opendmarc(8) DMARC email policy filter for MTAs


opendmarc [-A] [-c configfile] [-f] [-l] [-n] [-p socketspec] [-P pidfile] [-t file[,file[...]]] [-u userid[:group]] [-v] [-V]


opendmarc implements the proposed DMARC specification for authentication of message and reporting of observed traffic.

opendmarc uses the milter interface, originally distributed as part of version 8.11 of sendmail(8), to provide a DMARC processing service for mail transiting a milter-aware MTA.

Most, if not all, of the command line options listed below can also be set using a configuration file. See the -c option for details.

opendmarc relies on addition of Authentication-Results fields by upsteam filters on trusted hosts to collect input to the DMARC algorithm. It does not itself do DKIM or SPF evaluation.


Automatically re-start on failures. Use with caution; if the filter fails instantly after it starts, this can cause a tight fork(2) loop. This can be mitigated using some values in the configuration file to limit restarting. See opendmarc.conf(5).
-c configfile
Read the named configuration file. See the opendmarc.conf(5) man page for details. Values in the configuration file are overridden when their equivalents are provided on the command line until a configuration reload occurs. The OPERATION section describes how reloads are triggered. The default is to read a configuration file from /etc/opendmarc.conf if one exists, or otherwise to apply defaults to all values.
Normally opendmarc forks and exits immediately, leaving the service running in the background. This flag suppresses that behaviour so that it runs in the foreground.
Log via calls to syslog(3) any interesting activity.
Parse the configuration file and command line arguments, reporting any errors found, and then exit. The exit value will be 0 if the filter would start up without complaint, or non-zero otherwise.
-p socketspec
Specifies the socket that should be established by the filter to receive connections from sendmail(8) in order to provide service. socketspec is in one of two forms: local:path which creates a UNIX domain socket at the specified path, or inet:port[@host] or inet6:port[@host] which creates a TCP socket on the specified port within the specified protocol family. If the host is not given as either a hostname or an IP address, the socket will be listening on all interfaces. If neither socket type is specified, local is assumed, meaning the parameter is interpreted as a path at which the socket should be created. If an IP address is used, it must be enclosed in square brackets. This parameter is mandatory.
-P pidfile
Specifies a file into which the filter should write its process ID at startup.
-t file[,file[,...]]
Reads email messages from the named files and processes them as if they were received by the filter. The service is not started, and actions normally sent back to the MTA will instead be printed on standard output.
-u userid[:group]
Attempts to be come the specified userid before starting operations. The process will be assigned all of the groups and primary group ID of the named userid unless an alternate group is specified. See the FILE PERMISSIONS section for more information.
Increase verbose output during test mode (see -t above). May be specified more than once to request increasing amounts of output.
Print the version number and supported canonicalization and signature algorithms, and then exit without doing anything else.


Upon receiving SIGUSR1, if the filter was started with a configuration file, it will be re-read and the new values used. Note that any command line overrides provided at startup time will be lost when this is done. Also, the following configuration file values (and their corresponding command line items, if any) are not reloaded through this process: AutoRestart (-A), AutoRestartCount, AutoRestartRate, Background, MilterDebug, PidFile (-P), Socket (-p), UMask, UserID (-u). The filter does not automatically check the configuration file for changes and reload.


This man page covers version 1.3.1 of opendmarc.


Copyright (c) 2012, The Trusted Domain Project. All rights reserved.