From 2c8de18a80a603e4f0ef4d9ed167a74e5d22f040 Mon Sep 17 00:00:00 2001
From: Aaron LI
Date: Thu, 22 Mar 2018 16:17:11 +0800
Subject: dns/zones: improve dmarc record

---
 group_vars/all/vars.yml | 17 ++++++++++++-----
 roles/dns/templates/zones/aaronly.me.zone.j2 | 9 ++++++++-
 roles/dns/templates/zones/liwt.net.zone.j2 | 9 ++++++++-
 3 files changed, 28 insertions(+), 7 deletions(-)

diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index 5c45138..948bdbf 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -103,15 +103,22 @@ mail:
 bits: 2048
 port: 8901
 dmarc:
- p: none # policy for the domain
- sp: none # policy for subdomains of this domain
- aspf: r # alignment mode for SPF (r: relaxed; s: strict)
- pct: 100 # percent of messages subjected to filtering
- # reporting URI of aggregate reports
+ p: none # policy for the domain
+ sp: none # policy for subdomains of this domain
+ pct: 100 # percent of messages subjected to filtering
+ adkim: r # alignment mode for DKIM (r: relaxed; s: strict)
+ aspf: r # alignment mode for SPF (r: relaxed; s: strict)
+ fo: 1 # Forensic options
+ # (0: DKIM & SPF fail; 1: DKIM / SPF fail;
+ # d: DKIM fail; s: SPF fail)
+ # Aggregate reports URI email (required)
 # Free DMARC weekly digests by https://dmarc.postmarkapp.com/
 rua:
 liwt.net: re+yis1v8izxn0@dmarc.postmarkapp.com
 aaronly.me: re+f6lpmirefcg@dmarc.postmarkapp.com
+ # Forensic reports URI email (optional)
+ ruf:
+ liwt.net: abuse@liwt.net
 # To avoid trashing by GMail
 google-site-verification:
 liwt.net: n-dVRtkDeJ8k4BuSphkV-GVso0zJJWO-Z6GYoz6ayOQ
diff --git a/roles/dns/templates/zones/aaronly.me.zone.j2 b/roles/dns/templates/zones/aaronly.me.zone.j2
index da4814e..4a25d00 100644
--- a/roles/dns/templates/zones/aaronly.me.zone.j2
+++ b/roles/dns/templates/zones/aaronly.me.zone.j2
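Review bot: The new `fo: 1` is a domain-wide option while `ruf` is per-domain, so for aaronly.me (which has no `ruf` entry) the tag is published but can never produce a report, since receivers only send failure reports when a `ruf` destination is given. A comment next to `fo` would make that dependency visible, e.g. `# fo only has an effect for domains that also have a ruf entry below`. The `ruf` destination `abuse@liwt.net` will receive failure reports that may carry the headers and body of the rejected message, including third-party mail content, so that mailbox should be treated as sensitive; a line such as `# ruf reports can contain full copies of failing messages; keep this mailbox restricted` records that for the next maintainer. The `p: none` / `sp: none` pair stays in monitor-only mode, which the commit does not change.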
@@ -38,7 +38,14 @@ mail IN CNAME mail.{{ network.domain }}.
 {% endif %}
 @ IN TXT "v=spf1 mx -all"
 @ IN TXT "google-site-verification={{ mail['google-site-verification'][domain] }}"
-_dmarc IN TXT "v=DMARC1; p={{ mail.dmarc.p }}; sp={{ mail.dmarc.sp }}; pct={{ mail.dmarc.pct }}; aspf={{ mail.dmarc.aspf }}; rua=mailto:{{ mail.dmarc.rua[domain] }};"
+{% set ruatxt = "rua=mailto:" + mail.dmarc.rua[domain] + ";" %}
+{% set ruf = mail.dmarc.ruf | default({}) %}
+{% if ruf[domain] is defined %}
+{% set ruftxt = "ruf=mailto:" + ruf[domain] + ";" %}
+{% else %}
+{% set ruftxt = "" %}
+{% endif %}
+_dmarc IN TXT "v=DMARC1; p={{ mail.dmarc.p }}; sp={{ mail.dmarc.sp }}; pct={{ mail.dmarc.pct }}; adkim={{ mail.dmarc.adkim }}; aspf={{ mail.dmarc.aspf }}; fo={{ mail.dmarc.fo }}; {{ ruatxt }} {{ ruftxt }}"
 {% if domain_key is defined %}
 {{ domain_key | dkim_record(selector=mail.dkim.selector) | join("\n") }}
 {% endif %}
diff --git a/roles/dns/templates/zones/liwt.net.zone.j2 b/roles/dns/templates/zones/liwt.net.zone.j2
index bbd7d14..03459ee 100644
--- a/roles/dns/templates/zones/liwt.net.zone.j2
+++ b/roles/dns/templates/zones/liwt.net.zone.j2
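Review bot: When a domain has no `ruf` entry, `ruftxt` is empty and the new `_dmarc` line renders `{{ ruatxt }} {{ ruftxt }}` with a trailing space inside the TXT string (`...; rua=mailto:...; "`); DMARC parsers accept whitespace around `;`, but the stray byte is confusing when the record is inspected by hand or diffed against what the resolver returns. Moving the separator into the optional part removes it: `{% set ruftxt = " ruf=mailto:" + ruf[domain] + ";" %}` and `...fo={{ mail.dmarc.fo }}; {{ ruatxt }}{{ ruftxt }}"`. The same eight lines are repeated verbatim in the liwt.net.zone.j2 hunk below, so the two zones will drift unless the record string is built once (a shared macro, or a precomputed value in group_vars). One caveat for future `ruf` entries: a failure-report address in a domain other than the zone's own is only honoured by receivers when that destination publishes the DMARC external-destination verification record, so in-domain addresses like the current one are the safe default.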
@@ -46,7 +46,14 @@ mail IN AAAA {{ network.ipv6.address }}
 {% endif %}
 @ IN TXT "v=spf1 mx -all"
 @ IN TXT "google-site-verification={{ mail['google-site-verification'][domain] }}"
-_dmarc IN TXT "v=DMARC1; p={{ mail.dmarc.p }}; sp={{ mail.dmarc.sp }}; pct={{ mail.dmarc.pct }}; aspf={{ mail.dmarc.aspf }}; rua=mailto:{{ mail.dmarc.rua[domain] }};"
+{% set ruatxt = "rua=mailto:" + mail.dmarc.rua[domain] + ";" %}
+{% set ruf = mail.dmarc.ruf | default({}) %}
+{% if ruf[domain] is defined %}
+{% set ruftxt = "ruf=mailto:" + ruf[domain] + ";" %}
+{% else %}
+{% set ruftxt = "" %}
+{% endif %}
+_dmarc IN TXT "v=DMARC1; p={{ mail.dmarc.p }}; sp={{ mail.dmarc.sp }}; pct={{ mail.dmarc.pct }}; adkim={{ mail.dmarc.adkim }}; aspf={{ mail.dmarc.aspf }}; fo={{ mail.dmarc.fo }}; {{ ruatxt }} {{ ruftxt }}"
 {% if domain_key is defined %}
 {{ domain_key | dkim_record(selector=mail.dkim.selector) | join("\n") }}
 {% endif %}
--
cgit v1.2.2