
[Feature] DMARC dynamic external reporting

Open mdallaire opened this issue 3 years ago • 4 comments

I am currently using the DMARC_BUILDER with my domains and it is working great. I think a great addition to it would be a DMARC_REPORT(?) builder.

When reporting to a different domain than the one of the DMARC record, an entry needs to be made under the destination domain to explicitly allow reception of DMARC reports for the domain. More details here

In my case I am sending all the reports to [email protected], so the rua for mydomain.net, mydomain.com, etc. is always mailto:[email protected].

Under mydomain.email I have the following

    TXT('mydomain.com._report._dmarc', 'v=DMARC1'),
    TXT('mydomain.net._report._dmarc', 'v=DMARC1'),

I think this could probably be automated so that when the DMARC_BUILDER generates a record, it checks the rua domain and if it is in the same configuration and has a {DMARC_REPORT} entry then the DMARC_REPORT entry gets automatically generated.

mdallaire avatar Jan 26 '22 15:01 mdallaire

Sounds good! Do you have one that you are using and could submit as a PR?

The code would go in pkg/js/helpers.js

(I'm not a DMARC administrator so I'm not the best person to implement it.)

Tom

tlimoncelli avatar Jan 26 '22 16:01 tlimoncelli

> I am currently using the DMARC_BUILDER with my domains and it is working great.

Great! Love to hear that.

I don't want to discourage you, but, from my point of view, this doesn't add a lot of value, compared to the complexity of implementation. You'd have to account for people receiving DMARC reports on a subdomain that's not a zone on its own, as an org-domain lookup is not part of the verification process for external domains, for example.

Take facebook.com. and their DMARC record:

    _dmarc.facebookmail.com. 3600 IN TXT "v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]; pct=100"

facebookmail.com. cannot publish a verification record at facebook.com._report._dmarc.facebookmail.com., but rather has to publish one at facebook.com._report._dmarc.dmarc.facebookmail.com.; which they don't, lol.

Nevertheless, I see potential for automation here, but I think it would need to add more functionality and complexity, and, as a result, should not be part of the core, in my opinion.

It's reminding me a bit of my SPF builder, which assembles an SPF record after the fact from policies added in the domain modifiers. But this would need to work across zones, increasing the complexity even further. I may be able to make some time and publish it soon™.

juliusrickert avatar Feb 04 '22 15:02 juliusrickert

> Nevertheless, I see potential for automation here,

That is exactly the reason why I opened this feature request. I have to admit I did not give it a ton of thought on the "how" and "is it worth the effort" and unfortunately I have close to zero coding knowledge to make this happen.

I have close to 60 domains for which I have DMARC entries that report to a different domain also managed in dnscontrol. Right now I only have 3 using the DMARC BUILDER but I saw the use case right away for automatic management of the _report record.

One way of doing it could be to add a field named "report_domain" under the DMARC_BUILDER where one could set the domain name where the additional _report record needs to be created. Then maybe have a "DMARC_REPORT_BUILDER" entry listed under the domain where we want the entries automatically generated.

mdallaire avatar Feb 04 '22 20:02 mdallaire

What has worked well in the past is for people to write and use the function locally in their own dnsconfig.js file. If it proves useful after a while, propose including it in the project's helpers.js file. Showing it has been in production for a while demonstrates that it is solving a real problem and vets the implementation.

tlimoncelli avatar Feb 17 '22 17:02 tlimoncelli
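
Editor's added example, not part of the thread and not dnscontrol code: a standalone JavaScript sketch of the cross-zone bookkeeping discussed above. It derives which `<domain>._report._dmarc.<rua-host>` TXT records are needed and which managed zone each belongs in, including the case where the rua host is a subdomain without its own zone. All function names and domains are hypothetical, and the "same domain" test is a simplification of the Organizational Domain comparison in RFC 7489.

```javascript
// Added example. Every name and domain here is constructed for illustration.
// Approximation: a real receiver compares Organizational Domains (RFC 7489,
// section 7.1); this sketch only checks whether one name sits under the other.

// Hosts named in mailto: URIs of the rua/ruf tags of one DMARC record.
function parseReportHosts(dmarcTxt) {
  const hosts = new Set();
  for (const tag of dmarcTxt.split(';')) {
    const eq = tag.indexOf('=');
    const name = tag.slice(0, Math.max(eq, 0)).trim().toLowerCase();
    if (name !== 'rua' && name !== 'ruf') continue;
    for (const uri of tag.slice(eq + 1).split(',')) {
      // "!10m"-style size limits may trail the address; stop at "!".
      const m = /^\s*mailto:[^@\s]+@([^!\s]+)/i.exec(uri);
      if (m) hosts.add(m[1].toLowerCase().replace(/\.$/, ''));
    }
  }
  return [...hosts];
}

const under = (a, b) => a === b || a.endsWith('.' + b);

// Longest managed zone that contains `host`, or null if none does.
function findZone(host, zones) {
  return zones.filter(z => under(host, z)).sort((a, b) => b.length - a.length)[0] || null;
}

// One entry per external destination: which zone must carry which TXT label.
function externalReportRecords(policies, zones) {
  const out = [];
  for (const [domain, txt] of Object.entries(policies)) {
    for (const host of parseReportHosts(txt)) {
      if (under(host, domain) || under(domain, host)) continue; // not external
      const fqdn = `${domain}._report._dmarc.${host}`;
      const zone = findZone(host, zones);
      // The label is relative to the zone, so a rua host that is a subdomain
      // without its own zone keeps its extra labels (e.g. "...dmarc").
      const label = zone ? fqdn.slice(0, fqdn.length - zone.length - 1) : null;
      out.push({ domain, fqdn, zone, label, value: 'v=DMARC1' });
    }
  }
  return out;
}

// Constructed sample input: three policy domains, four managed zones.
const samplePolicies = {
  'example.com': 'v=DMARC1; p=reject; rua=mailto:reports@example.email',
  'example.net': 'v=DMARC1; p=none; rua=mailto:agg@dmarc.example.email!10m, mailto:x@example.net',
  'example.org': 'v=DMARC1; p=none; ruf=mailto:f@thirdparty.example',
};
const sampleZones = ['example.com', 'example.net', 'example.org', 'example.email'];
console.log(externalReportRecords(samplePolicies, sampleZones));
```

Entries with a non-null `zone` correspond to `TXT(label, value)` lines like the ones in the original post; entries with `zone: null` point at a destination outside the managed configuration, where the record has to be published by whoever runs that zone.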

Friendly ping?

tlimoncelli avatar May 16 '23 00:05 tlimoncelli

This has grown stale. Closing. Please re-open if interest reappears.

tlimoncelli avatar Dec 14 '23 19:12 tlimoncelli