DMARC with Postfix on Debian stretch

This installation guide is an addition to the DKIM and Postfix article. It describes how to get incoming messages checked for DKIM.

opendmarc configuration

Install the opendmarc package, which contains the milter for Postfix. Edit the /etc/opendmarc.conf file and add the following configuration (I disabled failure reports on my host):

FailureReports false
IgnoreHosts /etc/opendmarc/hosts.ignore

The IgnoreHosts setting points to a file listing the hosts whose messages are exempt from checking. My /etc/opendmarc/hosts.ignore file contains the following addresses, so outgoing messages are not tagged:

127.0.0.0/8
::1/128
localhost

On Debian stretch the socket is specified directly in the systemd service file. Change the socket location in the ExecStart line in the opendmarc.service file to /var/spool/postfix/opendmarc/opendmarc.sock.

This can be done by creating a systemd override file with the edit option of the systemctl command:

systemctl edit opendmarc.service

This will create an empty file /etc/systemd/system/opendmarc.service.d/override.conf and open it in an editor. Insert the following lines and save the file.

[Service]
# with an override you must "clear" the ExecStart first.
ExecStart=
ExecStart=/usr/sbin/opendmarc -p local:/var/spool/postfix/opendmarc/opendmarc.sock -u opendmarc -P /var/run/opendmarc/opendmarc.pid

Alternatively, use systemctl edit --full opendmarc.service to create a copy of the opendmarc.service file and edit it directly. Change the ExecStart line as in the example above.

Postfix configuration

If you are already using milters (like a DKIM one) then all that is left to do is to add the opendmarc socket to the milter list:

smtpd_milters = unix:/spamass/spamass.sock, unix:/opendkim/opendkim.sock, unix:/opendmarc/opendmarc.sock
non_smtpd_milters = unix:/spamass/spamass.sock, unix:/opendkim/opendkim.sock, unix:/opendmarc/opendmarc.sock

Restart the opendmarc and postfix services and you should start seeing tags like these in the header section of incoming mails:

Authentication-Results: mx.example.com; dmarc=pass (p=none dis=none) header.from=gmail.com
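
To check these tags in a script, the following Python example (added here, not part of the original guide or of opendmarc) parses the Authentication-Results header shown above and accepts only results whose authserv-id is your own host, because a message can arrive with such a header already in it. The sample message, the function name dmarc_results and the host mail.sender.invalid are constructed for illustration.

```python
import email
import re
from email import policy

# Constructed sample message (not from the original page). The second
# Authentication-Results header stands for one that arrived with the message.
SAMPLE = """\
Authentication-Results: mx.example.com;
\tdmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: mail.sender.invalid; dmarc=pass header.from=bank.example
From: someone@gmail.com
Subject: test

body
"""

RESULT_RE = re.compile(
    r"\bdmarc=(?P<result>\w+)"                  # pass, fail, none, temperror ...
    r"(?:\s*\((?P<comment>[^)]*)\))?"           # optional "(p=... dis=...)"
    r"(?:\s+header\.from=(?P<domain>[^\s;]+))?"
)

def dmarc_results(raw_message, trusted_authserv_id):
    """Return DMARC results stamped by our own milter, ignoring other hosts."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []
    for value in msg.get_all("Authentication-Results", []):
        value = " ".join(str(value).split())    # unfold continuation lines
        authserv_id, _, rest = value.partition(";")
        ident = authserv_id.split()             # id may be followed by a version
        if not ident or ident[0].lower() != trusted_authserv_id.lower():
            continue                            # not written by our MX
        m = RESULT_RE.search(rest)
        if not m:
            continue
        # The comment carries the published policy (p=) and disposition (dis=).
        tags = dict(t.split("=", 1) for t in (m["comment"] or "").split() if "=" in t)
        found.append({
            "result": m["result"],
            "policy": tags.get("p"),
            "disposition": tags.get("dis"),
            "from_domain": m["domain"],
        })
    return found

if __name__ == "__main__":
    for r in dmarc_results(SAMPLE, "mx.example.com"):
        print(r)
```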

Updates

27 December 2017
Updated the instructions for editing systemd files. Thanks to Louis P.H. van Belle.