dmarc without dkim

Discussion in 'General' started by nhybgtvfr, Oct 22, 2020.

  1. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    is ispconfig being too strict about DMARC configuration?
    i have a client who is using office365/exchange for their email, they're using as mx servers, to receive and spam filter incoming mail in front of office365. they also have an aws setup, and are sending out mail from the same domain through amazon SES.
    i have office 365 and amazon SES correctly configured in their SPF record.

    they have someone they send mail to complaining that the mail sent to them through amazon SES is getting caught by their spam filtering, and pointing the finger at the lack of DKIM and DMARC records.
    my client is not yet ready/sure how to enable dkim in SES or office365, but wants dmarc set up using just SPF. so there is currently no dkim selector, no DKIM private key has been generated, there is no public key, and no DKIM dns record.
    which according to everything i can find online, should be perfectly fine. maybe not as effective, but certainly should be do-able.
    however i can't configure it in ispconfig.
    i'm setting the receiver policy as none, valid email addresses for aggregate data and forensic data reporting, selecting only 'generate report if spf failed' for forensic reporting options, and DKIM and SPF identifier alignments are both set to relaxed.
    but whenever i try to save these DMARC settings, the only response i get from ispconfig is 'no active DKIM record'.
    i should be able to create a dmarc record even without a dkim record.
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    I agree that it should be possible to create a DMARC record even when there is no DKIM record. Please create an issue at (Project ISPConfig 3), so we can label it as a feature request.
  3. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    ok. will do.
    is there any way to force it? maybe add the record directly to the database and resync? or will that still cause problems with any validation checks?

    i know i could add it directly to the zone file and rndc reload. not sure if ispconfig ever checks for a mismatch between the serial numbers in the database and the zone file, i don't want to cause any errors.
    i know this way, any change in the zone in the control panel (or a resync) will wipe out the dmarc record in the file, but the records on this domain don't change often, so as long as everyone knows and remembers..... :eek:
  4. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    You can add a TXT record through the interface with hostname
    and data
    v=DMARC1; p=none
    (or different data of course)

    When clicking the DMARC button, all that happens is open a visual editor for this TXT record. Same for SPF btw.
  5. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    really? dmarc requires SPF and DKIM.
  6. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

  7. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    brilliant. thanks, got it all done and tested with mxtoolbox, looks good.
    for the record, for anyone else that runs into the same problem, the data for policy none, report only on spf fails is:
    v=DMARC1; p=none; rua=mailto:<[email protected]>; ruf=mailto:<[email protected]>; fo=s
    replacing <[email protected]> with whatever mailbox you want the reports sent to (rua: aggregate reports, ruf: forensic reports)

    now just a case of waiting for them to work out how to add their own dkim selector/keys to office365/amazonSES, and then waiting a little bit longer for them to actually do it all wrong.... :rolleyes::p
    Jesse Norell likes this.
