DMARC DNS records for outgoing mail settings.
whiskerpickles last edited by girish
Currently in Cloudron, DMARC DNS records are generated when inocming e-mail is activated.
What's missing is that DMARC policies are set by the domain owner (e-mail sender) and should be generated alongside DKIM and SPF. E-mail recipients only choose to acknowledge and honour the policy set by the domain owner. If it's not a terrible amount of work, please consider correcting the method of TXT record generation for DMARC. This will protect users that choose "outgoing only" as e-mail option for apps.
@whiskerpickles since I am not very familiar with E-Mail setup at all and I am glad cloudron does all the work for me so could you elaborate why this is a good thing and what will be the consequences for noobs like myself?
@brutalbirdie Absolutely... and goood choice with Cloudron! And I'll do my best to keep it light.
DMARC is sort of a mashup policy that enforces DKIM and SPF records. Don't run away yet...!
DKIM is a method where each e-mail you send is signed with a private key. When a recipient's server receives your message, it compares that key against a public key that you publish via a DNS record (that way it's available to the entire web). It's one way of verifying that an e-mail actually came from you.
SPF is another policy published via DNS records that tells receiving servers which sender domains and IP addresses they should consider valid senders. It prevents bad actors from spoofing your domain by saying only accept mail from my Cloudron instanse which is on my.brutalbirdie.com.
With DMARC, you publish another DNS record that lets receiving servers know you are serious about your e-mail identity. If an e-mail sent by your domain doesn't match a DKIM or SPF record, then you can instruct them to reject or send that message to SPAM folders.
In all, DMARC is another method of building trust for e-mails that are sent. Last year, the FBI reported losses in the billions from impersonated e-mail. By properly adding DMARC to outgoing DNS settings, you'll better protect your recipients and your brand.
Let me know if I missed the mark anywhere for you.
@brutalbirdie Don't fret, big guy. If you're using Cloudron to manage your incoming e-mail then you are covered. DMARC is implemented in Cloudron... it's just in the wrong place. So if you're an inbound or inbound AND outbound user then you are safe. Outbound only users should create a DMARC policy manually to take advantage of this feature until it's resolved.
@whiskerpickles It's this way because we didn't want to trample of the user's existing DMARC record (or add a new record just like that) given that outgoing email is the default for all domains that are added. The user is of course free to add their own DMARC record directly in the DNS, it's just not automated when using outbound only.
When a user chooses "incoming email" as well, we simply set everything up, since it seems like they chose Cloudron to manage all their email. So, we have a bit more "freedom" in creating new records. In fact, if there is an existing DMARC record and you enable incoming email, we don't change it.
Is your idea that Cloudron should add a DMARC record when a domain is added (this is even at installation time)?
@girish Your logic really opens this up and I get it. You guys know your users and if "outbound-only" folks are managing their own DNS, then it definitely would't make sense. I was just concerned for the less experienced.
I'd say we could close out this thread.
Hillside502 last edited by
I have an "Outbound only" (from the outset) domain at Gandi, with a DMARC record created by the Cloudron:-
_dmarc TXT 300 "v=DMARC1; p=reject; pct=100"
So, looks like DMARC records are already created for both 2-way and outbound only domains.
Confusion may arise because https://my.domain.tld/#/email shows the existence of a DMARC record for 2-way domains only.
Whoops, indeed, I stand corrected. What @Hillside502 noticed is correct. It seems we setup DMARC policy for outbound mail as well (but only if there is no existing record). For some reason, I thought this wasn't the case.