What is a DMARC record and how do I create it on DNS server?

Command to verify the DNS record: dig _dmarc.saic.it any (querying the TXT type also works, and many public resolvers no longer answer ANY queries)


Email Security: What is a DMARC record and how to create it on a DNS server.


Before creating DMARC records it’s a good idea to test DKIM and SPF. A testing tool is available here: https://dmarcguide.globalcyberalliance.org/#/


Creating a DMARC record

Create the record
DMARC is designed to give receivers of email better judgement control based on the reputation of the sending domain. It gives the sending side a way to publish policies that improve effectiveness against spam and phishing, in effect building domain reputations, and it provides receivers with guidelines on how to handle messages that do not align with the policies the sending domain has published.
DMARC was aimed at:
  • Reducing false negatives
  • Providing authentication reporting
  • Applying sender policies at the receiving end
  • Reducing phishing
  • Being scalable
To get started with DMARC, the sending domain needs to have SPF and DKIM records published. Once those records are in place, you configure DMARC by adding a policy to your domain’s TXT records (the same way you published your SPF and DKIM records). The TXT record name should read something similar to “_dmarc.your_domain.com”; replace “your_domain.com” with your own domain.
Because DMARC policies are published as TXT records, the record itself tells an email receiver what to do with non-aligned mail it receives.

A DMARC record’s name when creating a TXT record is “_dmarc”, which forms a TXT record such as _dmarc.mydomain.com or _dmarc.mydomain.net, etc.

An external guide/wizard on creating DMARC records: https://dmarcguide.globalcyberalliance.org/#/dmarc/

“v=DMARC1;p=reject;pct=100;rua=mailto:[email protected]”
In this scenario, the sender’s policy tells the receiver to reject all non-aligned messages outright and to send a report about the rejections to the specified email address. If the sender were to use the “quarantine” setting in the policy, it would look like:
“v=DMARC1;p=quarantine;pct=100;rua=mailto:[email protected]”

and would request that the receiver quarantine the message. In the next example, if a message claims to be from your_domain.com and fails DMARC, no action is taken. Instead, these messages show up in your daily aggregate report, which is sent to the address in the rua tag:
“v=DMARC1; p=none; rua=mailto:[email protected]_domain.com”

Here is a sample where a message that fails DMARC is quarantined 5% of the time:
“v=DMARC1; p=quarantine; pct=5; rua=mailto:[email protected]_domain.com”

In this sample, the policy is set to reject the message 100% of the time and to send the daily report to the specified addresses at your_domain.com:
“v=DMARC1; p=reject; rua=mailto:[email protected]_domain.com, mailto:[email protected]_domain.com”
DMARC records follow the extensible “tag-value” syntax for DNS-based key records defined in DKIM. The following chart lists some of the available tags.
Common tags used in DMARC TXT records:

Tag    Required   Purpose                                   Sample
v      required   Protocol version                          v=DMARC1
p      required   Policy for the domain                     p=quarantine
pct    optional   % of messages subjected to filtering      pct=20
rua    optional   Reporting URI for aggregate reports       rua=mailto:[email protected]
sp     optional   Policy for subdomains of the domain       sp=r
aspf   optional   Alignment mode for SPF                    aspf=r

Only the v (version) and p (policy) tags are required. Three possible policy settings are available:

  • none – Take no action. Only log the affected messages in the daily report.
  • quarantine – Mark affected messages as spam.
  • reject – Cancel the message at the SMTP layer.  

Alignment mode determines how the domain in the message’s From header is compared with the domains validated by SPF and DKIM. There are two possible values, relaxed (“r”) or strict (“s”). Relaxed allows partial matches such as subdomains, while strict requires an exact match.
Be sure to include an email address with the optional rua tag to have the daily reports sent to that address.
Example report
The daily reports are sent in XML format. They tell you which source IP addresses have been sending mail on your domain’s behalf, which helps you determine which sources are valid and which are not, and so deploy your SPF and DKIM records more effectively.
Here is an example of a daily aggregate report. The evaluation result is shown along with the source IP addresses and the action taken.
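As an added example (not the page’s own report), a Python script that parses an aggregate report of this kind and summarises, per sending IP, how much mail was aligned or not and which disposition the receiver applied. The XML inside it is a constructed sample laid out as RFC 7489 describes, not a real report.

```python
# Added example: parse a DMARC aggregate report (XML layout per RFC 7489,
# Appendix C) and summarise, per source IP, how many messages were aligned,
# how many were not, and which disposition the receiver applied.
# SAMPLE_REPORT is a constructed sample, not a real report.
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>your_domain.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>quarantine</p><sp>quarantine</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>your_domain.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>15</count>
      <policy_evaluated><disposition>quarantine</disposition>
        <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>your_domain.com</header_from></identifiers>
  </record>
</feedback>"""

def parse_report(xml_text):
    """Return (domain, published policy, summary) where summary maps each
    source IP to aligned/unaligned message counts and the dispositions seen."""
    root = ET.fromstring(xml_text)
    published = root.find("policy_published")
    summary = defaultdict(lambda: {"aligned": 0, "unaligned": 0, "dispositions": set()})
    for record in root.findall("record"):
        row = record.find("row")
        evaluated = row.find("policy_evaluated")
        # dkim/spf here are the *aligned* results; DMARC passes if either passes
        passed = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        entry = summary[row.findtext("source_ip")]
        entry["aligned" if passed else "unaligned"] += int(row.findtext("count"))
        entry["dispositions"].add(evaluated.findtext("disposition"))
    return published.findtext("domain"), published.findtext("p"), dict(summary)

def unaligned_sources(summary):
    """IPs sending mail that failed DMARC: add them to SPF/DKIM if legitimate, else treat as spoofing."""
    return sorted(ip for ip, e in summary.items() if e["unaligned"])

if __name__ == "__main__":
    domain, policy, summary = parse_report(SAMPLE_REPORT)
    print(f"report for {domain}, published policy p={policy}")
    for ip, e in summary.items():
        print(f"{ip:>15}  aligned={e['aligned']:<5} unaligned={e['unaligned']:<5} "
              f"dispositions={sorted(e['dispositions'])}")
    print("sources to investigate:", unaligned_sources(summary))
```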
Here is an example of how to specify the optional size limit argument and set it to 10 MB.
“v=DMARC1; p=none; rua=mailto:[email protected]_domain.com!10m”
Deploy slowly 
The DMARC specification recognises that scaling out the deployment may be hard for some organisations to do all at once, so it provides several built-in methods for “throttling” DMARC processing so that full deployment can be done in increments over time.

  • First, monitor your traffic and reports. Assess where your vulnerabilities are (where messages are being delivered without being digitally signed, or are coming from invalid source IP addresses) and address them through your SPF and DKIM records.
  • As you monitor your daily aggregate reports and reach a point where you are comfortable with the results, you can change the action of your policy to quarantine. You do this by changing your DMARC TXT record to use the “quarantine” action. Continue to monitor your daily reports.
  • Once you have been monitoring your traffic and daily reports for some time, are comfortable with the sources seen sending on behalf of your domain, and all of them are digitally signed, you can take the next step and change the policy to “reject” to deploy DMARC in its entirety. Monitoring your reports and your spam feed is an essential part of maintaining DMARC accuracy.

Also worth noting, the optional pct tag can be used to sample your DMARC deployment in increments as well. Since 100% is the default, putting “pct=20” in your DMARC TXT record results in one-fifth of all messages affected by the policy actually receiving the disposition instead of all of them. This setting is especially useful once you elect to quarantine and reject mail: start with a low percentage and increase it every few days.
So a conservative deployment cycle would resemble:

  1. Monitor all.
  2. Quarantine 1%.
  3. Quarantine 5%.
  4. Quarantine 10%.
  5. Quarantine 25%.
  6. Quarantine 50%.
  7. Quarantine all.
  8. Reject 1%.
  9. Reject 5%.
  10. Reject 10%.
  11. Reject 25%.
  12. Reject 50%.
  13. Reject all.

When you are ready to complete the DMARC deployment, remove the percentages from your policies so that the full action of “quarantine” and “reject” is now functioning at 100%. As always, monitor your daily reports.
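An added example (not from the original page) that parses and validates a record in the tag-value syntax above, including the rua size limit, and applies the pct sampling rule from the deployment section: a failing message not selected by pct receives the next less strict policy (reject falls back to quarantine, quarantine to none). The report address is a constructed placeholder.

```python
# Added example: parse a DMARC TXT record in the tag-value syntax described
# above, validate the required v and p tags, pct and the rua size limit
# ("!10m"), and apply the pct sampling rule (RFC 7489 s.6.6.4: a failing
# message not selected by pct gets the next less strict policy).
# Addresses below are constructed placeholders.
import random
import re

POLICIES = ("none", "quarantine", "reject")
NEXT_LESS_STRICT = {"reject": "quarantine", "quarantine": "none", "none": "none"}
SIZE_UNITS = {"k": 1024, "m": 1024 ** 2, "g": 1024 ** 3, "t": 1024 ** 4}

def parse_report_uris(rua):
    """Turn 'mailto:a@x!10m, mailto:b@x' into [(address, size limit in bytes or None)]."""
    uris = []
    for uri in filter(None, (u.strip() for u in rua.split(","))):
        m = re.fullmatch(r"mailto:([^!,\s]+)(?:!(\d+)([kmgt])?)?", uri, re.I)
        if not m:
            raise ValueError(f"unsupported report URI: {uri!r}")
        unit = SIZE_UNITS.get((m.group(3) or "").lower(), 1)
        uris.append((m.group(1), int(m.group(2)) * unit if m.group(2) else None))
    return uris

def parse_dmarc(txt):
    """Split a record such as 'v=DMARC1; p=reject; pct=20' into a dict of tags,
    raising ValueError for records a receiver would treat as invalid."""
    tags = {}
    for part in filter(None, (p.strip() for p in txt.split(";"))):
        if "=" not in part:
            raise ValueError(f"tag without value: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in POLICIES:
        raise ValueError("p is required and must be none, quarantine or reject")
    if tags.get("sp", "none") not in POLICIES:
        raise ValueError("sp must be none, quarantine or reject")
    for mode in ("adkim", "aspf"):
        if tags.get(mode, "r") not in ("r", "s"):
            raise ValueError(f"{mode} must be r (relaxed) or s (strict)")
    tags["pct"] = int(tags.get("pct", "100"))
    if not 0 <= tags["pct"] <= 100:
        raise ValueError("pct must be between 0 and 100")
    tags["rua"] = parse_report_uris(tags.get("rua", ""))
    return tags

def effective_disposition(tags, rnd=random.random):
    """Disposition a receiver applies to one message that fails DMARC."""
    if rnd() * 100 < tags["pct"]:
        return tags["p"]
    return NEXT_LESS_STRICT[tags["p"]]

if __name__ == "__main__":
    record = parse_dmarc("v=DMARC1; p=quarantine; pct=5; rua=mailto:dmarc-reports@your_domain.com!10m")
    print(record)
    print("disposition for one failing message:", effective_disposition(record))
```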
Recap of DMARC deployment

  1. Deploy SPF and DKIM records for your domain.
  2. Confirm that all MTAs sending on behalf of the specified domain are aligning the appropriate identifiers.
  3. Publish a DMARC record with the “monitor” policy (p=none) and specify a rua value to receive daily aggregate reports.
  4. Assess vulnerabilities from the daily reports and adjust SPF and DKIM accordingly. Make changes to your mail streams as needed.
  5. Change the DMARC policy to “quarantine” and then eventually to “reject” as you see fit.

For further reference, you can go to:

How to check email addresses in an SQL query

A MySQL WHERE clause fragment that selects the rows whose email_address does not match the address pattern (i.e. finds malformed addresses). Inside the single-quoted string, \\'' yields \' for the regex and each \\. keeps the dot literal, because MySQL drops a backslash in front of a character that is not a recognised escape (in the default sql_mode):

and c.email_address NOT REGEXP '^[-a-z0-9~!$%^&*_=+}{\\''?]+(\\.[-a-z0-9~!$%^&*_=+}{\\''?]+)*@([a-z0-9_][-a-z0-9_]*(\\.[-a-z0-9_]+)*\\.(aero|arpa|biz|com|coop|edu|gov|info|int|mil|museum|name|net|org|pro|travel|mobi|[a-z][a-z])|([0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}))(:[0-9]{1,5})?$'

Installing and configuring an SSL certificate on Postfix/Dovecot mail server

From here ….thanks…

This guide describes the ways to enable the SSL/TLS encryption using a trusted SSL certificate for receiving secured incoming and outgoing connections on a Postfix-Dovecot server.

For testing purposes, a Comodo PositiveSSL certificate has been used; however, to secure your mail server you can purchase from us any certificate that meets your needs.

The testing was done on the following server stack:

  • Ubuntu 16.04
  • Postfix 3.1.0
  • Dovecot 2.2.22

If you do not yet have an issued (trusted) certificate for the hostname of your mail server, you need to purchase one, generate the CSR needed for activation and, once that is done, activate it.

If your certificate has already been issued, you can download it from your SSLs.com user account or from the fulfillment email that the Certificate Authority sent to the administrative contact address you chose during activation.

The first thing you need to do is upload and concatenate the certificate files on the server. Follow the steps below:

1. Upload the certificate file yourdomainname.crt to the server along with the CA bundle. Keep in mind that the CA bundle can be either a single file (example.ca-bundle) or separate files (COMODORSADomainValidationSecureServerCA.crt, COMODORSAAddTrustCA.crt and AddTrustExternalCARoot.crt, as in our case). Save the files as follows: the certificate and CA bundle files in the /etc/ssl/certs/ directory; the corresponding private key (example_com.key) in the /etc/ssl/private/ folder.

2. Combine the uploaded files into one using one of the commands below:

2.1. Create a file with the server certificate and CA chain:

  • cat /etc/ssl/certs/yourdomainname.crt /etc/ssl/certs/yourdomainname.ca-bundle >> /etc/ssl/certs/certificate.crt
  • cat /etc/ssl/certs/yourdomainname.crt /etc/ssl/certs/COMODORSADomainValidationSecureServerCA.crt /etc/ssl/certs/COMODORSAAddTrustCA.crt /etc/ssl/certs/AddTrustExternalCARoot.crt >> /etc/ssl/certs/certificate.crt

2.2. A single file with the combined certificate, CA chain and private key is also accepted by Postfix and Dovecot. One of the commands below creates it. Because this file contains the private key, restrict it like the key itself (owned by root, mode 600) even though it lives under /etc/ssl/certs/:

  • cat /etc/ssl/certs/yourdomainname.crt /etc/ssl/certs/yourdomainname.ca-bundle /etc/ssl/private/yourdomainname.key >> /etc/ssl/certs/certificate_and_key.crt
  • cat /etc/ssl/certs/yourdomainname.crt /etc/ssl/certs/COMODORSADomainValidationSecureServerCA.crt /etc/ssl/certs/COMODORSAAddTrustCA.crt /etc/ssl/certs/AddTrustExternalCARoot.crt /etc/ssl/private/yourdomainname.key >> /etc/ssl/certs/certificate_and_key.crt

To check the content of the new file, run cat /etc/ssl/certs/certificate.crt or cat /etc/ssl/certs/certificate_and_key.crt. Note that the commands above append (>>), so run the chosen one only once, or start from an empty file, so that each block appears exactly once and in order (server certificate first, then the chain).

Check that there are no stray whitespace characters between or inside the PEM-encoded certificate and key blocks in the output.

If you notice such spaces, they can be edited manually – open the file in a text editor like “vi” or “nano” and remove the odd elements.

The editing of Postfix and Dovecot configuration files to enable SSL/TLS on specific ports

Sending and receiving mail over the Internet involves a chain of endpoint and intermediary systems (mail server and client software) labelled, according to the function they perform, mail user agents (MUA), mail submission agents (MSA), mail transfer agents (MTA) and mail delivery agents (MDA). Normally an email passes through each of these parties, and a different transport protocol is used at each step: the submission protocol, Simple Mail Transfer Protocol (SMTP), Post Office Protocol (POP3) and Internet Message Access Protocol (IMAP).

The chart below shows which ports are used by each transport protocol.

Protocol     Usage           Plain text / encrypted session   Encrypted session only
POP3         Incoming mail   110                              995
IMAP         Incoming mail   143                              993
SMTP         Outgoing mail   25                               465
Submission   Outgoing mail   587                              -

The opportunistic TLS approach allows ports 25, 110, 143 and 587 to be used either in plain text (unencrypted) or in secure (encrypted) mode: the client issues the STARTTLS command inside an already established plain-text session to upgrade it to TLS.

Technically, ports 465, 993 and 995 work the way HTTP over SSL/TLS does: 1) the secure ports are separate from their “unsecured” counterparts; 2) data is exchanged only after an encrypted session has been established.

NOTE: Although port 465 is not listed as the SMTPS port in the official standards of IANA’s documentation, it is used to serve encrypted outgoing mail traffic by mail server administrators.

Both techniques are in use in the Internet mail system today. To secure your mail, it is best to install the SSL certificate on every mail port you plan to use.

The steps below will help you to install your SSL certificate for both mail ports: incoming and outgoing ones:

Port 25 (SMTP with STARTTLS)

  1. Open the file named main.cf (the Postfix configuration file) for editing. You can usually find it in the /etc/postfix/ directory.
  2. Locate the TLS parameters section in main.cf and change the values of the relevant directives. See the example below:
  • if  you save the certificate and private key in separate files:



  • if  you save the certificate and private key in a single file:
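An added example of the TLS directives in /etc/postfix/main.cf for both layouts (not the page’s own configuration), using the file names created in step 2 above:

```conf
# Layout A: certificate (with CA chain) and private key in separate files
smtpd_tls_cert_file = /etc/ssl/certs/certificate.crt
smtpd_tls_key_file = /etc/ssl/private/yourdomainname.key

# Layout B: one combined file; point both directives at it and keep it
# root-readable only, because it contains the private key
# smtpd_tls_cert_file = /etc/ssl/certs/certificate_and_key.crt
# smtpd_tls_key_file = /etc/ssl/certs/certificate_and_key.crt

# Offer STARTTLS on port 25 ("may" = opportunistic). When set, this
# directive takes precedence over the older smtpd_use_tls switch.
smtpd_tls_security_level = may
```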



NB: make sure that the smtpd_use_tls directive is set to yes:

smtpd_use_tls = yes


Once done, close the main.cf file and save the changes you made.


Ports 587 (Submission with STARTTLS) and 465 (SMTPS)

  1. Locate Postfix’s master.cf file in the /etc/postfix/ directory and open it;
  2. Once it is open, uncomment (or edit if needed) the following lines:
  • to open and protect port 587:

submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes

(The stock master.cf sets smtpd_tls_security_level=encrypt on the submission service so that clients must negotiate TLS before authenticating; with may, STARTTLS is only offered, and a client may still send its credentials in the clear.)

  • to open and protect port 465:

smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes

Now you can close this file.


Ports 110 (POP3 with STARTTLS), 143 (IMAP with STARTTLS), 993 (IMAPS) and 995 (POP3S)

If you need to install an SSL certificate for Dovecot, it is essential to follow the next steps:

  • Open the file named 10-ssl.conf. This file can be usually located in the /etc/dovecot/conf.d/ directory.
  • Edit the following lines:


  • if you save the certificate and private key in separate files:

ssl_cert = </etc/ssl/certs/certificate.crt

ssl_key = </etc/ssl/private/yourdomainname.key

  • if you save the certificate and private key in a single file (the certificate_and_key.crt created in step 2.2):

ssl_cert = </etc/ssl/certs/certificate_and_key.crt

ssl_key = </etc/ssl/certs/certificate_and_key.crt

Make sure that the ssl directive is set to yes:

ssl = yes

When the changes are made, close the 10-ssl.conf file.


If the steps mentioned above are made, the SSL certificate is installed for all incoming ports now.


Please note that if you have the Dovecot version 1.x, the directives for SSL certificates in configuration files may slightly differ:

  • it is necessary to check whether /etc/dovecot/dovecot.conf has the following line:

protocols = imap pop3 imaps pop3s

  • edit the /etc/dovecot/conf.d/10-ssl.conf file in the following way:

ssl_disable = no


– if  you save the certificate and private key in separate files:

ssl_cert_file = </etc/ssl/certs/certificate.crt

ssl_key_file = </etc/ssl/private/yourdomainname.key


– if  you save the certificate and private key in a single file:

ssl_cert_file = </etc/ssl/certs/certificate_and_key.crt

ssl_key_file = </etc/ssl/certs/certificate_and_key.crt


Useful tips:

Below you can find information on some additional settings that can be useful when setting up your mail server’s SSL/TLS handling. For further information, refer to the official Postfix and Dovecot documentation on this matter as well.

A Postfix port can be run in “wrapper” mode with the smtpd_tls_wrappermode directive. Instead of advertising STARTTLS and waiting for the remote client to request it, this option makes the connection encrypted from the very beginning. For instance, the following service entry should be added to /etc/postfix/master.cf:

smtps inet n     -     n     -     -     smtpd
  -o smtpd_tls_wrappermode=yes

On Dovecot, the ssl directive can be set to required (ssl = required), which forces an SSL/TLS handshake before login.

In that case the password is always sent over an encrypted connection, whereas with ssl = yes email clients are not required to use SSL/TLS first, and both plaintext and non-plaintext authentication mechanisms can be used over an unencrypted connection.

To switch off plaintext authentication mechanisms on unencrypted connections, use the disable_plaintext_auth directive in /etc/dovecot/conf.d/10-auth.conf:

disable_plaintext_auth = yes


The following directives on Dovecot (/etc/dovecot/dovecot.conf) can be used to eliminate ciphers that are better not used because of their low encryption strength (the cipher list shown is the Dovecot 2.2 default; newer Dovecot releases ship a stricter default list, so do not copy this value into a newer version):

ssl_dh_parameters_length = 2048

ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL

To exclude certain ciphers or protocols for opportunistic (STARTTLS) or mandatory (regular SSL) encryption, use the following directives in /etc/postfix/main.cf and assign the corresponding values to them (for example !SSLv2, !SSLv3 to refuse the old SSL versions):

– for mandatory TLS

smtpd_tls_mandatory_exclude_ciphers = [cipher]

smtpd_tls_mandatory_protocols = ![protocol]

– for opportunistic TLS

smtpd_tls_exclude_ciphers = [cipher]

smtpd_tls_protocols = ![protocol]


To make the server-side cipher preference take priority over the client’s, these directives can be used:

– on Dovecot (/etc/dovecot/conf.d/10-ssl.conf)

ssl_prefer_server_ciphers = yes

– on Postfix (/etc/postfix/main.cf)

tls_preempt_cipherlist = yes


How to check SSL installation



The OpenSSL toolkit helps to check the SSL certificate installation on a server both remotely and locally.

In order to check STARTTLS ports, the following command should be run. Replace [port] with the port number and [protocol] with smtp, pop3 or imap value:

openssl s_client -connect example.com:[port] -servername example.com -starttls [protocol]

To check the non-STARTTLS (wrapper mode) ports, use the following command:

openssl s_client -connect example.com:[port] -servername example.com

In either case, look for “Verify return code: 0 (ok)” at the end of the output; a missing intermediate certificate in certificate.crt typically shows up as “unable to get local issuer certificate”.
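The same checks in Python, as an added example that is not part of the original page: it walks every port in the port table above, negotiates STARTTLS or wrapper-mode TLS as appropriate with full chain and hostname verification, and reports the days left on the certificate. mail.example.com is a placeholder hostname.

```python
# Added example: connect to each mail port from the port table, upgrade with
# STARTTLS or use wrapper-mode TLS, and report the certificate's remaining
# lifetime. ssl.create_default_context() verifies the chain against the system
# CA store and the hostname, so an incomplete chain or a name mismatch surfaces
# as an error. "mail.example.com" is a placeholder.
import datetime
import imaplib
import poplib
import smtplib
import ssl

# (port, protocol, starttls?): 465, 993 and 995 are wrapper mode (no STARTTLS)
MAIL_PORTS = [(25, "smtp", True), (587, "smtp", True), (465, "smtp", False),
              (110, "pop3", True), (995, "pop3", False),
              (143, "imap", True), (993, "imap", False)]

def cert_days_left(cert, now=None):
    """Days until notAfter, for a dict as returned by SSLSocket.getpeercert()."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    expiry = datetime.datetime.strptime(cert["notAfter"], "%b %d %H:%M:%S %Y %Z")
    return (expiry.replace(tzinfo=datetime.timezone.utc) - now).days

def fetch_cert(hostname, port, protocol, starttls, timeout=10):
    """Open the session (STARTTLS upgrade or wrapper mode) and return the peer certificate."""
    ctx = ssl.create_default_context()
    if protocol == "smtp":
        c = (smtplib.SMTP(hostname, port, timeout=timeout) if starttls
             else smtplib.SMTP_SSL(hostname, port, timeout=timeout, context=ctx))
        if starttls:
            c.starttls(context=ctx)
    elif protocol == "imap":
        c = (imaplib.IMAP4(hostname, port, timeout=timeout) if starttls
             else imaplib.IMAP4_SSL(hostname, port, ssl_context=ctx, timeout=timeout))
        if starttls:
            c.starttls(ssl_context=ctx)
    else:
        c = (poplib.POP3(hostname, port, timeout=timeout) if starttls
             else poplib.POP3_SSL(hostname, port, timeout=timeout, context=ctx))
        if starttls:
            c.stls(context=ctx)
    cert = c.sock.getpeercert()
    (c.logout if protocol == "imap" else c.quit)()
    return cert

def check_all(hostname):
    """Map each port to 'ok (N days left)' or the verification/connection error."""
    results = {}
    for port, protocol, starttls in MAIL_PORTS:
        try:
            cert = fetch_cert(hostname, port, protocol, starttls)
            results[port] = f"ok ({cert_days_left(cert)} days left)"
        except (OSError, smtplib.SMTPException, imaplib.IMAP4.error, poplib.error_proto) as e:
            results[port] = f"error: {e}"
    return results

if __name__ == "__main__":
    for port, status in check_all("mail.example.com").items():
        print(f"{port:>4}: {status}")
```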



How to check your secure connection


In order to check your mail server connectivity over SSL/TLS, the online checkers listed below can be used.

You need to specify the server hostname and port number or an existing email account and run the test.


How to update Roundcube

I followed this link

I created a backup database copy and I untarred the files from roundcube.net. I created a parallel virtualhost like webmailtest.yourdomain.it.

Upload the new files

Use your favorite FTP/SFTP/SCP program to upload the updated files, which are:

  • ./bin/*
  • ./SQL/*
  • ./program/*
  • ./installer/*
  • ./vendor/*

Upload plugins/* and skins/* from the release package but don’t replace the entire skins and plugins folders! You might have added other skins and plugins to those directories which you want to keep.

Also copy the default config file and the mimetypes mapping:

  • config/defaults.inc.php
  • config/mimetypes.php

Run the installer

Edit your Roundcube config (config/config.inc.php, or config/main.inc.php for versions < 1.0) and set 'enable_installer' to true. Then open http://<url-to-roundcube>/installer/ in your web browser and click “3. Test config”.

Follow the instructions on the screen to update your local config and the database schema.

When you’re done and all the lights are green in the installer, edit your Roundcube config file again and set 'enable_installer' to false if it’s still present. To seal your installation, you should also remove the installer directory from the webserver.