Edit existing DNS records

The miab DNS records for dmarc do not contain the tags necessary for dmarc reporting.

This is part of the standard.

What is the procedure to add the relevant DNS entries?

I added a custom entry for the same issue concerning MTA-STS reporting. But that type of entry did not exist before, so adding a new one is fine.

But for DMARC it is more about editing the existing entry.

I changed it in /etc/nsd/zones/domain.txt but the changes do not appear reflected in the web panel.

I think it would be better if DNS entries can be changed in the web control panel.

If you create it as a custom DNS entry, it will “overwrite” the automatically generated one.

Out of interest: what are you going to do with the DMARC reports? In the past I configured the rua for mailhardener, but I wonder if there’s an easy way to parse them on the box itself.

I think it would be beneficial to have a function to edit existing DNS records.

I recently got into reporting out of curiosity for the correct spec.

The failure reports can be enabled in opendmarc.conf and you can also enable the aggregate reports like the big players with something like:

oh2fih/OpenDMARC-Reports: Automate OpenDMARC reports securely.

The reports do help you to identify people trying to abuse you.

You can use this as a test after enabling failure reports:

Email Spoof Test dot com

Also to actually act on it:

RejectFailures false

I turn that to true.

I think it provides valuable insights.

I set up a verifydmarc dot com account to have some GUI oversight. (It can also collect MTA-STS.)

I also got into actually honoring MTA-STS, this requires an MTA-STS resolver like:

Zuplu/postfix-tlspol: Lightweight MTA-STS + DANE/TLSA resolver and TLS policy server for Postfix, prioritizing DANE.

And Postfix 3.10.x

I don't know about Ubuntu; for RHEL it was compiled recently by a third-party repo with TLSRPT support.

and then

sys4/tlsrpt-reporter: An application suite to receive TLSRPT datagrams and to generate and deliver TLSRPT reports

Also with a third-party repo RPM.

For Postfix this is all a bit adventurous at the moment IMO.

But necessary to actually honor MTA-STS when sending mail, not just DNS entries on how you want to be treated.

I set it up on a virtualmin based server.

What I love about MIAB is that it is somewhat hassle-free concerning DNS because you can set it to act as its own DNS with two glue records and be done with it, and not start to dance around updating DANE TLSA records etc…

Stalwart as an alternative is the only mail server I know that fully implements the DMARC and MTA-STS spec out of the box. But it cannot act as its own DNS server.

And setting up external records is a drag IMO.

I also just found this for what you might want:

cry-inc/dmarc-report-viewer: Lightweight Standalone DMARC and SMTP TLS Report Viewer with IMAP Client

Sorry, I can't post links.
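On the question raised above about parsing DMARC aggregate reports on the box itself, here is an added example that is not from any poster in this thread or from the Mail-in-a-Box project. It lists the sending IPs whose mail failed both DKIM and SPF in a report sent to the rua address. The function name `failing_sources` and the sample report are constructed for illustration, and the report is assumed to be already decompressed from its gzip or zip attachment.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the RFC 7489 aggregate-report layout. The domain and
# the 192.0.2.x / 198.51.100.x addresses are documentation placeholders.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <policy_published><domain>example.com</domain><p>quarantine</p></policy_published>
  <record><row>
    <source_ip>192.0.2.10</source_ip><count>12</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row></record>
  <record><row>
    <source_ip>192.0.2.11</source_ip><count>4</count>
    <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
  <record><row>
    <source_ip>198.51.100.23</source_ip><count>3</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
</feedback>"""


def failing_sources(xml_text):
    """Return {source_ip: message_count} for rows where DKIM and SPF both failed."""
    # Reports come from outside parties; a DTD is never needed, so refuse it
    # rather than let the parser expand entities.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD not allowed in DMARC report")
    root = ET.fromstring(xml_text)
    failures = Counter()
    # "{*}" matches elements with or without an XML namespace (Python 3.8+).
    for row in root.iterfind("./{*}record/{*}row"):
        evaluated = row.find("{*}policy_evaluated")
        if evaluated is None:
            continue
        dkim = evaluated.findtext("{*}dkim", default="fail")
        spf = evaluated.findtext("{*}spf", default="fail")
        # DMARC passes if either aligned check passes, so require both to fail.
        if dkim != "pass" and spf != "pass":
            count = int(row.findtext("{*}count", default="0"))
            failures[row.findtext("{*}source_ip", default="unknown")] += count
    return dict(failures)


if __name__ == "__main__":
    print(failing_sources(SAMPLE_REPORT))
```

The 192.0.2.11 row is not reported because one passing aligned check is enough for DMARC to pass; such rows usually point at a legitimate sender that is missing from SPF or not yet DKIM-signed.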