DNS manipulation for SPF and DMARC

Kevin Bullock kbullock+mercurial at ringworld.org
Thu Oct 12 11:11:22 EDT 2017


> On Oct 12, 2017, at 10:03, Augie Fackler <raf at durin42.com> wrote:
> 
> I've done some sniffing around, and it looks like we could at least start figuring out *why* we're getting on this Spamhaus list if we would enable DMARC in notify-only mode, and it would definitely help our IP reputation to have an SPF record. So I think we should configure the following DNS entries:
> 
> 
> # We could probably also put "a mx" in here to allow the A and MX
> # records for mercurial-scm.org to transact mail.
> mercurial-scm.org.  IN TXT "v=spf1 ip4:192.81.134.36 ip6:2600:3c01::f03c:91ff:fedb:76b6/64 ~all"
> 
> 
> # rua = "aggregate data reporting address"
> # ruf = "forensic data reporting address"
> # fo = "failure option" -> 1 means "report for any failure"
> # By default this applies to 100% of mail.
> _dmarc.mercurial-scm.org. IN TXT "v=DMARC1; p=none; rua=mailto:dmarc@mercurial-scm.org; ruf=mailto:dmarc@mercurial-scm.org; fo=1"
> 
> 
> 
> and configure dmarc@ to forward to someplace private, but reachable by the sysadmin group. Thoughts?

Sounds reasonable to me.

pacem in terris / мир / शान्ति / ‎‫سَلاَم‬ / 平和
Kevin R. Bullock
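
An added example, not part of the thread and not the Mercurial project's code: Python that evaluates the ip4/ip6/all mechanisms of the proposed SPF record against a sender address and parses the proposed DMARC record. It does no DNS lookups; the function names and the test addresses are constructed for illustration, and the report address is written with "@".

```python
import ipaddress

# Records as proposed in the quoted message (report address written with "@").
SPF = "v=spf1 ip4:192.81.134.36 ip6:2600:3c01::f03c:91ff:fedb:76b6/64 ~all"
DMARC = ("v=DMARC1; p=none; rua=mailto:dmarc@mercurial-scm.org; "
         "ruf=mailto:dmarc@mercurial-scm.org; fo=1")
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(record, sender_ip):
    """Evaluate the ip4/ip6/all mechanisms of an SPF record (no DNS lookups)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qualifier]
        if name.lower() not in ("ip4", "ip6"):
            raise ValueError("mechanism needs DNS, not handled here: " + term)
        # strict=False: only the prefix bits are compared, so host bits set in
        # the record (as in the /64 above) are ignored.
        net = ipaddress.ip_network(value, strict=False)
        if net.version == ip.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"                         # no mechanism matched

def parse_dmarc(record):
    """Return the DMARC tags as a dict, with the pct default made explicit."""
    tags = {}
    for part in filter(str.strip, record.split(";")):
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed tag: " + part.strip())
        tags[key.strip().lower()] = value.strip()
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= policy")
    tags.setdefault("pct", "100")            # unset pct means all mail
    return tags

if __name__ == "__main__":
    for addr in ("192.81.134.36", "2600:3c01::1", "198.51.100.7"):  # constructed
        print(addr, spf_check(SPF, addr))
    print(parse_dmarc(DMARC))
```

The second test address passes because the `ip6:` term with `/64` authorizes every address in that /64 prefix, not only the listed host; narrowing it to `/128` would limit the record to the single address.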


