DMARC RUA/RUF infamously suffer from an abundance of delivery errors. Sending out DMARC reports usually leads to the local mail queue filling up with undeliverable messages.

measurement.network provides an RBL service compatible with rspamd, allowing automatic checking of RUA/RUF’s deliverbaility.

The service uses the platform of email-security-scans.org to regularly (every two weeks for each domain) issue empty (no messages observed) DMARC reports for all domains it monitors.

Endpoints

The service provides two simple end-points for checking either a domain or specific RUA:

• For Domains: https://stalemarc.measurement.network/api/checkDomain.php?key=example.com
• For RUA/RUF: https://stalemarc.measurement.network/api/checkRua.php?key=rua@example.com

The endpoints return either 404 (sending should continue/not enough negative information found) or 200 (DMARC reports should not be sent).

rspamd configuration

To configure rspamd to use this service, it needs to support external_maps for the DMARC module. This has been added in a recent PR, and will likely be available in versions newer than 3.13.2.

The following settings have to be added to the DMARC configuration:

                exclude_domains = {
                        external = true;
                        backend = "https://stalemarc.measurement.network/api/checkDomain.php";
                        method = "query";
                        encode = "json";
                        timeout = 1.0;
                }
                exclude_rua_addresses = {
                        external = true;
                        backend = "https://stalemarc.measurement.network/api/checkRua.php";
                        method = "query";
                        encode = "json";
                        timeout = 1.0;
                }

Note: Both exclude_domains and exclude_rua_addresses should be set; This ensures that domains not yet known by the service are also included in future checks.