Deploying DMARC

Posted by: | February 21, 2023

Prerequisites

  • FreeBSD 12.4
  • DKIM already deployed

Installing the milter

pkg install -y opendmarc
sysrc opendmarc_enable=YES
sysrc opendmarc_socketspec=local:/var/run/opendmarc/socket

/usr/local/etc/mail/opendmarc.conf

--- opendmarc.conf.sample       2022-04-07 23:51:15.000000000 +0900
+++ opendmarc.conf      2023-02-24 01:43:31.524053000 +0900
@@ -26,6 +26,7 @@
 ##  gethostname(3) function) will be used.
 #
 # AuthservID name
+AuthservID HOSTNAME

 ##  AuthservIDWithJobID { true | false }
 ##     default "false"
@@ -128,6 +129,7 @@
 ##
 #
 # DomainWhitelistFile /usr/local/etc/opendmarc/whitelist.domains
+DomainWhitelistFile /usr/local/etc/mail/opendmarc-whitelist.domains

 ##  DomainWhitelistSize
 ##     default 3000
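
Review bot: `DomainWhitelistFile` now points at /usr/local/etc/mail/opendmarc-whitelist.domains, but the write-up only shows the contents of opendmarc-ignore.hosts. Create this file before starting the service and document what belongs in it, since a whitelist relaxes the checks for whatever it lists.
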
@@ -167,6 +169,7 @@
 ##  formatted per RFC6591.
 #
 # FailureReports false
+FailureReports true

 ##  FailureReportsBcc (string)
 ##     default (none)
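
Review bot: `FailureReports true` makes this host send a report, formatted per RFC6591 as the context comment notes, for messages that fail evaluation. That is outbound mail triggered by unauthenticated inbound mail, so state who receives these reports and watch the volume after enabling it.
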
@@ -178,6 +181,7 @@
 ##  is no default.
 #
 # FailureReportsBcc postmaster@example.coom
+FailureReportsBcc postmaster@example.com

 ##  FailureReportsOnNone { true | false }
 ##     default "false"
@@ -199,6 +203,7 @@
 ##  could not be determined.
 #
 # FailureReportsSentBy USER@HOSTNAME
+FailureReportsSentBy noreply-dmarc-report@example.com

 ##  HistoryFile path
 ##     default (none)
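
Review bot: `FailureReportsSentBy noreply-dmarc-report@example.com` sends the reports under example.com, the same domain that publishes `p=reject` with `adkim=s` later in this write-up. Make sure the reports leave through a path that signs them with d=example.com or passes SPF for example.com, otherwise receivers enforcing DMARC will refuse them; also confirm the noreply address can take bounces.
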
@@ -233,6 +238,7 @@
 ##  SMTP AUTH) to be ignored by the filter.
 #
 # IgnoreAuthenticatedClients false
+IgnoreAuthenticatedClients true

 ## HoldQuarantinedMessages { true | false }
 ##     default "false"
@@ -257,6 +263,7 @@
 ##  to "127.0.0.1" only.
 #
 # IgnoreHosts /usr/local/etc/opendmarc/ignore.hosts
+IgnoreHosts /usr/local/etc/mail/opendmarc-ignore.hosts

 ##  IgnoreMailFrom domain[,...]
 ##     default (none)
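
Review bot: `IgnoreHosts` replaces the default of "127.0.0.1" only (see the context comment) with the file shown further down, which also lists 192.168.1.0/24 and 2001:db8:1::/64. Every host in those ranges skips the filter, so keep the list to the relays that actually need it rather than whole LAN prefixes where possible.
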
@@ -315,6 +322,7 @@
 ##  field will be added.
 #
 # RejectFailures false
+RejectFailures true

 ##  RejectMultiValueFrom { true | false }
 ##     default "false"
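
Review bot: `RejectFailures true` turns on SMTP-time rejection in the same change that first installs the filter. Run with `RejectFailures false` for a while and review the header field the filter adds, then switch to true; forwarded and mailing-list mail from domains that publish p=reject is the usual source of unexpected rejections.
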
@@ -377,6 +385,7 @@
 ##  itself, or because you don't trust the arriving header.
 #
 # SPFIgnoreResults false
+SPFIgnoreResults true

 ##  SPFSelfValidate { true | false }
 ##     default false
@@ -390,6 +399,7 @@
 ##  always performs the SPF check itself when this is set.
 #
 # SPFSelfValidate false
+SPFSelfValidate true

 ##  Syslog { true | false }
 ##     default "false"
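
Review bot: `SPFSelfValidate true`, together with `SPFIgnoreResults true` from the previous hunk, means the SPF result comes only from OpenDMARC's own check. Both settings depend on the installed opendmarc having been built with SPF support, so confirm the package option and record it next to these two lines.
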

/usr/local/etc/mail/opendmarc-ignore.hosts

127.0.0.1
::1
192.168.1.0/24
2001:db8:1::/64

Sendmail configuration

/etc/mail/sendmail.cf

+ O InputMailFilters=dkim-milter, dmarc-milter
+ Xdmarc-milter, S=local:/var/run/opendmarc/socket, F=T, T=R:2m
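
Review bot: these two lines are added directly to /etc/mail/sendmail.cf, which is generated from the .mc source and will lose them on the next rebuild. Declare the filter in the .mc file with INPUT_MAIL_FILTER instead, and note that `F=T` makes Sendmail temp-fail incoming mail whenever the opendmarc socket is unavailable, so the service needs monitoring.
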

DNS configuration

/usr/local/etc/namedb/primary/example.com.zone

+ _dmarc          3600    IN      TXT     "v=DMARC1; p=reject; pct=100; adkim=s; aspf=r; ruf=mailto:ruf@example.com; rua=mailto:rua@example.com"
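
Review bot: the record goes straight to `p=reject; pct=100` with `adkim=s`. Publish `p=none` first and read the reports arriving at the rua address until every legitimate sender signs with exactly d=example.com (strict alignment does not accept subdomain signatures), then tighten to quarantine and reject.
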

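What the `_dmarc` record above means for a given message, as an added example that is not part of the original post: the code parses the record and applies its `adkim=s` / `aspf=r` alignment modes. `org_domain()` is a simplification (last two labels instead of the Public Suffix List), `pct` is not modelled, and the message domains used with it are constructed.

```python
# Added example, not from the original post. RECORD is the TXT value from the
# page's zone file; the message domains passed to evaluate() are constructed.
RECORD = ("v=DMARC1; p=reject; pct=100; adkim=s; aspf=r; "
          "ruf=mailto:ruf@example.com; rua=mailto:rua@example.com")


def parse_dmarc(txt):
    """Return the record's tags as a dict, enforcing the RFC 7489 basics."""
    pairs = [p.strip() for p in txt.split(";") if p.strip()]
    tags = {}
    for i, pair in enumerate(pairs):
        name, sep, value = pair.partition("=")
        if not sep:
            raise ValueError("malformed tag: %r" % pair)
        name, value = name.strip().lower(), value.strip()
        if i == 0 and (name, value) != ("v", "DMARC1"):
            raise ValueError("record must start with v=DMARC1")
        tags.setdefault(name, value)      # first occurrence of a tag wins
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    return tags


def org_domain(domain):
    """Assumption: last two labels. Real verifiers use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(mode, from_domain, auth_domain):
    """Mode 's' needs an exact match, 'r' only the same organizational domain."""
    if auth_domain is None:               # that mechanism did not pass at all
        return False
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def evaluate(tags, from_domain, dkim_d=None, spf_domain=None):
    """dkim_d / spf_domain: domain of a passing DKIM signature / SPF check.

    Returns "pass" if either mechanism is aligned, else the policy in p=.
    """
    ok = (aligned(tags.get("adkim", "r"), from_domain, dkim_d) or
          aligned(tags.get("aspf", "r"), from_domain, spf_domain))
    return "pass" if ok else tags["p"]
```

With this record, a message signed by a subdomain (`d=mail.example.com`) only passes if SPF also succeeds for a domain under example.com, which is the case to check before enforcing `p=reject`.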