On 19/05/21 15.15, Rievo Niemrod E via Mdaemon-L wrote:
Dear Pak Syafril, could you please shed some light on the error log below


[27535395] --> MAIL From:<[email protected]> SIZE=175052
[27535395] <-- 550-5.7.26 Unauthenticated email from ptbmi.com is not accepted due to domain's
[27535395] <-- 550-5.7.26 DMARC policy. Please contact the administrator of ptbmi.com domain
[27535395] <-- 550-5.7.26 if this was a legitimate mail. Please visit
[27535395] <-- 550-5.7.26  https://support.google.com/mail/answer/2451690 to learn about the
[27535395] <-- 550 5.7.26 DMARC initiative. j13si25350188pgq.300 - gsmtp


This undeliverable-mail log appeared after I enabled DMARC yesterday.

Is there a setting that is wrong, Pak?


The subdomain mdn.ptbmi.com has no SPF record, so it is rejected (it does not have an authenticated domain policy).

https://support.google.com/a/answer/10032169?hl=en&ref_topic=2759254

SPF alignment example

With SPF, alignment compares the domain authenticated by SPF (usually
the envelope sender address) to the domain in the message header
From: address. Here are some alignment examples with their SPF check
results.


See how to enable SPF for the subdomain mdn.ptbmi.com here:

https://www.mail-archive.com/[email protected]/msg46876.html

If you have a subdomain for which you do not want or need to enable DMARC as well, then the DMARC record of the root domain (ptbmi.com) must declare sp=none, because without the sp tag a subdomain will follow the DMARC policy of the root domain (inherited policy).


_dmarc.ptbmi.com. TXT "v=DMARC1; p=reject; aspf=s; sp=none; rua=mailto:[email protected]"

https://dmarcly.com/blog/how-dmarc-works-with-subdomains-dmarc-sp-tag

Scenario: subdomain inherits organizational domain's p policy
For example, if there is a DMARC record published on example.com, as shown 
below:

example.com     "v=DMARC1; p=reject;"

Now that example.com's policy is reject, any example.com's subdomain
without a DMARC record will have a reject policy.


Scenario: subdomain inherits organizational domain's sp policy

If the organizational domain has a DMARC record with a policy (p tag) and a 
subdomain policy (sp tag), while the subdomain doesn't have a DMARC record, the 
subdomain inherits the organizational domain's subdomain policy.

For example, if there is a DMARC record published on example.com, as shown 
below:

example.com     "v=DMARC1; p=reject; sp=quarantine;"


Scenario: subdomain overrides organizational domain's policy
If the organizational domain has a DMARC record with a policy (p tag) and a 
subdomain policy (sp tag), while the subdomain has its own policy (p tag), the 
subdomain overrides the organizational domain's subdomain policy with its own 
policy.
For example, if there is a DMARC record published on example.com, as shown 
below:

example.com     "v=DMARC1; p=reject; sp=reject;"

and a DMARC record published on sales.example.com:

sales.example.com     "v=DMARC1; p=quarantine;"

In this scenario, sales.example.com's own policy overrides example.com's 
policy. Therefore, p=quarantine is applied to sales.example.com.


Scenario: subdomain policy published on subdomain
When an sp tag is used in a DMARC record published on a subdomain, the sp tag 
will be ignored due to the effect of the DMARC policy discovery process.

For example, if you have a DMARC record on a subdomain:

sales.example.com     "v=DMARC1; p=reject; sp=quarantine;"

the sp tag has no effect on sales.example.com or any subdomains under 
sales.example.com such as it.sales.example.com.
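The policy discovery and alignment rules quoted above (the Google SPF alignment note and the dmarcly subdomain scenarios), as an added example that is not part of the original post or of either quoted source. It models the RFC 7489 policy discovery order (exact domain first, then the organizational domain, using sp for subdomains) and SPF identifier alignment against a constructed in-memory set of DNS TXT records; `org_domain` is a deliberate simplification (last two labels instead of the Public Suffix List), DKIM is omitted, and the rua address in the ptbmi.com record is a placeholder.

```python
# Added example, not MDaemon's or Gmail's implementation: a minimal model of
# DMARC policy discovery (RFC 7489 section 6.6.3) and SPF identifier alignment.

# Constructed DNS TXT records for the scenarios in the post. In real life these
# are fetched with DNS queries for _dmarc.<domain>.
DNS_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine;",
    # sp on a subdomain record is ignored by policy discovery (see below)
    "_dmarc.sales.example.com": "v=DMARC1; p=quarantine; sp=none;",
    # Record the reply suggests for ptbmi.com; rua address is a placeholder.
    "_dmarc.ptbmi.com": "v=DMARC1; p=reject; aspf=s; sp=none; rua=mailto:dmarc@example.invalid",
}


def parse_dmarc(txt):
    """Parse 'tag=value; ...' into a dict; None if not a usable DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def org_domain(domain):
    """Organizational domain. Assumption/simplification: the last two labels.
    A real implementation consults the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def discover_policy(from_domain, dns=DNS_TXT):
    """Return (policy, domain_whose_record_was_used) for the RFC5322.From domain."""
    from_domain = from_domain.lower()
    rec = dns.get(f"_dmarc.{from_domain}")
    tags = parse_dmarc(rec) if rec else None
    if tags:
        # Exact record found: its p applies; any sp tag on it is not consulted,
        # which is why sp on sales.example.com has no effect.
        return tags["p"], from_domain
    org = org_domain(from_domain)
    if org == from_domain:
        return "none", None  # organizational domain itself has no record
    rec = dns.get(f"_dmarc.{org}")
    tags = parse_dmarc(rec) if rec else None
    if not tags:
        return "none", None
    # Subdomain without its own record: use sp if published, else inherit p.
    return tags.get("sp", tags["p"]), org


def spf_aligned(from_domain, spf_domain, mode="r"):
    """SPF alignment: strict ('s') needs an exact match between the header From
    domain and the SPF-authenticated (envelope sender) domain; relaxed ('r')
    needs only the same organizational domain."""
    f, s = from_domain.lower(), spf_domain.lower()
    if mode == "s":
        return f == s
    return org_domain(f) == org_domain(s)


def dmarc_disposition(from_domain, spf_domain, spf_passed, dns=DNS_TXT):
    """Tiny DMARC evaluation using SPF only: 'pass' when SPF passed and the
    identifiers align under the record's aspf mode, otherwise the discovered
    policy (none / quarantine / reject)."""
    policy, source = discover_policy(from_domain, dns)
    rec = dns.get(f"_dmarc.{source}") if source else None
    tags = (parse_dmarc(rec) if rec else None) or {}
    mode = tags.get("aspf", "r")
    if spf_passed and spf_aligned(from_domain, spf_domain, mode):
        return "pass"
    return policy


if __name__ == "__main__":
    # The situation in the log: header From ptbmi.com, envelope sender on
    # mdn.ptbmi.com, record says aspf=s -> strict alignment fails -> reject.
    print(dmarc_disposition("ptbmi.com", "mdn.ptbmi.com", spf_passed=True))
    print(discover_policy("mdn.ptbmi.com"))        # sp=none applies
    print(discover_policy("it.sales.example.com"))  # org's sp=quarantine
```

Note the last two calls: with sp=none on ptbmi.com, mail whose From domain is mdn.ptbmi.com gets policy none, but mail whose From domain is ptbmi.com is still evaluated under p=reject with strict SPF alignment, so an envelope sender on the subdomain alone does not satisfy it.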


Best practices for DMARC with subdomains

After you reach p=reject on your organizational domain, you should
also protect your subdomains with p=reject. This is because even if your
subdomains' DMARC policy is p=none or p=quarantine, adversaries can
still send emails on behalf of your subdomains.


This can be easily achieved by setting your organizational domain's
policy to p=reject, and don't override it on any subdomains. This
way, all the subdomains under your organizational domain will have
p=reject, and no one without explicit authorization can send emails
on behalf of your organization!
--
syafril
--------
Syafril Hermansyah

MDaemon-L Moderator, run MDaemon 21.0.2 64bit
Please do not send private mail (or cc:) for MDaemon issues.

The difficulty of decision-making in this country is driven by anxiety, fear, and the narrow-mindedness of people who do not dare to shoulder responsibility.
        -- I Putu Gede Ary Suta & Subowo Musa



--
--[mdaemon-l]----------------------------------------------------------
This mailing list is for discussion among MDaemon Mail Server users in Indonesia

Netiquette: https://wiki.openstack.org/wiki/MailingListEtiquette
Archive: http://mdaemon-l.dutaint.com
Documentation: http://mdaemon.dutaint.co.id
Subscribe: send mail to [email protected]
Unsubscribe: send mail to [email protected]
Latest versions: MDaemon 21.0.2, SecurityGateway 8.0.1