SPF, DKIM, DMARC, SSL, TLS

[IceWarp Mail Server] Setting the DMARC Record in DNS

ICEWARP Email Server avastkorea 2021. 8. 9. 14:44

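DMARC is a setting used by the mail server, but it is published by registering a TXT record on the DNS server. To confirm that the DMARC record you set is valid, you can verify it with one of several DMARC validation sites.

For example, you can verify it with sites such as the following:
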

- https://dmarcian.com/dmarc-inspector/

- https://mxtoolbox.com/SuperTool.aspx

- https://www.dmarcanalyzer.com/dmarc/dmarc-record-check/


The configuration on the DNS server is simple:

- Add a record of type TXT.

- Record name: enter _dmarc.

- Text value: enter a value such as v=DMARC1; p=quarantine; rua=mailto:<email address>; adkim=r; aspf=r

The basic DMARC tags are as follows:

| Tag | Explanation |
| --- | --- |
| v | DMARC protocol version. |
| p | The policy to apply to email that fails the DMARC check. Can be “none”, “quarantine”, or “reject”. “none” is used to collect the DMARC report and gain insight into the current email flows and their status. |
| rua | A list of URIs for ISPs to send XML feedback to. NOTE: this is not a list of email addresses. DMARC requires a list of URIs of the form “mailto:test@example.com”. |
| ruf | A list of URIs for ISPs to send forensic reports to. NOTE: this is not a list of email addresses. DMARC requires a list of URIs of the form “mailto:test@example.org”. |
| rf | The reporting format for forensic reports. This can be either “afrf” or “iodef”. |
| pct | The percentage tag instructs ISPs to apply the DMARC policy to only a percentage of failing emails. “pct=50” tells receivers to apply the “p=” policy only 50% of the time to emails that fail the DMARC check. NOTE: this does not work for the “none” policy, only for the “quarantine” or “reject” policies. |
| adkim | Specifies the “Alignment Mode” for DKIM signatures; this can be either “r” (Relaxed) or “s” (Strict). In Relaxed mode, authenticated DKIM signing domains (d=) that share an Organizational Domain with an email’s ‘From’ domain will also pass the DMARC check. In Strict mode an exact match is required. |
| aspf | Specifies the “Alignment Mode” for SPF; this can be either “r” (Relaxed) or “s” (Strict). In Relaxed mode, authenticated SPF domains that share an Organizational Domain with an email’s ‘From’ domain will also pass the DMARC check. In Strict mode an exact match is required. |
| sp | The policy to apply to email from a subdomain of this domain that fails the DMARC check. Using this tag, domain owners can publish a “wildcard” policy for all subdomains. |
| fo | Forensic options. Allowed values: “0” to generate reports if both DKIM and SPF fail, “1” to generate reports if either DKIM or SPF fails to produce a DMARC pass result, “d” to generate a report if DKIM has failed, or “s” if SPF has failed. |
| ri | The reporting interval for how often the aggregate XML reports are sent. This is a preference, and ISPs could (and most likely will) send the report at different intervals (normally this will be daily). |
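
As an added example (not part of the original post and not IceWarp code), the following Python checks a DMARC TXT value against the tag descriptions above before it is published in DNS. The two sample records and the example.com address are constructed; the rules that v=DMARC1 must come first and that p must be present are taken from RFC 7489 rather than from this page.

```python
# Added example: offline check of a DMARC TXT value against the tag rules above.
ALLOWED = {
    "p": {"none", "quarantine", "reject"},
    "sp": {"none", "quarantine", "reject"},
    "adkim": {"r", "s"},
    "aspf": {"r", "s"},
    "rf": {"afrf", "iodef"},
}

def parse_dmarc(txt):
    """Split a DMARC TXT value into ordered (tag, value) pairs."""
    pairs = []
    for part in filter(None, (p.strip() for p in txt.split(";"))):
        tag, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"tag without '=': {part!r}")
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def check_dmarc(txt):
    """Return a list of problems found in the record; an empty list means none."""
    pairs = parse_dmarc(txt)
    tags = dict(pairs)
    problems = []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("v=DMARC1 must be the first tag")
    if "p" not in tags:
        problems.append("p tag is missing")
    for tag, allowed in ALLOWED.items():
        if tag in tags and tags[tag].lower() not in allowed:
            problems.append(f"{tag}={tags[tag]} is not one of {sorted(allowed)}")
    for tag in ("rua", "ruf"):  # must be URIs, not bare email addresses
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if not uri.lower().startswith("mailto:"):
                problems.append(f"{tag} entry {uri!r} is not a mailto: URI")
    if "pct" in tags:
        if not tags["pct"].isdecimal() or not 0 <= int(tags["pct"]) <= 100:
            problems.append("pct must be an integer from 0 to 100")
        elif tags.get("p") == "none":
            problems.append("pct has no effect with p=none")
    for opt in tags["fo"].split(":") if "fo" in tags else []:
        if opt.strip() not in {"0", "1", "d", "s"}:
            problems.append(f"fo option {opt!r} is not one of 0, 1, d, s")
    return problems

# Constructed sample records (the example.com address is a placeholder).
GOOD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; adkim=r; aspf=r"
BAD = "v=DMARC1; p=none; rua=dmarc-reports@example.com; pct=50; adkim=x; fo=2"
```

Calling check_dmarc(GOOD) returns an empty list, while check_dmarc(BAD) reports the invalid adkim value, the bare email address in rua, the pct tag that has no effect under p=none, and the unknown fo option.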