opendmarc.conf(5)             File Formats Manual            opendmarc.conf(5)

NAME

       opendmarc.conf - Configuration file for opendmarc

LOCATION

       /etc/opendmarc.conf

DESCRIPTION

       opendmarc(8) implements the proposed DMARC specification for message
       authentication, policy enforcement, and reporting. This file is its
       configuration file.

       Blank lines are ignored. Lines containing a hash ("#") character are
       truncated at the hash character to allow for comments in the file.

       Other content should be the name of a parameter, followed by white
       space, followed by the value of that parameter, each on a separate
       line.

       For parameters that are Boolean in nature, only the first byte of the
       value is processed. For positive values, the following are accepted:
       "T", "t", "Y", "y", "1". For negative values, the following are
       accepted: "F", "f", "N", "n", "0".

       Some, but not all, of these parameters are also available as command
       line options to opendmarc(8). However, new parameters are generally
       not added as command line options so the complete set of options is
       available here, and thus use of the configuration file is encouraged.
       In some future release, the set of available command line options is
       likely to get trimmed.

       See the opendmarc(8) man page for details about how and when the
       configuration file contents are reloaded.

       Unless otherwise stated, Boolean values default to "false", integer
       values default to 0, and string and dataset values default to being
       undefined.

PARAMETERS

       AuthservID (string)
              Sets the "authserv-id" to use when generating the
              Authentication-Results: header field after verifying a message.
              The default is to use the name of the MTA processing the
              message. If the string "HOSTNAME" is provided, the name of the
              host running the filter (as returned by the gethostname(3)
              function) will be used.


       AuthservIDWithJobID (Boolean)
              If "true", requests that the authserv-id portion of the added
              Authentication-Results: header fields contain the job ID of the
              message being evaluated.


       AutoRestart (Boolean)
              Automatically re-start on failures. Use with caution; if the
              filter fails instantly after it starts, this can cause a tight
              fork(2) loop.


       AutoRestartCount (integer)
              Sets the maximum automatic restart count. After this number of
              automatic restarts, the filter will give up and terminate. A
              value of 0 implies no limit; this is the default.


       AutoRestartRate (string)
              Sets the maximum automatic restart rate. If the filter begins
              restarting faster than the rate defined here, it will give up
              and terminate. This is a string of the form n/t[u] where n is
              an integer limiting the count of restarts in the given interval
              and t[u] defines the time interval through which the rate is
              calculated; t is an integer and u defines the units thus
              represented ("s" or "S" for seconds, the default; "m" or "M"
              for minutes; "h" or "H" for hours; "d" or "D" for days). For
              example, a value of "10/1h" limits the restarts to 10 in one
              hour. There is no default, meaning restart rate is not limited.


       Background (Boolean)
              Causes opendmarc to fork and exit immediately, leaving the
              service running in the background. The default is "true".


       BaseDirectory (string)
              If set, instructs the filter to change to the specified
              directory using chdir(2) before doing anything else. This means
              any files referenced elsewhere in the configuration file can be
              specified relative to this directory. It's also useful for
              arranging that any crash dumps will be saved to a specific
              location.


       ChangeRootDirectory (string)
              Requests that the operating system change the effective root
              directory of the process to the one specified here prior to
              beginning execution. chroot(2) requires superuser access. A
              warning will be generated if UserID is not also set.


       CopyFailuresTo (string)
              Adds the specified recipient to the message's envelope if it
              fails the DMARC evaluation.


       DomainWhitelist (string)
              A brief list of whitelisted domains for which ARC signature
              headers are trusted as determined by evaluating entries in the
              "arc.chain" field found in a locally generated
              Authentication-Results header.

              This list will be concatenated with DomainWhitelistFile (if
              provided).


       DomainWhitelistFile (string)
              A comprehensive list of whitelisted domains for which ARC
              signature headers are trusted as determined by evaluating
              entries in the "arc.chain" field found in a locally generated
              Authentication-Results header.

              This list will be concatenated with DomainWhitelist (if
              provided).


       DomainWhitelistSize (integer)
              Sets the capacity of the whitelisted domains data structure.
              The value specifies the maximum number of entries including
              domains listed in the DomainWhitelist configuration parameter
              and the domains listed in the DomainWhitelistFile. The final
              size will be increased by approximately 20% to increase the
              efficiency of the hashing algorithm.


       DNSTimeout (integer)
              Sets the DNS timeout in seconds. A value of 0 causes an
              infinite wait. The default is 5. Ignored if not using an
              asynchronous resolver package.


       EnableCoredumps (Boolean)
              On systems that have such support, make an explicit request to
              the kernel to dump cores when the filter crashes for some
              reason. Some modern UNIX systems suppress core dumps during
              crashes for security reasons if the user ID has changed during
              the lifetime of the process. Currently only supported on Linux.


       FailureReports (Boolean)
              Enables generation of failure reports when the DMARC test fails
              and the purported sender of the message has requested such
              reports. Reports are formatted per RFC6591.


       FailureReportsBcc (string)
              When failure reports are enabled and one is to be generated,
              always send one to the address(es) specified here. If a failure
              report is requested by the domain owner, the address(es) are
              added in a Bcc: field. If no request is made, the address(es)
              are used in a To: field. There is no default.


       FailureReportsOnNone (Boolean)
              Supplementary to the previous setting, enables generation of
              failure reports for sending domains that publish a "none"
              policy.


       FailureReportsSentBy (string)
              Sets the value of the From: field to be used when sending
              failure reports (see above). The default is to use the userid
              of the user executing the filter and the local host name to
              construct an email address.


       HistoryFile (string)
              If set, specifies the location of a text file to which records
              are written that can be used to generate DMARC aggregate
              reports. Records are batches of rows containing information
              about a single received message, and include all relevant
              information needed to generate a DMARC aggregate report. It is
              expected that this will not be used in its raw form, but rather
              periodically imported into a relational database from which the
              aggregate reports can be extracted using
              opendmarc-importstats(8).


       IgnoreAuthenticatedClients (Boolean)
              If set, causes mail from authenticated clients (i.e., those that
              used SMTP AUTH) to be ignored by the filter. The default is
              "false".


       IgnoreHosts (string)
              Specifies the path to a file that contains a list of hostnames,
              IP addresses, and/or CIDR expressions identifying hosts whose
              SMTP connections are to be ignored by the filter. If not
              specified, defaults to "127.0.0.1" only.


       IgnoreMailFrom (string)
              Gives a list of domain names whose mail (based on the From:
              domain) is to be ignored by the filter. The list should be
              comma-separated. Matching against this list is
              case-insensitive. The default is an empty list, meaning no mail
              is ignored.


       MilterDebug (integer)
              Sets the debug level to be requested from the milter library.
              The default is 0.


       PidFile (string)
              Specifies the path to a file that should be created at process
              start containing the process ID.


       PublicSuffixList (string)
              Specifies the path to a file that contains top-level domains
              (TLDs) that will be used to compute the Organizational Domain
              for a given domain name, as described in the DMARC
              specification. If not provided, the filter will not be able to
              determine the Organizational Domain and only the presented
              domain will be evaluated. This file should be periodically
              updated. One location to retrieve the file from is
              https://publicsuffix.org/list/


       RecordAllMessages (Boolean)
              If set and HistoryFile is in use, all received messages are
              recorded to the history file. If not set (the default), only
              messages for which the From: domain published a DMARC record
              will be recorded in the history file.


       RejectFailures (Boolean)
              If set, messages will be rejected if they fail the DMARC
              evaluation, or temp-failed if evaluation could not be
              completed. By default, no message will be rejected or
              temp-failed regardless of the outcome of the DMARC evaluation
              of the message. Instead, an Authentication-Results header field
              will be added. The default is "false".


       RejectMultiValueFrom (Boolean)
              If set, messages with multiple addresses in the From: field of
              the message will be rejected unless all domain names in that
              field are the same. They will otherwise be ignored by the
              filter (the default).


       ReportCommand (string)
              Indicates the shell command to which failure reports should be
              passed for delivery when FailureReports is enabled. Defaults to
              /usr/sbin/sendmail.


       RequiredHeaders (Boolean)
              If set, the filter will ensure the header of the message
              conforms to the basic header field count restrictions laid out
              in RFC5322, Section 3.6. Messages failing this test are
              rejected without further processing. A From: field from which
              no domain name could be extracted will also be rejected.


       Socket (string)
              Specifies the socket that should be established by the filter to
              receive connections from sendmail(8) in order to provide
              service. socketspec is in one of two forms: local:path, which
              creates a UNIX domain socket at the specified path, or
              inet:port[@host] or inet6:port[@host] which creates a TCP socket
              on the specified port for the appropriate protocol family. If
              the host is not given as either a hostname or an IP address, the
              socket will be listening on all interfaces. This option is
              mandatory either in the configuration file or on the command
              line. If an IP address is used, it must be enclosed in square
              brackets.


       SoftwareHeader (Boolean)
              Causes opendmarc to add a "DMARC-Filter" header field indicating
              the presence of this filter in the path of the message from
              injection to delivery. The product's name, version, and the job
              ID are included in the header field's contents.


       SPFIgnoreResults (Boolean)
              Causes the filter to ignore any SPF results in the header of the
              message. This is useful if you want the filter to perform SPF
              checks itself, or because you don't trust the arriving header.
              The default is "false".


       SPFSelfValidate (Boolean)
              Causes the filter to perform a fallback SPF check itself when it
              can find no SPF results in the message header. If
              SPFIgnoreResults is also set, it never looks for SPF results in
              headers and always performs the SPF check itself when this is
              set. The default is "false".


       Syslog (Boolean)
              Log via calls to syslog(3) any interesting activity.


       SyslogFacility (string)
              Log via calls to syslog(3) using the named facility. The
              facility names are the same as the ones allowed in
              syslog.conf(5). The default is "mail".


       TrustedAuthservIDs (string)
              Provides a list of authserv-ids that are to be used to identify
              Authentication-Results header fields whose contents are to be
              assumed as valid input for the DMARC assessment. To provide a
              list, separate values by commas. If the string "HOSTNAME" is
              provided, the name of the host running the filter (as returned
              by the gethostname(3) function) will be used. Matching against
              this list is case-insensitive. The default is to use the value
              of AuthservID.


       UMask (integer)
              Requests a specific permissions mask to be used for file
              creation. This only really applies to creation of the socket
              when Socket specifies a UNIX domain socket, and to the PidFile
              (if any); temporary files are created by the mkstemp(3) function
              that enforces a specific file mode on creation regardless of the
              process umask. See umask(2) for more information.


       UserID (string)
              Attempts to become the specified userid before starting
              operations. The value is of the form userid[:group]. The process
              will be assigned all of the groups and primary group ID of the
              named userid unless an alternate group is specified.
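
       The following is an added example, not part of the original man page
       or the opendmarc distribution: a small auditor that parses a file by
       the rules in DESCRIPTION and flags the risky combinations the
       parameter descriptions above call out. The sample configuration, its
       paths and its port number are constructed assumptions.

```python
import re

TRUE, FALSE = set("TtYy1"), set("FfNn0")
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

# Constructed sample configuration; the paths and port are assumptions.
SAMPLE = """\
AutoRestart   yes           # only the first byte ("y") is processed
AutoRestartRate 10/1h
ChangeRootDirectory /var/lib/opendmarc
Socket inet:8893            # no @host part
DNSTimeout 0
"""

def parse_conf(text):
    """Truncate each line at '#', then split parameter name from value."""
    params = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if parts:
            params[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return params

def as_bool(params, name, default=False):
    """Boolean parameters: only the first byte of the value counts."""
    first = params.get(name, "")[:1]
    return True if first in TRUE else False if first in FALSE else default

def parse_rate(spec):
    """AutoRestartRate 'n/t[u]' -> (max restarts, interval in seconds)."""
    m = re.fullmatch(r"(\d+)/(\d+)([smhdSMHD]?)", spec)
    if not m:
        raise ValueError(f"bad AutoRestartRate: {spec!r}")
    return int(m.group(1)), int(m.group(2)) * UNITS[(m.group(3) or "s").lower()]

def audit(params):
    findings = []
    if as_bool(params, "AutoRestart"):
        if params.get("AutoRestartRate"):
            parse_rate(params["AutoRestartRate"])  # reject malformed limits
        elif int(params.get("AutoRestartCount", "0")) == 0:
            findings.append("AutoRestart has no count or rate limit")
    if "ChangeRootDirectory" in params and "UserID" not in params:
        findings.append("ChangeRootDirectory is set without UserID")
    sock = params.get("Socket", "")
    if not sock:
        findings.append("Socket is not set in the file")
    elif sock.startswith(("inet:", "inet6:")) and "@" not in sock:
        findings.append("Socket has no host: listens on all interfaces")
    if int(params.get("DNSTimeout", "5")) == 0:
        findings.append("DNSTimeout 0 waits on DNS forever")
    if "PublicSuffixList" not in params:
        findings.append("PublicSuffixList unset: no Organizational Domain lookup")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_conf(SAMPLE))))
```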

FILES

       /etc/opendmarc.conf
              Default location of this file.

VERSION

       This man page covers version 1.4.1 of opendmarc.


       Copyright (c) 2012-2015, 2018, 2021, The Trusted Domain Project. All
       rights reserved.

SEE ALSO

       opendmarc(8), opendmarc-importstats(8), sendmail(8)

       RFC4408 - Sender Policy Framework

       RFC5451 - Message Header Field for Indicating Message Authentication
       Status

       RFC5965 - An Extensible Format for Email Feedback Reports

       RFC6376 - DomainKeys Identified Mail

       RFC6591 - Authentication Failure Reporting Using the Abuse Reporting
       Format



                          The Trusted Domain Project         opendmarc.conf(5)