Sets the "authserv-id" to use when generating the Authentication-Results:
header field after verifying a message. The default is to use the name of
the MTA processing the message. If the string "HOSTNAME" is provided, the
name of the host running the filter (as returned by the
gethostname(3) function) will be used.
If "true", requests that the authserv-id portion of the added
Authentication-Results: header fields contain the job ID of the message being
Automatically re-start on failures. Use with caution; if the filter
fails instantly after it starts, this can cause a tight
Sets the maximum automatic restart count. After this number of
automatic restarts, the filter will give up and terminate.
A value of 0 implies no limit; this is the default.
Sets the maximum automatic restart rate. If the filter begins restarting
faster than the rate defined here, it will give up and terminate.
This is a string of the form
n is an integer limiting the count of restarts in the given interval and
t[u] defines the time interval through which the rate is calculated;
t is an integer and
u defines the units thus represented ("s" or "S" for seconds, the default;
"m" or "M" for minutes; "h" or "H" for hours; "d" or "D" for days). For
example, a value of "10/1h" limits the restarts to 10 in one hour. There
is no default, meaning restart rate is not limited.
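A parser for the restart-rate string described above, plus a sliding-window model of the limit. This is an added example, not opendmarc's own code: the function and class names are hypothetical, and the sliding-window accounting and the rejection of zero values are assumptions of this sketch.

```python
import re
from collections import deque

# Unit letters listed in the option text; seconds when the unit is omitted.
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
RATE_RE = re.compile(r"^(\d+)/(\d+)([smhd]?)$", re.IGNORECASE)


def parse_restart_rate(value):
    """Return (max_restarts, interval_seconds) for a string such as "10/1h"."""
    m = RATE_RE.match(value.strip())
    if not m:
        raise ValueError(f"malformed restart rate: {value!r}")
    count, span, unit = int(m.group(1)), int(m.group(2)), m.group(3).lower() or "s"
    if count == 0 or span == 0:  # treated as a configuration error in this sketch
        raise ValueError(f"restart rate must be non-zero: {value!r}")
    return count, span * UNIT_SECONDS[unit]


class RestartGovernor:
    """Sliding-window model of the limit (an assumption, not opendmarc's code)."""

    def __init__(self, rate):
        self.limit, self.window = parse_restart_rate(rate)
        self.stamps = deque()

    def allow(self, now):
        """Record a restart at time `now` (seconds); False means give up."""
        while self.stamps and now - self.stamps[0] >= self.window:
            self.stamps.popleft()
        if len(self.stamps) >= self.limit:
            return False
        self.stamps.append(now)
        return True


def simulate(rate, crash_times):
    """Return the time at which the supervisor would give up, or None."""
    gov = RestartGovernor(rate)
    for t in crash_times:
        if not gov.allow(t):
            return t
    return None


if __name__ == "__main__":
    # Constructed crash timelines: one crash per second, then one every 400 s.
    print(simulate("10/1h", range(0, 60)))
    print(simulate("10/1h", range(0, 36000, 400)))
```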
opendmarc to fork and exits immediately, leaving the service running in the background.
The default is "true".
If set, instructs the filter to change to the specified directory using
chdir(2) before doing anything else. This means any files referenced elsewhere
in the configuration file can be specified relative to this directory.
It's also useful for arranging that any crash dumps will be saved to
a specific location.
Requests that the operating system change the effective root directory
of the process to the one specified here prior to beginning execution.
chroot(2) requires superuser access. A warning will be generated if
UserID is not also set.
Adds the specified recipient to the message's envelope if it fails the DMARC
Sets the DNS timeout in seconds. A value of 0 causes an infinite wait.
The default is 5. Ignored if not using an asynchronous resolver package.
On systems that have such support, make an explicit request to the kernel
to dump cores when the filter crashes for some reason. Some modern UNIX
systems suppress core dumps during crashes for security reasons if the
user ID has changed during the lifetime of the process. Currently only
supported on Linux.
Enables generation of failure reports when the DMARC test fails and the
purported sender of the message has requested such reports. Reports are
formatted per RFC6591.
When failure reports are enabled and one is to be generated, always send one
to the address(es) specified here. If a failure report is requested by
the domain owner, the address(es) are added in a Bcc: field. If no request
is made, the address(es) are used in a To: field. There is no default.
Supplementary to the previous setting, enables generation of failure reports
for sending domains that publish a "none" policy.
Sets the value of the From: field to be used when sending failure reports
(see above). The default is to use the userid of the user executing the
filter and the local host name to construct an email address.
If set, specifies the location of a text file to which records are written
that can be used to generate DMARC aggregate reports. Records are
batches of rows containing information about a single received message,
and include all relevant information needed to generate a DMARC aggregate
report. It is expected that this will not be used in its raw form, but
rather periodically imported into a relational database from which the
aggregate reports can be extracted.
If set, causes mail from authenticated clients (i.e., those that used
SMTP AUTH) to be ignored by the filter. The default is "false".
Specifies the path to a file that contains a list of hostnames, IP addresses,
and/or CIDR expressions identifying hosts whose SMTP connections are to be
ignored by the filter. If not specified, defaults to "127.0.0.1" only.
Gives a list of domain names whose mail (based on the From: domain) is to
be ignored by the filter. The list should be comma-separated. Matching
against this list is case-insensitive. The default is an empty list, meaning
no mail is ignored.
Sets the debug level to be requested from the milter library. The
default is 0.
Specifies the path to a file that should be created at process start
containing the process ID.
Specifies the path to a file that contains top-level domains (TLDs) that
will be used to compute the Organizational Domain for a given domain name,
as described in the DMARC specification. If not provided, the filter will
not be able to determine the Organizational Domain and only the presented
domain will be evaluated.
If set and
HistoryFile is in use, all received messages are recorded to the history file. If not set
(the default), only messages for which the From: domain published a DMARC
record will be recorded in the history file.
If set, messages will be rejected if they fail the DMARC evaluation, or
temp-failed if evaluation could not be completed. By default, no message will
be rejected or temp-failed regardless of the outcome of the DMARC evaluation of
the message. Instead, an Authentication-Results header field will be added.
The default is "false".
Indicates the shell command to which failure reports should be passed for
FailureReports is enabled. Defaults to
If set, the filter will ensure the header of the message conforms to the basic
header field count restrictions laid out in RFC5322, Section 3.6. Messages
failing this test are rejected without further processing. A From:
field from which no domain name could be extracted will also be rejected.
Specifies the socket that should be established by the filter to receive
sendmail(8) in order to provide service.
socketspec is in one of two forms:
local:path, which creates a UNIX domain socket at the specified
inet6:port[@host] which creates a TCP socket on the specified
port for the appropriate protocol family. If the
host is not given as either a hostname or an IP address, the socket will be
listening on all interfaces. This option is mandatory either in the
configuration file or on the command line. If an IP address is used,
it must be enclosed in square brackets.
opendmarc to add a "DMARC-Filter" header field indicating the presence of this filter in
the path of the message from injection to delivery. The product's name,
version, and the job ID are included in the header field's contents.
Causes the filter to ignore any SPF results in the header of the
message. This is useful if you want the filter to perform SPF checks
itself, or because you don't trust the arriving header. The default is "false".
Causes the filter to perform a fallback SPF check itself when
it can find no SPF results in the message header. If SPFIgnoreResults
is also set, it never looks for SPF results in headers and
always performs the SPF check itself when this is set. The default is "false".
Log via calls to
syslog(3) any interesting activity.
Log via calls to
syslog(3) using the named facility. The facility names are the same as the ones
syslog.conf(5). The default is "mail".
Provides a list of authserv-ids that are to be used to identify
Authentication-Results header fields whose contents are to be assumed as valid
input for the DMARC assessment. To provide a list, separate values by commas.
If the string "HOSTNAME" is provided, the name of the host running the filter
(as returned by the
gethostname(3) function) will be used. Matching against this list is case-insensitive. The
default is to use the value of
Requests a specific permissions mask to be used for file creation.
This only really applies to creation of the socket when
Socket specifies a UNIX domain socket, and to the
PidFile (if any); temporary files are created by the
mkstemp(3) function that enforces a specific file mode on creation regardless
of the process umask. See
umask(2) for more information.
Attempts to become the specified userid before starting operations. The value is of the form userid[:group]. The process will be assigned all of the groups and primary group ID of the named userid unless an alternate group is specified.
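A small configuration audit that flags four combinations the entries above describe as risky or surprising. It is an added example, not part of opendmarc. It assumes the usual `Name value` line syntax with `#` comments. The option names ChangeRootDirectory, AutoRestart, AutoRestartCount, AutoRestartRate and SPFSelfValidate are the opendmarc.conf parameter names for entries whose names the text above does not spell out. The finding codes and sample files are constructed.

```python
def parse_conf(text):
    """Parse `Name value` lines, ignoring blanks and `#` comments."""
    conf = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split(None, 1)
        if fields:
            conf[fields[0].lower()] = fields[1].strip() if len(fields) > 1 else ""
    return conf


def is_true(conf, name):
    return conf.get(name.lower(), "").lower() in ("true", "yes", "1")  # assumed spellings


def audit(text):
    """Return a list of finding codes for an opendmarc.conf body."""
    conf, findings = parse_conf(text), []
    # chroot(2) needs superuser, so without UserID the filter stays privileged.
    if "changerootdirectory" in conf and "userid" not in conf:
        findings.append("CHROOT_WITHOUT_USERID")
    # Count 0 (the default) and an unset rate both mean "no limit".
    unlimited = conf.get("autorestartcount", "0") == "0" and "autorestartrate" not in conf
    if is_true(conf, "AutoRestart") and unlimited:
        findings.append("UNBOUNDED_AUTORESTART")
    # A TCP socket spec with no @host listens on all interfaces.
    sock = conf.get("socket", "")
    if sock.lower().startswith(("inet:", "inet6:")) and "@" not in sock:
        findings.append("SOCKET_ALL_INTERFACES")
    # Self-validation is only a fallback unless header results are ignored.
    if is_true(conf, "SPFSelfValidate") and not is_true(conf, "SPFIgnoreResults"):
        findings.append("SPF_HEADER_RESULTS_STILL_USED")
    return findings

# Constructed sample configurations, not taken from any real deployment.
WEAK = """
ChangeRootDirectory /var/lib/opendmarc
AutoRestart true
Socket inet:8893            # no @host
SPFSelfValidate true
"""
HARDENED = """
ChangeRootDirectory /var/lib/opendmarc
UserID opendmarc:opendmarc
AutoRestart true
AutoRestartRate 10/1h
Socket inet:8893@[127.0.0.1]
SPFSelfValidate true
SPFIgnoreResults true
"""
```

`audit(WEAK)` reports all four findings and `audit(HARDENED)` reports none.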
/usr/local/etc/opendmarc.conf Default location of this file.
This man page covers version 1.3.1 of opendmarc.
Copyright (c) 2012-2015, The Trusted Domain Project. All rights reserved.
RFC4408 - Sender Policy Framework
RFC5451 - Message Header Field for Indicating Message Authentication Status
RFC5965 - An Extensible Format for Email Feedback Reports
RFC6376 - DomainKeys Identified Mail
RFC6591 - Authentication Failure Reporting Using the Abuse Reporting Format
OPENDMARC.CONF(5) The Trusted Domain Project