Hi Marc,

Your idea is right, in my opinion.

You do need a valid SPF record (it may be a "-all", that's your choice, because
you don't send mail for that domain). But no DKIM, because you don't send
emails.

But enough talking, I think an example helps more:

Domain 1 (master)
_dmarc                  IN      TXT             ("v=DMARC1; p=quarantine; sp=reject; fo=1; aspf=r; adkim=s;"
                                                 "rua=mailto:[email protected]; ruf=mailto:[email protected];")

Domain 2 (no real use)
@                       IN      TXT             "v=spf1 -all"
_dmarc                  IN      TXT             ("v=DMARC1; p=reject; sp=reject; fo=1; aspf=s; adkim=s;"
                                                 "rua=mailto:[email protected]; ruf=mailto:[email protected];")

But you have to allow other domains to receive reports. For me it is another
domain I own.

Domain 3 (where the reports go)
(its own DMARC record is left out because it does not matter here)
tierheilpraxis-nix.de._report._dmarc    IN      TXT     "v=DMARC1"
thp-nix.de._report._dmarc               IN      TXT     "v=DMARC1"

So it's what you have written, I think. Do not waste time on DKIM - you
don't send, you don't need it.

Hope it helps.

Kind regards,
Marko

> On 25.08.2017 at 19:22, Marc Luescher via dmarc-discuss
> <[email protected]> wrote:
> 
> Hi there,
> 
> we are setting up a lot of vanity domains to make sure they can not be used 
> for abuse.
> 
> main domain fresenius.com
> vanity 1 fressenius.com etc
> 
> My idea was just to create a DMARC record like:
> v=DMARC1; p=reject; rua=mailto:[email protected],mailto:[email protected],mailto:[email protected];ruf=mailto:[email protected],mailto:[email protected]; sp=reject; fo=1;
> 
> for all newly registered vanity domains and to authorize it in the master
> domain. Would this be best practice, or do we also need a valid SPF and/or
> DKIM record for every vanity domain to be fully compliant? I did not find any
> guideline on how to do this.
> 
> Thank you
> 
> Marc
> 
> _______________________________________________
> dmarc-discuss mailing list
> [email protected]
> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
> 
> NOTE: Participating in this list means you agree to the DMARC Note Well terms 
> (http://www.dmarc.org/note_well.html)
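
The authorization records in the "Domain 3" zone above follow a fixed naming rule: `<policy-domain>._report._dmarc.<report-domain>`. As an added example (not part of the original thread), this Python code derives the names a report-receiving domain must publish for a given DMARC record and lists the ones that are missing. All domains, addresses and the `ZONE` table are constructed, and the same-organization check is a simplified suffix match, not a Public Suffix List lookup.

```python
def parse_tags(record):
    """Split a DMARC TXT value into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def report_hosts(record):
    """Return the mail domains named in the rua= and ruf= mailto: URIs."""
    tags = parse_tags(record)
    hosts = set()
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            uri = uri.strip()
            if uri.lower().startswith("mailto:") and "@" in uri:
                # Drop an optional "!10m" size limit after the address.
                address = uri[len("mailto:"):].split("!", 1)[0]
                hosts.add(address.rsplit("@", 1)[1].lower().rstrip("."))
    return hosts

def same_org(a, b):
    # Assumption: suffix match stands in for the Organizational Domain
    # comparison, which really needs the Public Suffix List.
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def required_authorizations(policy_domain, record):
    """Names where the report receiver must publish TXT "v=DMARC1"."""
    policy_domain = policy_domain.lower().rstrip(".")
    return [f"{policy_domain}._report._dmarc.{host}"
            for host in sorted(report_hosts(record))
            if not same_org(host, policy_domain)]

def missing_authorizations(policy_domain, record, txt_records):
    """txt_records maps owner name -> list of TXT strings, as read from DNS."""
    return [name for name in required_authorizations(policy_domain, record)
            if not any(txt.strip().startswith("v=DMARC1")
                       for txt in txt_records.get(name, []))]

# Constructed data: two parked domains that report to reports.example,
# only one of which has been authorized in the reports.example zone.
PARKED = ("v=DMARC1; p=reject; sp=reject; fo=1; aspf=s; adkim=s; "
          "rua=mailto:agg@reports.example; ruf=mailto:forensic@reports.example;")
ZONE = {"parked-one.example._report._dmarc.reports.example": ["v=DMARC1"]}

if __name__ == "__main__":
    for domain in ("parked-one.example", "parked-two.example"):
        print(domain, "missing:", missing_authorizations(domain, PARKED, ZONE))
```

A parked domain that shows up in the "missing" list has a valid policy, but receivers that verify external destinations will not send its reports to the shared mailbox until the record is published.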
