 ##     default false
@@ -390,14 +390,14 @@
 ##  is also set, it never looks for SPF results in headers and
 ##  always performs the SPF check itself when this is set.
 #
-# SPFSelfValidate false
+SPFSelfValidate true

 ##  Syslog { true | false }
 ##     default "false"
 ##
 ##  Log via calls to syslog(3) any interesting activity.
 #
-# Syslog false
+Syslog true

 ##  SyslogFacility facility-name
 ##     default "mail"
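Review bot: SPFSelfValidate true together with SPFIgnoreResults true above makes opendmarc the only SPF evaluator, so it only works when the package was built with SPF support (libspf2); confirm with opendmarc -V, which lists the active code options, before relying on SPF alignment. With the strict adkim=s published in the zone later, SPF is what carries mail signed under a subdomain, so a missing SPF implementation turns into rejections once RejectFailures is on.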
@@ -416,7 +416,7 @@
 ##  with a comma.  The key word "HOSTNAME" will be replaced by the name of
 ##  the host running the filter as reported by the gethostname(3) function.
 #
-# TrustedAuthservIDs HOSTNAME
+TrustedAuthservIDs mail.example.net,mail2.example.net

 ##  UMask mask
 ##     default (none)
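Review bot: TrustedAuthservIDs must be exactly the authserv-id strings the DKIM milter writes into its Authentication-Results header (the AuthservID of opendkim on each listed host); any mismatch silently discards the DKIM result and, with RejectFailures true, mail that only aligns via DKIM gets rejected. Also make sure inbound Authentication-Results headers carrying these two ids are stripped before opendmarc runs (opendkim's RemoveARFrom does this), otherwise a sender can inject dkim=pass under a trusted id.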
@@ -437,4 +437,4 @@
 ##  The process will be assigned all of the groups and primary group ID of
 ##  the named userid unless an alternate group is specified.
 #
-# UserID opendmarc
+UserID mailnull:mailnul
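Review bot: the group in UserID mailnull:mailnul is misspelled; FreeBSD's group is mailnull, and opendmarc refuses to start when the group cannot be resolved. Running as sendmail's mailnull instead of the port's dedicated opendmarc account (the commented default) is a choice, not a requirement; whichever account is used must own /var/run/opendmarc so the socket, pid file and HistoryFile above can be created.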

/usr/local/etc/mail/opendmarc-ignore.hosts

127.0.0.1
::1
192.168.1.0/24
2001:db8:1::/64

/usr/local/etc/mail/opendmarc-whitelist.domains

example.com
mail.example.com

Sendmail configuration

/etc/mail/sendmail.cf

+ O InputMailFilters=dkim-milter, dmarc-milter
+ Xdmarc-milter, S=local:/var/run/opendmarc/socket, F=T, T=R:2m
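Review bot: these two lines patch the generated sendmail.cf, which FreeBSD rebuilds from the .mc file on the next make in /etc/mail, losing the change; add the milter to the .mc instead with INPUT_MAIL_FILTER(`dmarc-milter', `S=local:/var/run/opendmarc/socket, F=T, T=R:2m') after the existing dkim-milter entry and regenerate. The order in InputMailFilters matters and is right here: dkim-milter runs first so its Authentication-Results header exists when dmarc-milter evaluates the message, and F=T makes sendmail temp-fail when the milter is unreachable, which fails closed and is the correct choice for an enforcing filter.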

DNS configuration

/usr/local/etc/namedb/primary/example.com.zone

+ _dmarc          3600    IN      TXT     "v=DMARC1; p=reject; pct=100; adkim=s; aspf=r; ruf=mailto:ruf@example.com; rua=mailto:rua@example.com"
+ _dmarc.mail     3600    IN      TXT     "v=DMARC1; p=reject; pct=100; adkim=s; aspf=r; ruf=mailto:ruf@example.com; rua=mailto:rua@example.com"
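Review bot: adkim=s requires the d= of the verifying DKIM signature to equal the From: domain exactly, so a message with From: user@example.com signed with d=mail.example.com (or the reverse) is not DKIM-aligned and passes only through relaxed SPF; when such mail is forwarded and SPF breaks, p=reject refuses it. Use adkim=s only if every signing host signs with d= equal to the From: domain, otherwise adkim=r. The separate _dmarc.mail record covers mail.example.com explicitly; an sp=reject tag on the example.com record would apply the same policy to all subdomains instead. The ruf= mailbox receives copies of failing messages from any receiver that sends failure reports, so treat it as sensitive.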

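To check a record like the one above before publishing it, here is an added example in POSIX sh (it is not from the original post and not part of opendmarc): it parses the DMARC tags, rejects malformed records, and evaluates DKIM/SPF alignment under adkim= and aspf= the way a receiver does. The organizational-domain step is simplified to the last two labels (a real receiver consults the Public Suffix List, which is what opendmarc's PublicSuffixList setting is for); the record and the domains fed to it are constructed inputs.

```shell
#!/bin/sh
# Added example, not part of the original post: parse the DMARC TXT record
# published above and check DKIM/SPF alignment the way a receiving filter does.
# Simplification: the organizational domain is taken to be the last two labels;
# a real receiver uses the Public Suffix List instead.

# dmarc_tag RECORD TAG: print the value of TAG in RECORD, or nothing if absent.
dmarc_tag() {
    printf '%s\n' "$1" | tr ';' '\n' \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | awk -F= -v t="$2" '$1 == t { sub(/^[^=]*=/, ""); print; exit }'
}

# dmarc_record_ok RECORD: return 0 if the record is usable by a receiver.
dmarc_record_ok() {
    rec=$1
    # v=DMARC1 must be the first tag.
    case "$rec" in
        v=DMARC1*) ;;
        *) echo "first tag must be v=DMARC1" >&2; return 1 ;;
    esac
    # p= is mandatory.
    case "$(dmarc_tag "$rec" p)" in
        none|quarantine|reject) ;;
        *) echo "p= must be none, quarantine or reject" >&2; return 1 ;;
    esac
    # adkim= and aspf= default to relaxed (r).
    for t in adkim aspf; do
        v=$(dmarc_tag "$rec" "$t")
        case "${v:-r}" in
            r|s) ;;
            *) echo "$t= must be r or s" >&2; return 1 ;;
        esac
    done
    # pct= defaults to 100 and must be 0..100.
    pct=$(dmarc_tag "$rec" pct)
    case "${pct:-100}" in
        ''|*[!0-9]*) echo "pct= must be numeric" >&2; return 1 ;;
    esac
    if [ "${pct:-100}" -gt 100 ]; then
        echo "pct= must be 0..100" >&2; return 1
    fi
    # rua=/ruf= are optional but must be mailto: URIs when present.
    for t in rua ruf; do
        v=$(dmarc_tag "$rec" "$t")
        if [ -n "$v" ]; then
            case "$v" in
                mailto:*) ;;
                *) echo "$t= must be a mailto: URI" >&2; return 1 ;;
            esac
        fi
    done
    return 0
}

# org_domain DOMAIN: last two labels (approximation of the organizational domain).
org_domain() {
    printf '%s\n' "$1" | awk -F. '{ if (NF < 2) print $0; else print $(NF-1) "." $NF }'
}

# aligned FROM_DOMAIN AUTH_DOMAIN MODE: 0 if AUTH_DOMAIN aligns with FROM_DOMAIN
# under MODE (s = exact match, r = same organizational domain).
aligned() {
    from=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    auth=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    if [ -z "$auth" ]; then
        return 1
    fi
    if [ "$3" = s ]; then
        [ "$from" = "$auth" ]
    else
        [ "$(org_domain "$from")" = "$(org_domain "$auth")" ]
    fi
}

# dmarc_result RECORD FROM_DOMAIN DKIM_D SPF_DOMAIN: print pass or fail.
# DKIM_D is the d= of a signature that verified (empty if none);
# SPF_DOMAIN is the MAIL FROM domain when SPF passed (empty if none).
dmarc_result() {
    rec=$1
    adkim=$(dmarc_tag "$rec" adkim)
    aspf=$(dmarc_tag "$rec" aspf)
    if aligned "$2" "$3" "${adkim:-r}" || aligned "$2" "$4" "${aspf:-r}"; then
        echo pass
    else
        echo fail
    fi
}

# Constructed input: the record the zone above publishes for example.com.
REC='v=DMARC1; p=reject; pct=100; adkim=s; aspf=r; ruf=mailto:ruf@example.com; rua=mailto:rua@example.com'

dmarc_record_ok "$REC" && echo "record: ok, policy $(dmarc_tag "$REC" p)"
# From: example.com, DKIM d=mail.example.com, SPF pass for example.com:
# strict DKIM alignment fails, relaxed SPF alignment carries the message.
dmarc_result "$REC" example.com mail.example.com example.com
# Same DKIM signature with no SPF pass (e.g. after forwarding): fail.
dmarc_result "$REC" example.com mail.example.com ""
```

Run it with sh; to test a live record, set REC to the TXT data returned by drill -t TXT _dmarc.example.com with the quotes stripped. The last call shows why adkim=s is risky for mail signed under a subdomain: once forwarding breaks SPF, nothing is left to align and the p=reject policy refuses the message.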