There are many tutorials on how to set up OpenDMARC on your favorite flavor of Linux, but they all focus on single server configurations. My goal was to keep backup secondary MX servers, but enforce `RejectFailures true` for DMARC `p=reject` to be actually satisfied.

This led to a problem: the example configuration has `TrustedAuthservIDs HOSTNAME` for upstream SPF and DKIM sources. If this was used to list secondary MX servers, it would allow bypassing the OpenDMARC checks completely on the primary MX with a single forged header:

```
Authentication-Results: <HOSTNAME>;
    dkim=pass (1024-bit key; unprotected) header.d=example.com header.i=@example.com;
```
How to configure trust between the primary and the secondary MX without this flaw?
This is a rewrite of another question on Security Stack Exchange for the scope of Server Fault.
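The usual defence against the forged header described in the question is the rule from RFC 8601 section 5: an MTA that adds `Authentication-Results` must delete (or rename) any inbound `Authentication-Results` header that already carries one of its trusted authserv-ids, unless the message arrives from a hop it trusts by connection (for example, a secondary MX identified by its IP). The following is an added illustration of that ingress check, not code from the question or from the OpenDMARC project. The trusted authserv-ids (`mx1.example.com`, `mx2.example.com`), the peer network `192.0.2.0/24` and the sample message are constructed placeholders; a real deployment would run this logic in a milter or content filter before OpenDMARC sees the message.

```python
import email
from ipaddress import ip_address, ip_network

# Constructed site configuration (assumptions, not from the question):
# the authserv-ids OpenDMARC is told to trust, and the networks of the
# secondary MX hosts whose Authentication-Results headers are accepted.
TRUSTED_AUTHSERV_IDS = {"mx1.example.com", "mx2.example.com"}
TRUSTED_PEER_NETWORKS = [ip_network("192.0.2.0/24")]

# Constructed sample: a message that arrives with a forged header claiming
# our own primary MX already verified DKIM, plus a harmless foreign header.
SAMPLE_FORGED = (
    "Authentication-Results: mx1.example.com;\n"
    " dkim=pass (1024-bit key; unprotected) header.d=example.com"
    " header.i=@example.com\n"
    "Authentication-Results: relay.elsewhere.invalid; spf=pass"
    " smtp.mailfrom=example.com\n"
    "From: someone@example.com\n"
    "To: user@example.com\n"
    "Subject: test\n"
    "\n"
    "body\n"
)


def authserv_id(header_value):
    """Return the authserv-id of an Authentication-Results value.

    RFC 8601 puts the authserv-id first, optionally followed by a version,
    and terminates it with ';'. Comparison is case-insensitive, so lower it.
    """
    head = header_value.split(";", 1)[0].strip()
    return head.split()[0].lower() if head else ""


def sanitize_auth_results(raw_message, client_ip):
    """Apply the RFC 8601 section 5 ingress rule.

    Returns (message, removed). Authentication-Results headers that claim one
    of our trusted authserv-ids are removed unless the connecting client is a
    trusted peer (e.g. a secondary MX), in which case the message is untouched.
    """
    # compat32 policy keeps folded header values as-is, which is all we need.
    msg = email.message_from_string(raw_message)
    peer_trusted = any(ip_address(client_ip) in net for net in TRUSTED_PEER_NETWORKS)
    if peer_trusted:
        return msg, []

    kept, removed = [], []
    for value in msg.get_all("Authentication-Results", []):
        value = str(value)
        if authserv_id(value) in TRUSTED_AUTHSERV_IDS:
            removed.append(value)
        else:
            kept.append(value)

    # Rewrite the header set: drop everything, then re-add only the survivors
    # in their original order.
    del msg["Authentication-Results"]
    for value in kept:
        msg["Authentication-Results"] = value
    return msg, removed


if __name__ == "__main__":
    msg, removed = sanitize_auth_results(SAMPLE_FORGED, "198.51.100.7")
    print("removed forged headers:", len(removed))
    print(msg.as_string())
```

With this check in place on every MX, the primary can list the secondaries' authserv-ids in `TrustedAuthservIDs` only if the secondaries themselves strip those ids on ingress; otherwise an outside sender can still relay a forged header through a secondary. The same ingress rule therefore has to run on each secondary, not only on the primary.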