Tags: email, spf, dkim, dmarc

DMARC compliance for an entire data center full of servers


We're in the midst of a project to make all of our mail sources, including third parties that send on our behalf, DMARC compliant. We've run into a snag, namely an entire data center full of servers that send mail (usually just status updates or errors). If the mail's from address is <user@hostname.domain.tld> and we have many of them, and there are new ones added almost weekly, then how do we get these compliant?

My understanding of DKIM and SPF is that we'd need a DNS entry per host, because the receiving mail server checks on those records based on the FQDN of the from address.

Is there a reasonable way to keep using <user@hostname.domain.tld> as the from addresses and still make these 200+ (and changing) servers DMARC compliant?


Solution

Yes, this is what DMARC's "relaxed" mode is for. You can set that for both SPF and DKIM matching by adding these elements to your DMARC record:

    aspf=r; adkim=r

However, this is the default behaviour, so you don't actually need to add them at all!

In this mode, a message from user@hostname.domain.tld would be a relaxed match for domain.tld.
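An added example, not part of the original answer, that implements the relaxed versus strict alignment check the answer describes; the public-suffix set, the relay scenario and the function names are constructed assumptions.

```python
# Added example, not part of the original answer: a minimal DMARC identifier
# alignment check (RFC 7489 section 3.1) showing why relaxed mode lets
# user@hostname.domain.tld pass when SPF or DKIM authenticates domain.tld.

# Constructed stand-in for the Public Suffix List; real code must use the PSL.
PUBLIC_SUFFIXES = {"tld", "com", "co.uk"}


def organizational_domain(fqdn):
    """Strip host labels down to the registrable domain, e.g. domain.tld."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])  # assumption: unknown suffix -> last two labels


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') compares org domains."""
    if mode == "s":
        return from_domain.lower().rstrip(".") == auth_domain.lower().rstrip(".")
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def alignment_modes(dmarc_record):
    """Read aspf/adkim from a DMARC TXT record; both default to relaxed."""
    tags = {}
    for part in dmarc_record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags.get("aspf", "r"), tags.get("adkim", "r")


def dmarc_passes(from_domain, dmarc_record, spf=None, dkim=None):
    """spf/dkim are (authenticated_domain, passed) tuples or None if absent.
    DMARC passes if at least one passing identifier is aligned with From."""
    aspf, adkim = alignment_modes(dmarc_record)
    spf_ok = spf is not None and spf[1] and aligned(from_domain, spf[0], aspf)
    dkim_ok = dkim is not None and dkim[1] and aligned(from_domain, dkim[0], adkim)
    return spf_ok or dkim_ok


if __name__ == "__main__":
    # Constructed scenario: a host's mail is relayed through a central MTA that
    # DKIM-signs with d=domain.tld, so the signing domain is domain.tld.
    sender = "hostname.domain.tld"
    relaxed = "v=DMARC1; p=reject"               # aspf/adkim omitted -> relaxed
    strict = "v=DMARC1; p=reject; aspf=s; adkim=s"
    print(dmarc_passes(sender, relaxed, dkim=("domain.tld", True)))  # True
    print(dmarc_passes(sender, strict, dkim=("domain.tld", True)))   # False
```

Relaxed alignment only covers the identifier comparison: each host's mail still needs an SPF pass for its envelope domain or a DKIM signature whose d= sits under domain.tld, which is why sending through a central relay that signs with d=domain.tld avoids a DNS record per host.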