DNS manipulation for SPF and DMARC

Augie Fackler raf at durin42.com
Mon Nov 6 20:31:35 UTC 2017


On Oct 12, 2017, at 13:05, Anton Shestakov <av6 at dwimlabs.net> wrote:

On Thu, 12 Oct 2017 11:03:01 -0400
Augie Fackler <raf at durin42.com> wrote:

I've done some sniffing around, and it looks like we could at least start
figuring out *why* we're getting on this spamhaus list if we would enable
DMARC in notify-only mode, and it would definitely help our IP reputation
to have an SPF record. So I think we should configure the following DNS
entries:


# We could probably also put "a mx" in here to allow the A and MX
# records for mercurial-scm.org to transact mail.
mercurial-scm.org.  IN TXT "v=spf1 ip4:192.81.134.36 ip6:2600:3c01::f03c:91ff:fedb:76b6/64 ~all"


If you decide to put "a mx" here (it definitely makes sense doing that),
you won't need to hardcode the IP addresses. That way whatever's
checking SPF on the other end will resolve A and AAAA for
"mercurial-scm.org" and its configured MX hosts in the process of
validating.

...except without the /64 in ipv6 field, but are you sure you're using
multiple IPv6 addresses from that subnet on the server for email?
Addresses that don't resolve back to mercurial-scm.org (try with `dig
-x`) will suffer penalties when trying to deliver mail. So it may be
better to make sure everything uses only one IPv6 address, one that
resolves to mercurial-scm.org. It will also simplify this SPF record
down to "v=spf1 a mx ~all".

If DMARC reports reveal that people pretend to be m-s.o to send spam,
it will help somewhat to change from SoftFail ("~all") to Fail ("-all").

# rua = "aggregate data reporting address"
# ruf = "forensic data reporting address"
# fo = "failure option" -> 1 means "report for any failure"
# By default this applies to 100% of mail.
_dmarc.mercurial-scm.org. IN TXT "v=DMARC1; p=none; rua=mailto:dmarc@mercurial-scm.org; ruf=mailto:dmarc@mercurial-scm.org; fo=1"


I'd like to link this FAQ entry from dmarc.org about "ruf":

https://dmarc.org/wiki/FAQ#Do_I_want_to_receive_Failure_Reports_.28ruf.3D.29.3F

It says "[make] sure you are ready to receive a LOT of messages".

Also, not sure how verbose the forensic format is, but some incoming
mail may look a lot like spam; dmarc@m-s.o will probably need to accept
that?



Okay, given that, let's do this for now:

mercurial-scm.org.  IN TXT "v=spf1 a mx ~all"
# rua = "aggregate data reporting address"
# ruf = "forensic data reporting address"
# fo = "failure option" -> 1 means "report for any failure"
# By default this applies to 100% of mail.
_dmarc.mercurial-scm.org. IN TXT "v=DMARC1; p=none; rua=mailto:dmarc@mercurial-scm.org; ruf=mailto:dmarc@mercurial-scm.org; fo=1"

If the raging torrent of mail to dmarc@ proves too dire, we'll tune things.

Kevin, we're ready for mpm to make the DNS change, right?
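As an added example (not code from this thread or from the Mercurial project), a small SPF evaluator showing how the `a`, `mx`, `ip4`/`ip6` and `all` terms discussed above are matched against a sending address and how `~all` versus `-all` changes the verdict, plus a DMARC tag parser. The DNS data is a constructed in-memory stand-in using documentation addresses; a real SPF checker would also handle `include`, `redirect`, macros and the lookup limit.

```python
import ipaddress

# Constructed stand-in for live DNS (documentation-range addresses, not the real hosts).
FAKE_DNS = {
    ("mercurial-scm.org", "A"): ["192.0.2.10"],
    ("mercurial-scm.org", "AAAA"): ["2001:db8::10"],
    ("mercurial-scm.org", "MX"): ["mail.mercurial-scm.org"],
    ("mail.mercurial-scm.org", "A"): ["192.0.2.25"],
}

def lookup(name, rtype):
    return FAKE_DNS.get((name, rtype), [])

def host_networks(name):
    """A and AAAA addresses of a host, as single-address networks."""
    return [ipaddress.ip_network(a) for a in lookup(name, "A") + lookup(name, "AAAA")]

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, domain, sender_ip):
    """Evaluate an SPF record for sender_ip; supports ip4, ip6, a, mx and all."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        qualifier, mech = ("+", term) if term[0] not in QUALIFIERS else (term[0], term[1:])
        name, _, value = mech.lower().partition(":")
        if name == "all":
            nets = None                      # "all" matches every sender
        elif name in ("ip4", "ip6"):
            nets = [ipaddress.ip_network(value, strict=False)]  # a /64 admits the whole subnet
        elif name == "a":
            nets = host_networks(value or domain)
        elif name == "mx":
            nets = [n for mx in lookup(value or domain, "MX") for n in host_networks(mx)]
        else:
            raise ValueError("unsupported mechanism: " + name)
        if nets is None or any(ip in n for n in nets):
            return QUALIFIERS[qualifier]
    return "neutral"  # ran off the end without an "all" term

def parse_dmarc(record):
    """Split 'v=DMARC1; p=none; rua=...' into a tag dict."""
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if t.strip())
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags
```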