authorAaron LI <aly@aaronly.me>2018-03-22 16:17:11 +0800
committerAaron LI <aly@aaronly.me>2018-03-22 16:17:11 +0800
commit2c8de18a80a603e4f0ef4d9ed167a74e5d22f040 (patch)
tree9122745f10f544b1a18f7344730dc5d27d91b544
parentbb0fe8567f021c03df938887ac3dffc461026501 (diff)
downloadansible-dfly-vps-2c8de18a80a603e4f0ef4d9ed167a74e5d22f040.tar.bz2
dns/zones: improve dmarc record
-rw-r--r--group_vars/all/vars.yml17
-rw-r--r--roles/dns/templates/zones/aaronly.me.zone.j29
-rw-r--r--roles/dns/templates/zones/liwt.net.zone.j29
3 files changed, 28 insertions, 7 deletions
diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index 5c45138..948bdbf 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -103,15 +103,22 @@ mail:
bits: 2048
port: 8901
dmarc:
- p: none # policy for the domain
- sp: none # policy for subdomains of this domain
- aspf: r # alignment mode for SPF (r: relaxed; s: strict)
- pct: 100 # percent of messages subjected to filtering
- # reporting URI of aggregate reports
+ p: none # policy for the domain
+ sp: none # policy for subdomains of this domain
+ pct: 100 # percent of messages subjected to filtering
+ adkim: r # alignment mode for DKIM (r: relaxed; s: strict)
+ aspf: r # alignment mode for SPF (r: relaxed; s: strict)
+ fo: 1 # Forensic options
+ # (0: DKIM & SPF fail; 1: DKIM / SPF fail;
+ # d: DKIM fail; s: SPF fail)
+ # Aggregate reports URI email (required)
# Free DMARC weekly digests by https://dmarc.postmarkapp.com/
rua:
liwt.net: re+yis1v8izxn0@dmarc.postmarkapp.com
aaronly.me: re+f6lpmirefcg@dmarc.postmarkapp.com
+ # Forensic reports URI email (optional)
+ ruf:
+ liwt.net: abuse@liwt.net
# To avoid trashing by GMail
google-site-verification:
liwt.net: n-dVRtkDeJ8k4BuSphkV-GVso0zJJWO-Z6GYoz6ayOQ
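Review bot: The new `ruf` entry together with `fo: 1` asks receivers to send a failure report whenever either DKIM or SPF fails, and such reports can carry headers or content of the failing message, so `abuse@liwt.net` ends up holding third-party mail data. I would route them to a dedicated, access-restricted mailbox, or at least document it above `ruf:`, e.g. `# Failure reports may include message headers/bodies; restrict access to this mailbox`. Separately, `p` and `sp` remain `none`, so the record still only monitors and does not ask receivers to quarantine or reject spoofed mail; a comment such as `# monitoring only; move to quarantine/reject once aggregate reports are clean` would record the intent. The `mail:` mapping starts outside this hunk.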
diff --git a/roles/dns/templates/zones/aaronly.me.zone.j2 b/roles/dns/templates/zones/aaronly.me.zone.j2
index da4814e..4a25d00 100644
--- a/roles/dns/templates/zones/aaronly.me.zone.j2
+++ b/roles/dns/templates/zones/aaronly.me.zone.j2
@@ -38,7 +38,14 @@ mail IN CNAME mail.{{ network.domain }}.
{% endif %}
@ IN TXT "v=spf1 mx -all"
@ IN TXT "google-site-verification={{ mail['google-site-verification'][domain] }}"
-_dmarc IN TXT "v=DMARC1; p={{ mail.dmarc.p }}; sp={{ mail.dmarc.sp }}; pct={{ mail.dmarc.pct }}; aspf={{ mail.dmarc.aspf }}; rua=mailto:{{ mail.dmarc.rua[domain] }};"
+{% set ruatxt = "rua=mailto:" + mail.dmarc.rua[domain] + ";" %}
+{% set ruf = mail.dmarc.ruf | default({}) %}
+{% if ruf[domain] is defined %}
+{% set ruftxt = "ruf=mailto:" + ruf[domain] + ";" %}
+{% else %}
+{% set ruftxt = "" %}
+{% endif %}
+_dmarc IN TXT "v=DMARC1; p={{ mail.dmarc.p }}; sp={{ mail.dmarc.sp }}; pct={{ mail.dmarc.pct }}; adkim={{ mail.dmarc.adkim }}; aspf={{ mail.dmarc.aspf }}; fo={{ mail.dmarc.fo }}; {{ ruatxt }} {{ ruftxt }}"
{% if domain_key is defined %}
{{ domain_key | dkim_record(selector=mail.dkim.selector) | join("\n") }}
{% endif %}
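Review bot: When `mail.dmarc.ruf` has no entry for the domain, `{{ ruatxt }} {{ ruftxt }}` on the `_dmarc` line leaves a trailing space inside the quoted TXT string, and going by the vars.yml hunk that is always the case for aaronly.me. Receivers should tolerate it, but the published record is cleaner if the separator travels with the optional tag: `{% set ruftxt = " ruf=mailto:" + ruf[domain] + ";" %}` and `{{ ruatxt }}{{ ruftxt }}`. The same eight added lines are repeated verbatim in the liwt.net.zone.j2 hunk; moving them into a shared include or macro would keep the two zones from drifting apart. The template continues outside the hunk.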
diff --git a/roles/dns/templates/zones/liwt.net.zone.j2 b/roles/dns/templates/zones/liwt.net.zone.j2
index bbd7d14..03459ee 100644
--- a/roles/dns/templates/zones/liwt.net.zone.j2
+++ b/roles/dns/templates/zones/liwt.net.zone.j2
@@ -46,7 +46,14 @@ mail IN AAAA {{ network.ipv6.address }}
{% endif %}
@ IN TXT "v=spf1 mx -all"
@ IN TXT "google-site-verification={{ mail['google-site-verification'][domain] }}"
-_dmarc IN TXT "v=DMARC1; p={{ mail.dmarc.p }}; sp={{ mail.dmarc.sp }}; pct={{ mail.dmarc.pct }}; aspf={{ mail.dmarc.aspf }}; rua=mailto:{{ mail.dmarc.rua[domain] }};"
+{% set ruatxt = "rua=mailto:" + mail.dmarc.rua[domain] + ";" %}
+{% set ruf = mail.dmarc.ruf | default({}) %}
+{% if ruf[domain] is defined %}
+{% set ruftxt = "ruf=mailto:" + ruf[domain] + ";" %}
+{% else %}
+{% set ruftxt = "" %}
+{% endif %}
+_dmarc IN TXT "v=DMARC1; p={{ mail.dmarc.p }}; sp={{ mail.dmarc.sp }}; pct={{ mail.dmarc.pct }}; adkim={{ mail.dmarc.adkim }}; aspf={{ mail.dmarc.aspf }}; fo={{ mail.dmarc.fo }}; {{ ruatxt }} {{ ruftxt }}"
{% if domain_key is defined %}
{{ domain_key | dkim_record(selector=mail.dkim.selector) | join("\n") }}
{% endif %}