Hi all, sorry, Real Life has been a bit 'whelming for a while.
If I may, I’d like to chime in with a few simple insights – hopefully helpful – into DMARC, ARC, etc.
How is ARC helpful?
The primary purpose from where I sit is NOT getting the receiving server to trust forwarded emails. Not quite.
- Primarily it allows my server to forward directly to Google etc, and (correctly) say “I am certifying this email did NOT originate with me. Here are the headers as I received them.”
- Result: my server is not blamed if spam gets forwarded to Google.
- This really doesn’t require that Google trusts my server very much.
Note that the above is NOT me certifying the email is good, at all!
Note too: it still helps a lot if I’m able to discard most spam. Even with ARC implemented, Google tends to get upset if too much spam is forwarded to gmail accounts.
How is DMARC helpful?
DMARC empowers savvy email servers to reject massive amounts of spam.
Here’s the setup for a real world example.
I (accidentally) created one of the oldest domain names in the world (octopus.com) – sold that one, but still own a very old domain with interesting properties:
- ds.org is only used by us for infrastructure.
- That domain is never the named source or recipient of valid email (i.e. never from/to who@ds.org etc.). Yes, required exceptions are OK, e.g. postmaster and root.
- Our servers typically are in that domain. aster.ds.org is our (Virtualmin) email server.
A brief history:
- For decades, our emails blissfully were sent and received. No visible issues.
- Spam became a Thing. We implemented SPF, then DKIM. Incoming spam reduced.
- Then our email server began to be blocked, marked by some major providers as a spam source??!!?? Impossible, I thought! We hardly send any email at all! And we never send any email as ds.org! Our email server, aster.ds.org, was being blamed anyway.
- So, we implemented DMARC, including basic reporting. (At the time, dmarcian.com was free for small users. I’d love to have basic DMARC reporting inside Virtualmin at some point. AFAIK there are some pretty good open source solutions. I just don’t have time to investigate right now.)
Suddenly, everything became clear:
- Due to DMARC reporting, a variety of email servers around the world started giving us data on emails they were rejecting, attributed to our ds.org domain.
- Turns out, spammers in eastern Europe and Asia (mostly mainland China) were sending 1-2000 spams a day faking our domain name. Or subdomains: somebody@subdomain.ds.org
- With DMARC instructions in place (“please reject and report all such emails”), our domain name again became ‘clean.’ Whew!
- Importantly, unlike SPF, DMARC allows control over ALL subdomains, without specifying any particular subdomain. That’s crucial, since of course it’s impossible to define all possible subdomains.
BTW, thanks for the pointer to the FastMail implementation. I’m running OpenARC, which is not exactly robust.
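A small Python sketch of the DMARC evaluation the post describes, with a p= policy plus sp= covering every subdomain, as an added example that is not from the original post nor from Virtualmin, OpenARC or dmarcian; the record, the report address and the organizational-domain shortcut are assumptions made for illustration.

```python
"""Minimal DMARC policy evaluator (added example, not from the post)."""

# Constructed record modelled on the ds.org setup described above: reject at the
# organizational domain, reject for every subdomain (sp=), reports to a placeholder.
DS_ORG_RECORD = ("v=DMARC1; p=reject; sp=reject; adkim=r; aspf=r; "
                 "rua=mailto:dmarc-reports@example.invalid")


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a dict of tag -> value."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def org_domain(domain):
    """Assumption: last two labels form the organizational domain.
    Real implementations consult the Public Suffix List instead."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Alignment: 's' needs an exact match, 'r' accepts the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(from_domain, record, spf_pass_domain=None, dkim_pass_domain=None):
    """Return 'pass', or the disposition (none/quarantine/reject) to apply.

    `record` is assumed to be the organizational domain's DMARC record, so a
    subdomain in From: falls under sp= when present, otherwise under p=.
    """
    tags = parse_dmarc(record)
    if spf_pass_domain and aligned(from_domain, spf_pass_domain, tags.get("aspf", "r")):
        return "pass"
    if dkim_pass_domain and aligned(from_domain, dkim_pass_domain, tags.get("adkim", "r")):
        return "pass"
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    if is_subdomain and "sp" in tags:
        return tags["sp"]
    return tags.get("p", "none")
```

Without sp=, a forged somebody@anything.ds.org would only inherit p=, so setting sp= is what lets one record cover subdomains that were never defined.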