From Halon, SMTP software for hosting providers
Revision as of 12:14, 11 December 2018 by Fredrik (talk | contribs) (Conditional signing)
Jump to: navigation, search

The Halon platform features DMARC (Domain-based Message Authentication, Reporting and Conformance); the first widely deployed technology that can make the "From" header (what users see as the sender address in their e-mail clients) trustworthy.


Building upon our DKIM library, we were one of the first e-mail gateway products to incorporate DMARC validation. All users should consider adding the "Verify sender" block to their inbound DATA flow. That's really that simple, and it will block messages with From header addresses that fakes DMARC-protected domains such as "" and "". DMARC is already widely deployed by domains that are being abused by scammers, and more companies join in every day.

Sending reports

If you do DMARC validation, you're encouraged to contribute by sending aggregated DMARC reports to whom are interested in receiving them. We recommend using OpenDMARC's reporting tools, which can be integrated with your Halon e-mail security system using our import script. On your Halon system; enable syslog to a remote server, install OpenDMARC and our tool on that server, and schedule them to run daily using for example a logrotate script such as

/var/log/halon.log {
               reload rsyslog >/dev/null 2>&1
               opendmarc-halonlog < /var/log/halon.log.1 | opendmarc-import

Signing and receiving reports

DMARC is based on DKIM and SPF, in order to reuse as much existing infrastructure and configuration as possible. If you feel that your domain could be used by scammers, the process of start using DMARC signing is

  1. Enable SPF, which could be as simple as the TXT record v=spf1 +mx -all (but don't take my word for it)
    1. Because bounces typically don't have DKIM signatures or a envelope from address, consider adding SPF to your mail server's HELO name as well
  2. Enable DKIM signing for outbound messages
  3. Enable DMARC testing; a TXT record named _dmarc such as v=DMARC1; p=none; rua=mailto:[email protected] which allows you to see how many DMARC rejects you produce
  4. If you're satisfied with the reports of your testing DMARC, change p=none to p=reject

There are third-party tools that analyses the XML reports you receive, such as

Conditional signing

If you do conditional signing and want to ensure that messages are signed with the correct DKIM domain, it can be done based on the From header, rather than the envelope sender ($senderdomain). This also allows bounces (with empty envelope sender) to be signed.

$fromDomain explode("@"GetAddressList(GetHeader("From"))[0])[1];
if (
DKIMSign($selector$fromDomain, ...); 

Please note that both headers and envelope from ($senderdomain) can be spoofed by the sender. In a hosted environment you probably want to enforce the DKIM key signing based on a trusted variable such as $saslusername. The example below illustrates how a system that uses external API calls to fetch DKIM keys from a database uses the SASL username as a parameter.

$fromDomain explode("@"GetAddressList(GetHeader("From"))[0])[1];
$dkim api_call("?type=dkim&user=$1&domain=$2", [$saslusername$senderdomain]);
if (
DKIMSign($dkim["selector"], $dkim["domain"], $dkim["rsakey"]);