Santronics Online

DMARC Policy Zone Record Generator and Test Simulator v3.0

This wizard helps prepare the DMARC and ATPS zone records for authorizing 1st and 3rd party DKIM signers. It also allows you to test them against various signer domains. Read the description below.

Enter AUTHOR-DOMAIN:

This is the domain of the From: address in your email messages.

 Example: example.com

Author Domain Signing Practice DMARC Options:

Enter the DMARC record "p=" failure handling policy tag value you wish to publish (expose to the world):

none, no action is taken on failed mail.
quarantine, separate the failed mail from user's main mailbox, inbox, pop3 stream, etc.
reject, immediately reject/discard the failed mail.

Enter ATPS protocol extension options:

Use ATPS (Authorized Third Party Signer)
Use ASL (Allowed Signer List)

Proposed additional options to the ATPS draft.

Support ATPS Sub Domains Lookups
Add ATPS record value with domain name (for reading purposes)

DKIM identifier alignment (adkim=):

relaxed
strict

SPF identifier alignment (aspf=):

relaxed
strict

Sub-Domain Policy Type (sp=):

The policy that defines how you would like the ISPs to handle messages from a sub-domain that failed SPF and DKIM. If you are unsure whether your sub-domains are authenticating all email, choose 'None'. You will still receive reports.

none, no action is taken on failed mail.
quarantine, separate the failed mail from user's main mailbox, inbox, pop3 stream, etc.
reject, immediately reject/discard the failed mail.

Percent of failures before reports are sent (pct=):

The percent of messages from your domain you want the ISPs to check; we recommend 100%.


Aggregate Report Email Addresses (rua=):

The email where you want to receive reports from the ISPs of which messages failed SPF and DKIM checks (DMARC) for your domain.

rua size:

The maximum size of the RUA email files to send; most email servers have size restrictions. "m" = Megs, "g" = Gigs, "k" = Kilo, "t" = Tera (bytes).

Forensic Report Email Addresses (ruf=):

The email where you want to receive sample messages that are failing SPF and DKIM checks (DMARC) for your domain.

ruf size:

The maximum size of the RUF email files to send; most email servers have size restrictions. "m" = Megs, "g" = Gigs, "k" = Kilo, "t" = Tera (bytes).

Report Format (rf=):

You can choose to have reports sent in one of two different formats, 'iodef' Incident Object Description Exchange Format or 'afrf' Authentication Failure Reporting Format.

afrf
iodef

Reporting Interval (ri=):

The interval in seconds at which aggregate reports should be generated, between 1 and 4294967295. 86400 represents 1 day.

List of Authorized SIGNER-DOMAINS:

These are the domains authorized to sign your mail. It is the signer domain in the d= tag of the DKIM-Signature created for the signed message. You can add multiple domains using space, comma delimited or per line.

For example, suppose your email domain is mydomain.com and you use Google's Gmail to send mail using this domain as a 2nd account on Gmail; then you should add gmail.com as a 3rd party authorized signer of your mydomain.com author domain. You should also add any list domains you know are signing mail, like ietf.org.



Make BIND.DNS for BIND-based DNS Server
Make DNSCMD Batch Commands for Microsoft DNS Server

Signed Message Policy Tester

Enter the DKIM-Signature header d= domain. You may enter more than one domain separated by commas to perform multiple signer tests. The domains you enter will be compared to the Authorized Domains you entered above for 3rd party authorization.


Legend:

AUTHOR-DOMAIN: The domain part of the email message From: header field.
SIGNER-DOMAIN: The domain in the DKIM-Signature d= tag; it is the responsible signer of the message.
1st Party Signature: This is when the AUTHOR-DOMAIN and SIGNER-DOMAIN are the same.
3rd Party Signature: This is when the AUTHOR-DOMAIN and SIGNER-DOMAIN are NOT the same.

DMARC is a policy layer for DKIM. It is an optional protocol to help protect domain signers against unauthorized signing (spoofing and phishing).

The following IETF documents provide the details:

New extensions to DMARC offer a way to authorize third party signatures. The ATPS proposal adds an optional tag to the DMARC record called "atps=y". If set, additional TXT records per signer can be checked for authorization. The ASL proposal is a simple lightweight method to define a small list of authorized signers in a DMARC record tag called "asl=".

Example DMARC records:

  #1  _dmarc.example.com  = "v=DMARC1; p=reject"
  #2  _dmarc.example.com  = "v=DMARC1; p=reject; asl=gmail.com;"
  #3  _dmarc.example.com  = "v=DMARC1; p=reject; atps=y; asl=gmail.com;"

In example #1, there is no third party authorization preparation. Only example.com can sign its own mail.

In example #2, example.com is declaring that only itself and gmail.com can sign mail on its behalf.

In example #3, example.com is declaring that only itself and gmail.com can sign mail on its behalf. However, with atps=y set, other third party signers may be authorized using DNS TXT "_atps" sub-domain records, using a special hashing method to build the sub-domain record name:

   base32(sha1(SIGNER-DOMAIN))._atps.example.com

The SIGNER-DOMAIN is obtained from the DKIM-Signature d= tag value.

This wizard helps prepare the zone records for all the ASL/ATPS options. It also allows you to test them against various signer domains. The two proposed changes to ATPS:

   [_] Add ATPS record value with domain name
   [_] Support ATPS Sub Domains Lookups

The first one is designed to help with manual editing of zone files, by associating each ATPS hash with its signer domain.

The second option allows you to create a single ATPS record for the originating domain's sub-domains, using a wildcard hash of the author domain, i.e. *.example.com.

ASL (Allowed Signer List) Proposal

The ASL draft is still under construction. The following are the steps the DMARC ASL/ATPS verifier will perform:

   1) Obtain the AUTHOR-DOMAIN and perform a TXT query for the DMARC
      record to obtain its value:

       _dmarc.AUTHOR-DOMAIN

   2) If no DMARC record is found (NXDOMAIN), return DMARC=NONE

   3) Obtain the SIGNER-DOMAIN and compare with the AUTHOR-DOMAIN

      If the two domains are the same, return DMARC=PASS, otherwise
      continue with third party authorization checking.

   4) If an asl= tag is present, check the SIGNER-DOMAIN within
      the asl= list of domains.

      If SIGNER-DOMAIN is found in the asl= list, return DMARC=PASS

   5) If an atps=y tag is present, perform the steps as outlined in
      [ATPS]

   6) return DMARC=FAIL
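The six verifier steps above and the base32(sha1(SIGNER-DOMAIN)) hashing rule, worked through in Python as an added example that is not part of the Santronics wizard or of any ATPS/ASL draft. build_zone emits the records the wizard would generate for an author domain (ASL signers into the asl= tag, ATPS signers as hashed _atps records) into an in-memory dictionary that stands in for DNS, and verify runs steps 1 through 6 against it. Assumptions of this example: the signer domain is lower-cased before SHA-1 hashing and the base32 output uses the RFC 4648 alphabet (the RFC 6541 ATPS rule); the _atps record value "v=ATPS1" with an optional d= tag mirrors the page's first proposed option but is a format chosen here; a DMARC record whose v= tag is not DMARC1 is treated as absent; and the disposition helper is this example's own.

```python
"""Added example (not the Santronics wizard's code): DMARC/ASL/ATPS zone builder
and the six-step ASL/ATPS verifier from the page, run against an in-memory zone."""
import base64
import hashlib


def atps_label(signer_domain: str) -> str:
    """base32(sha1(SIGNER-DOMAIN)) used as the _atps sub-domain label.
    Lower-casing first is the RFC 6541 rule (an assumption of this example).
    SHA-1 yields 20 bytes, so base32 gives exactly 32 chars and no '=' padding."""
    digest = hashlib.sha1(signer_domain.lower().encode("ascii")).digest()
    return base64.b32encode(digest).decode("ascii")


def atps_record_name(signer_domain: str, author_domain: str) -> str:
    """Owner name of the ATPS record: base32(sha1(SIGNER-DOMAIN))._atps.AUTHOR-DOMAIN"""
    return f"{atps_label(signer_domain)}._atps.{author_domain.lower()}"


def build_zone(author_domain, policy="reject", asl=(), atps=(), with_domain_name=True):
    """Return {owner_name: txt_value} for the records the wizard would emit.
    asl: signers listed in the asl= tag; atps: signers given hashed _atps records."""
    tags = ["v=DMARC1", f"p={policy}"]
    if atps:
        tags.append("atps=y")
    if asl:
        tags.append("asl=" + ",".join(d.lower() for d in asl))
    zone = {f"_dmarc.{author_domain.lower()}": "; ".join(tags) + ";"}
    for signer in atps:
        # "v=ATPS1" is an assumed marker; the d= tag only helps a human reading the
        # zone file (the page's option 1) and is ignored by the verifier below.
        value = "v=ATPS1"
        if with_domain_name:
            value += f"; d={signer.lower()}"
        zone[atps_record_name(signer, author_domain)] = value
    return zone


def parse_tags(txt: str) -> dict:
    """Split 'k=v; k=v;' into a dict with lower-cased keys and stripped values."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, _, val = part.partition("=")
            tags[key.strip().lower()] = val.strip()
    return tags


def verify(zone, author_domain, signer_domain):
    """The page's six steps. Returns 'DMARC=NONE', 'DMARC=PASS' or 'DMARC=FAIL'."""
    author = author_domain.lower()
    signer = signer_domain.lower()
    # Steps 1-2: query _dmarc.AUTHOR-DOMAIN; no record (NXDOMAIN) means NONE.
    record = zone.get(f"_dmarc.{author}")
    if record is None:
        return "DMARC=NONE"
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "DMARC=NONE"  # malformed record treated as absent (assumption)
    # Step 3: first-party signature passes outright.
    if signer == author:
        return "DMARC=PASS"
    # Step 4: asl= list, comma or space delimited.
    asl = tags.get("asl", "").replace(",", " ").split()
    if signer in (d.lower() for d in asl):
        return "DMARC=PASS"
    # Step 5: with atps=y, look up the hashed _atps record for this signer.
    if tags.get("atps", "").lower() == "y":
        if atps_record_name(signer, author) in zone:
            return "DMARC=PASS"
    # Step 6: nothing authorized the signer.
    return "DMARC=FAIL"


def disposition(zone, author_domain, signer_domain):
    """Receiver action: the published p= on FAIL, otherwise deliver (helper of this example)."""
    if verify(zone, author_domain, signer_domain) != "DMARC=FAIL":
        return "deliver"
    return parse_tags(zone[f"_dmarc.{author_domain.lower()}"]).get("p", "none")


if __name__ == "__main__":
    # Constructed zone: example.com authorizes gmail.com via asl= and ietf.org via ATPS.
    zone = build_zone("example.com", asl=["gmail.com"], atps=["ietf.org"])
    for name, txt in zone.items():
        print(f'{name}  IN TXT "{txt}"')
    for signer in ["example.com", "gmail.com", "IETF.org", "evil.example"]:
        print(signer, verify(zone, "example.com", signer), disposition(zone, "example.com", signer))
```

Running the block prints the three TXT records (the _atps owner name is the 32-character hash label) and then the result for a first-party signer, an ASL signer, an ATPS signer looked up case-insensitively, and an unauthorized signer that falls through to step 6 and the p=reject disposition. Leaving atps=y out of the record is enough to stop the hashed records from being consulted at all, which is what makes the tag a useful kill switch while a zone is being edited.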